diff --git a/release/cloudbuild-beam.yaml b/release/cloudbuild-beam.yaml
deleted file mode 100644
index 1daae15bf48..00000000000
--- a/release/cloudbuild-beam.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-# To run the build locally, install cloud-build-local first.
-# Then run:
-# cloud-build-local --config=cloudbuild-deploy-beam.yaml --dryrun=false \
-# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
-#
-# This will deploy Beam pipelines to GCS for the PROJECT_ID defined in gcloud
-# tool.
-#
-# To manually trigger a build on GCB, run:
-# gcloud builds submit --config=cloudbuild-deploy-beam.yaml \
-# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
-#
-# To trigger a build automatically, follow the instructions below and add a trigger:
-# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
-steps:
-# Pull the latest nomulus.jar to local
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
- args:
- - gsutil
- - cp
- - gs://${PROJECT_ID}-deploy/${TAG_NAME}/nomulus.jar
- - .
-# Pull the credential for nomulus tool
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
- args:
- - gsutil
- - cp
- - gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc
- - .
-# Decrypt the credential
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
- entrypoint: /bin/bash
- args:
- - -c
- - |
- cat tool-credential.json.enc | base64 -d | gcloud kms decrypt \
- --ciphertext-file=- --plaintext-file=tool-credential.json \
- --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
-# Deploy spec11 and invoicing pipeline to GCS
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
- entrypoint: /bin/bash
- args:
- - -c
- - |
- java -jar nomulus.jar -e ${_ENV} --credential tool-credential.json \
- deploy_spec11_pipeline
- java -jar nomulus.jar -e ${_ENV} --credential tool-credential.json \
- deploy_invoicing_pipeline
-timeout: 3600s
-options:
- machineType: 'N1_HIGHCPU_8'
diff --git a/release/cloudbuild-deploy-configs.yaml b/release/cloudbuild-deploy-configs.yaml
deleted file mode 100644
index 2438e1cc4d9..00000000000
--- a/release/cloudbuild-deploy-configs.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# To run the build locally, install cloud-build-local first.
-# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
-# You will need access to a private registry, so be sure to install the docker
-# credential helper.
-# Then, in the release folder, run:
-# cloud-build-local --config=cloudbuild-deploy-configs.yaml --dryrun=false \
-# --substitutions TAG_NAME=[TAG],_ENV=[ENV] ..
-# This will build the contents of the current directory and generate the
-# nomulus war-files locally.
-# The PROJECT_ID is the current project name that gcloud uses.
-# You can add "--push true" to have the image pushed to GCR.
-#
-# To manually trigger a build on GCB, run:
-# gcloud builds submit --config cloudbuild-deploy-configs.yaml \
-# --substitutions TAG_NAME=[TAG],_ENV=[ENV] ..
-#
-# To trigger a build automatically, follow the instructions below and add a trigger:
-# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
-steps:
-# Download and unzip the tarball that contains the relevant config files
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
- args: ['release/deploy_configs_to_env.sh', '${_ENV}', '${TAG_NAME}']
diff --git a/release/cloudbuild-deploy.yaml b/release/cloudbuild-deploy.yaml
new file mode 100644
index 00000000000..1faa019809c
--- /dev/null
+++ b/release/cloudbuild-deploy.yaml
@@ -0,0 +1,75 @@
+# To run the build locally, install cloud-build-local first.
+# Then run:
+# cloud-build-local --config=cloudbuild-deploy-beam.yaml --dryrun=false \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# This will deploy Beam pipelines to GCS for the PROJECT_ID defined in gcloud
+# tool.
+#
+# To manually trigger a build on GCB, run:
+# gcloud builds submit --config=cloudbuild-deploy-beam.yaml \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# To trigger a build automatically, follow the instructions below and add a trigger:
+# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
+steps:
+# Pull the credential for nomulus tool.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+ args:
+ - gsutil
+ - cp
+ - gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc
+ - .
+# Decrypt the credential.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+ entrypoint: /bin/bash
+ args:
+ - -c
+ - |
+ set -e
+ cat tool-credential.json.enc | base64 -d | gcloud kms decrypt \
+ --ciphertext-file=- --plaintext-file=tool-credential.json \
+ --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
+# Deploy the Spec11 pipeline to GCS.
+- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest'
+ args:
+ - -e
+ - ${_ENV}
+ - --credential
+ - tool-credential.json
+ - deploy_spec11_pipeline
+# Deploy the invoicing pipeline to GCS.
+- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest'
+ args:
+ - -e
+ - ${_ENV}
+ - --credential
+ - tool-credential.json
+ - deploy_invoicing_pipeline
+# Deploy the GAE config files.
+# First authorize the gcloud tool to use the credential json file, then
+# download and unzip the tarball that contains the relevant config files
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+ entrypoint: /bin/bash
+ args:
+ - -c
+ - |
+ set -e
+ gcloud auth activate-service-account --key-file=tool-credential.json
+ if [ ${_ENV} == production ]; then
+ project_id="domain-registry"
+ else
+ project_id="domain-registry-${_ENV}"
+ fi
+ gsutil cp gs://${PROJECT_ID}-deploy/${TAG_NAME}/${_ENV}.tar .
+ tar -xvf ${_ENV}.tar
+ # Note that this currently does not work for google.com projects that
+ # we use due to b/137891685. External projects are likely to work.
+ for filename in cron dispatch dos index queue; do
+ gcloud -q --project ${project_id} app deploy \
+ default/WEB-INF/appengine-generated/${filename}.yaml
+ done
+
+timeout: 3600s
+options:
+ machineType: 'N1_HIGHCPU_8'
diff --git a/release/cloudbuild-nomulus.yaml b/release/cloudbuild-nomulus.yaml
index 04bfdd0d3b2..df152d9b954 100644
--- a/release/cloudbuild-nomulus.yaml
+++ b/release/cloudbuild-nomulus.yaml
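Review bot: In release/cloudbuild-deploy.yaml, the last step picks the App Engine target project with an unquoted `[ ${_ENV} == production ]` test and maps every other value to `domain-registry-${_ENV}`, so an empty or mistyped substitution falls into the else branch, and the build stops only if the later `gsutil cp` of `${_ENV}.tar` happens to fail. The deleted deploy_configs_to_env.sh enumerated alpha, crash, sandbox and production explicitly. An explicit `case` with a failing default keeps the service-account-authenticated `gcloud app deploy` from being pointed at an unintended project when the file is run by hand with `--substitutions`, as the header describes. The header comment also still names `cloudbuild-deploy-beam.yaml` and mentions only Beam pipelines, although this file now deploys the GAE config files as well.

```yaml
# … unchanged: step name, entrypoint, args, set -e …
    gcloud auth activate-service-account --key-file=tool-credential.json
    case "${_ENV}" in
      production) project_id="domain-registry" ;;
      alpha|crash|sandbox) project_id="domain-registry-${_ENV}" ;;
      *) echo "Unknown environment: ${_ENV}" >&2; exit 1 ;;
    esac
# … unchanged: gsutil cp, tar -xvf, gcloud app deploy loop …
```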
@@ -29,20 +29,25 @@ steps:
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 entrypoint: /bin/bash
 args:
- - -c
- - |
- docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
- docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
-# Get the tool image digest and substitute in the digest in the tagging yaml file.
+ - -c
+ - |
+ set -e
+ docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+ docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:latest
+ docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+ docker push gcr.io/${PROJECT_ID}/nomulus-tool:latest
+# Get the tool image digest and substitute in the digest in other GCB files.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 entrypoint: /bin/bash
 args:
 - -c
 - |
+ set -e
 digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus-tool \
 --format="get(digest)" --filter="tags = ${TAG_NAME}")
 sed -i s/'$${_IMAGE}'/nomulus-tool/g release/cloudbuild-tag.yaml
 sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
+ sed -i s/'nomulus-tool:latest'/nomulus-tool@$digest/g release/cloudbuild-deploy-*.yaml
 # Build and package the deployment files for alpha.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args: ['release/build_nomulus_for_env.sh', 'alpha', 'output']
@@ -64,8 +69,7 @@ artifacts:
 - 'output/nomulus.jar'
 - 'release/cloudbuild-tag.yaml'
 - 'release/cloudbuild-sync.yaml'
- - 'release/cloudbuild-beam-*.yaml'
- - 'release/cloudbuild-deploy-configs-*.yaml'
+ - 'release/cloudbuild-deploy-*.yaml'
 timeout: 3600s
 options:
diff --git a/release/cloudbuild-proxy.yaml b/release/cloudbuild-proxy.yaml
index b2a568ff7b6..b15837066bc 100644
--- a/release/cloudbuild-proxy.yaml
+++ b/release/cloudbuild-proxy.yaml
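Review bot: In release/cloudbuild-nomulus.yaml, the added `sed -i s/'nomulus-tool:latest'/nomulus-tool@$digest/g release/cloudbuild-deploy-*.yaml` writes whatever `$digest` holds into the deploy files, and `set -e` does not stop the step if the `list-tags` lookup exits successfully but prints nothing. In that case the generated files would reference `nomulus-tool@` with no digest, and the problem would surface only when a deploy build tries to pull the image. A guard ahead of the sed lines, for example `[ -n "$digest" ] || { echo "no digest found for ${TAG_NAME}" >&2; exit 1; }`, makes the pinning fail at build time instead. Quoting the whole sed expression would also keep an unexpected value from being word-split.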
@@ -16,11 +16,11 @@ steps:
 # Build the proxy docker image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args:
- - './gradlew'
- - ':proxy:test'
- - ':proxy:buildProxyImage'
- - '-PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven'
- - '-PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins'
+ - ./gradlew
+ - :proxy:test
+ - :proxy:buildProxyImage
+ - -PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven
+ - -PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins
 # Tag and push the image. We can't let Cloud Build's default processing do that for us
 # because we need to push the image before we can sign it in the following step.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
@@ -28,8 +28,11 @@ steps:
 args:
 - -c
 - |
+ set -e
 docker tag proxy gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
+ docker tag proxy gcr.io/${PROJECT_ID}/proxy:latest
 docker push gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
+ docker push gcr.io/${PROJECT_ID}/proxy:latest
 dir: 'proxy'
 # Get the image digest, sign it and substitute in the digest in the tagging yaml file.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
@@ -37,6 +40,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
 --format="get(digest)" --filter="tags = ${TAG_NAME}")
 gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
diff --git a/release/cloudbuild-release.yaml b/release/cloudbuild-release.yaml
index 9d0e1cd9847..315430ad982 100644
--- a/release/cloudbuild-release.yaml
+++ b/release/cloudbuild-release.yaml
@@ -24,6 +24,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 git clone https://gerrit.googlesource.com/gcompute-tools
 ./gcompute-tools/git-cookie-authdaemon
 git clone ${_INTERNAL_REPO_URL} nomulus-internal
@@ -33,6 +34,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 git tag ${TAG_NAME}
 git push origin ${TAG_NAME}
 dir: 'nomulus-internal'
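Review bot: In release/cloudbuild-proxy.yaml, the first hunk drops the quotes from `:proxy:test` and `:proxy:buildProxyImage`, leaving plain scalars that begin with the `:` indicator; they should still parse as strings, but they read like mapping syntax and rely on the parser's plain-scalar rules. Keeping those two entries quoted, `- ':proxy:test'` and `- ':proxy:buildProxyImage'`, matches the still-quoted `name:` and `dir:` values in the same file. The other unquoted arguments here and in release/cloudbuild-sync.yaml are unambiguous.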
@@ -42,6 +44,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 shopt -s dotglob
 rm -rf .git && rm -rf nomulus-internal/.git
 cp -rf nomulus-internal/* .
@@ -52,6 +55,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 docker build -t gcr.io/${PROJECT_ID}/builder:${TAG_NAME} .
 docker tag gcr.io/${PROJECT_ID}/builder:${TAG_NAME} gcr.io/${PROJECT_ID}/builder:latest
 docker pull gcr.io/distroless/java
@@ -73,6 +77,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 builder_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/builder \
 --format='get(digest)' --filter='tags = ${TAG_NAME}')
 base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
@@ -83,17 +88,15 @@ steps:
 sed -i s%distroless/java:debug%${PROJECT_ID}/base-debug@$debug_digest% core/Dockerfile
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
- sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-beam.yaml
- sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-deploy-configs.yaml
+ sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-deploy.yaml
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-sync.yaml
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-tag.yaml
 sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
 sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync.yaml
- sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-beam.yaml
- sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy-configs.yaml
+ sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy.yaml
 for environment in alpha crash sandbox production; do
- sed s/'$${_ENV}'/${environment}/g release/cloudbuild-beam.yaml > release/cloudbuild-beam-${environment}.yaml
- sed s/'$${_ENV}'/${environment}/g release/cloudbuild-deploy-configs.yaml > release/cloudbuild-deploy-configs-${environment}.yaml
+ sed s/'$${_ENV}'/${environment}/g release/cloudbuild-deploy.yaml \
+ > release/cloudbuild-deploy-${environment}.yaml
 done
 # Upload the gradle binary to GCS if it does not exist and point URL in gradle wrapper to it.
 - name: 'gcr.io/cloud-builders/gsutil'
@@ -101,6 +104,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 gradle_url=$(grep distributionUrl gradle/wrapper/gradle-wrapper.properties \
 | awk -F = '{print $2}' | sed 's/\\//g')
 gradle_bin=$(basename $gradle_url)
@@ -130,6 +134,7 @@ steps:
 args:
 - -c
 - |
+ set -e
 cp -rf nomulus-release/.git .
 rm -rf nomulus-release
 git config --global user.name "Cloud Build"
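Review bot: In release/cloudbuild-release.yaml, the `set -e` added to the gradle step (hunk at -101) does not cover the `grep … | awk … | sed …` pipeline that computes `gradle_url`, because a pipeline's exit status is that of its last command; a missing `distributionUrl` entry would leave `gradle_url` empty rather than stop the step at that line. Using `set -eo pipefail` in this step closes the gap, and the same applies to the `cat … | base64 -d | gcloud kms decrypt` pipeline in the new release/cloudbuild-deploy.yaml. The step continues past the end of the hunk, so later lines may already catch an empty value.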
diff --git a/release/cloudbuild-sync.yaml b/release/cloudbuild-sync.yaml
index bb79b53aacb..a736629f8a7 100644
--- a/release/cloudbuild-sync.yaml
+++ b/release/cloudbuild-sync.yaml
@@ -13,12 +13,12 @@ steps:
 # Rsync the folder.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args:
- - 'gsutil'
- - '-m'
- - 'rsync'
- - '-d'
- - 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
- - 'gs://${PROJECT_ID}-deploy/live'
+ - gsutil
+ - -m
+ - rsync
+ - -d
+ - gs://${PROJECT_ID}-deploy/${TAG_NAME}
+ - gs://${PROJECT_ID}-deploy/live
 timeout: 3600s
 options:
 machineType: 'N1_HIGHCPU_8'
diff --git a/release/deploy_configs_to_env.sh b/release/deploy_configs_to_env.sh
deleted file mode 100755
index d67e2077d67..00000000000
--- a/release/deploy_configs_to_env.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-# Copyright 2019 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# This script downloads the tagged tarball from GCS and uploads the AppEngine config files therein
-# to the provided environment. The standard AppEngine deployment process doesn't automatically
-# update these configs, so we must do it manually.
-
-set -e
-
-if [ $# -ne 2 ];
-then
- echo "Usage: $0 alpha|crash|sandbox|production "
- exit 1
-fi
-
-environment="$1"
-tag_name="$2"
-
-if [ "${environment}" == alpha ]; then
- project_id="domain-registry-alpha"
-elif [ "${environment}" == crash ]; then
- project_id="domain-registry-crash"
-elif [ "${environment}" == sandbox ]; then
- project_id="domain-registry-sandbox"
-elif [ "${environment}" == production ]; then
- project_id="domain-registry"
-fi
-
-gsutil cp gs://domain-registry-dev-deploy/${tag_name}/${environment}.tar .
-tar -xvf ${environment}.tar
-for filename in cron dispatch dos index queue; do
- gcloud -q --project ${project_id} app deploy default/WEB-INF/appengine-generated/${filename}.yaml
-done