Merge beam and GAE configs deployment to one GCB job (#182)

* Merge beam and GAE configs deployment to one GCB job

Deployment of GAE configs requires that the credential used by gcloud to
have GAE admin role of the project to be managed. We do not want to
grant the GCB service account that role, because it would all *any* GCB
job to deploy anything to GAE. Instead we use a dedicated credential
originally created to deploy beam pipelines. This credential is
encrypted by KMS and stored on GCS. Since the beam pipeline deployment
GCB job already does the decryption, it make sense to add the config
deployment step there as well. The beam deployment steps are tweaked to
use the nomulus tool docker image instead of the jar file.

Also moved the content of deploy_configs_to_env.sh to the GCB yaml file
itself because the shell script is not uploaded to GC Bat the same time
as the yaml file when the job is triggered by Spinnaker.

Lastly, due to b/137891685, using GCB to deploy cron jobs does not work
as we cannot use service account credential to deploy to projects under
google.com.

release/cloudbuild-deploy.yaml

@@ -0,0 +1,75 @@
+# To run the build locally, install cloud-build-local first.
+# Then run:
+# cloud-build-local --config=cloudbuild-deploy-beam.yaml --dryrun=false \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# This will deploy Beam pipelines to GCS for the PROJECT_ID defined in gcloud
+# tool.
+#
+# To manually trigger a build on GCB, run:
+# gcloud builds submit --config=cloudbuild-deploy-beam.yaml \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# To trigger a build automatically, follow the instructions below and add a trigger:
+# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
+steps:
+# Pull the credential for nomulus tool.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  args:
+  - gsutil
+  - cp
+  - gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc
+  - .
+# Decrypt the credential.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    cat tool-credential.json.enc | base64 -d | gcloud kms decrypt \
+      --ciphertext-file=- --plaintext-file=tool-credential.json \
+      --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
+# Deploy the Spec11 pipeline to GCS.
+- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest'
+  args:
+  - -e
+  - ${_ENV}
+  - --credential
+  - tool-credential.json
+  - deploy_spec11_pipeline
+# Deploy the invoicing pipeline to GCS.
+- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest'
+  args:
+  - -e
+  - ${_ENV}
+  - --credential
+  - tool-credential.json
+  - deploy_invoicing_pipeline
+# Deploy the GAE config files.
+# First authorize the gcloud tool to use the credential json file, then
+# download and unzip the tarball that contains the relevant config files
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    gcloud auth activate-service-account --key-file=tool-credential.json
+    if [ ${_ENV} == production ]; then
+      project_id="domain-registry"
+    else
+      project_id="domain-registry-${_ENV}"
+    fi
+    gsutil cp gs://${PROJECT_ID}-deploy/${TAG_NAME}/${_ENV}.tar .
+    tar -xvf ${_ENV}.tar
+    # Note that this currently does not work for google.com projects that
+    # we use due to b/137891685. External projects are likely to work.
+    for filename in cron dispatch dos index queue; do
+      gcloud -q --project ${project_id} app deploy \
+        default/WEB-INF/appengine-generated/${filename}.yaml
+    done
+
+timeout: 3600s
+options:
+  machineType: 'N1_HIGHCPU_8'

release/cloudbuild-nomulus.yaml

@@ -29,20 +29,25 @@ steps:
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   entrypoint: /bin/bash
   args:
-    - -c
-    - |
-      docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
-      docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
-# Get the tool image digest and substitute in the digest in the tagging yaml file.
+  - -c
+  - |
+    set -e
+    docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+    docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:latest
+    docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+    docker push gcr.io/${PROJECT_ID}/nomulus-tool:latest
+# Get the tool image digest and substitute in the digest in other GCB files.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   entrypoint: /bin/bash
   args:
   - -c
   - |
+    set -e
     digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus-tool \
       --format="get(digest)" --filter="tags = ${TAG_NAME}")
     sed -i s/'$${_IMAGE}'/nomulus-tool/g release/cloudbuild-tag.yaml
     sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
+    sed -i s/'nomulus-tool:latest'/nomulus-tool@$digest/g release/cloudbuild-deploy-*.yaml
 # Build and package the deployment files for alpha.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['release/build_nomulus_for_env.sh', 'alpha', 'output']
@@ -64,8 +69,7 @@ artifacts:
     - 'output/nomulus.jar'
     - 'release/cloudbuild-tag.yaml'
     - 'release/cloudbuild-sync.yaml'
-    - 'release/cloudbuild-beam-*.yaml'
-    - 'release/cloudbuild-deploy-configs-*.yaml'
+    - 'release/cloudbuild-deploy-*.yaml'
 
 timeout: 3600s
 options:

release/cloudbuild-proxy.yaml

@@ -16,27 +16,31 @@ steps:
 # Build the proxy docker image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args:
-  - './gradlew'
-  - ':proxy:test'
-  - ':proxy:buildProxyImage'
-  - '-PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven'
-  - '-PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins'
+  - ./gradlew
+  - :proxy:test
+  - :proxy:buildProxyImage
+  - -PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven
+  - -PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins
 # Tag and push the image. We can't let Cloud Build's default processing do that for us
 # because we need to push the image before we can sign it in the following step.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   entrypoint: /bin/bash
   args:
   - -c
   - |
+    set -e
     docker tag proxy gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
+    docker tag proxy gcr.io/${PROJECT_ID}/proxy:latest
     docker push gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
+    docker push gcr.io/${PROJECT_ID}/proxy:latest
   dir: 'proxy'
 # Get the image digest, sign it and substitute in the digest in the tagging yaml file.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   entrypoint: /bin/bash
   args:
   - -c
   - |
+    set -e
     digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
       --format="get(digest)" --filter="tags = ${TAG_NAME}")
     gcloud --project=${PROJECT_ID} alpha container binauthz attestations \

release/cloudbuild-release.yaml

@@ -24,6 +24,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     git clone https://gerrit.googlesource.com/gcompute-tools
     ./gcompute-tools/git-cookie-authdaemon
     git clone ${_INTERNAL_REPO_URL} nomulus-internal
@@ -33,6 +34,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     git tag ${TAG_NAME}
     git push origin ${TAG_NAME}
   dir: 'nomulus-internal'
@@ -42,6 +44,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     shopt -s dotglob
     rm -rf .git && rm -rf nomulus-internal/.git
     cp -rf nomulus-internal/* .
@@ -52,6 +55,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     docker build -t gcr.io/${PROJECT_ID}/builder:${TAG_NAME} .
     docker tag gcr.io/${PROJECT_ID}/builder:${TAG_NAME} gcr.io/${PROJECT_ID}/builder:latest
     docker pull gcr.io/distroless/java
@@ -73,6 +77,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     builder_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/builder \
       --format='get(digest)' --filter='tags = ${TAG_NAME}')
     base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
@@ -83,24 +88,23 @@ steps:
     sed -i s%distroless/java:debug%${PROJECT_ID}/base-debug@$debug_digest% core/Dockerfile
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
-    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-beam.yaml
-    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-deploy-configs.yaml
+    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-deploy.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-sync.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-tag.yaml
     sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
     sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync.yaml
-    sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-beam.yaml
-    sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy-configs.yaml
+    sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy.yaml
     for environment in alpha crash sandbox production; do
-      sed s/'$${_ENV}'/${environment}/g release/cloudbuild-beam.yaml > release/cloudbuild-beam-${environment}.yaml
-      sed s/'$${_ENV}'/${environment}/g release/cloudbuild-deploy-configs.yaml > release/cloudbuild-deploy-configs-${environment}.yaml
+      sed s/'$${_ENV}'/${environment}/g release/cloudbuild-deploy.yaml \
+        > release/cloudbuild-deploy-${environment}.yaml
     done
 # Upload the gradle binary to GCS if it does not exist and point URL in gradle wrapper to it.
 - name: 'gcr.io/cloud-builders/gsutil'
   entrypoint: /bin/bash
   args:
   - -c
   - |
+    set -e
     gradle_url=$(grep distributionUrl gradle/wrapper/gradle-wrapper.properties \
       | awk -F = '{print $2}' | sed 's/\\//g')
     gradle_bin=$(basename $gradle_url)
@@ -130,6 +134,7 @@ steps:
   args:
   - -c
   - |
+    set -e
     cp -rf nomulus-release/.git .
     rm -rf nomulus-release
     git config --global user.name "Cloud Build"

release/cloudbuild-sync.yaml

@@ -13,12 +13,12 @@ steps:
 # Rsync the folder.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args:
-  - 'gsutil'
-  - '-m'
-  - 'rsync'
-  - '-d'
-  - 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
-  - 'gs://${PROJECT_ID}-deploy/live'
+  - gsutil
+  - -m
+  - rsync
+  - -d
+  - gs://${PROJECT_ID}-deploy/${TAG_NAME}
+  - gs://${PROJECT_ID}-deploy/live
 timeout: 3600s
 options:
   machineType: 'N1_HIGHCPU_8'