
Merge beam and GAE configs deployment to one GCB job #182

Merged
merged 1 commit into google:master from jianglai:beam-image on Jul 19, 2019

Conversation

@jianglai (Member) commented Jul 19, 2019

Deployment of GAE configs requires that the credential used by gcloud
have the GAE admin role on the project being managed. We do not want to
grant the GCB service account that role, because it would allow any GCB
job to deploy anything to GAE. Instead we use a dedicated credential
originally created to deploy beam pipelines. This credential is
encrypted by KMS and stored on GCS. Since the beam pipeline deployment
GCB job already does the decryption, it makes sense to add the config
deployment step there as well. The beam deployment steps are tweaked to
use the nomulus tool docker image instead of the jar file.

Also moved the content of deploy_configs_to_env.sh to the GCB yaml file
itself because the shell script is not uploaded to GCB at the same time
as the yaml file when the job is triggered by Spinnaker.

Lastly, due to b/137891685, using GCB to deploy cron jobs does not work,
as we cannot use a service account credential to deploy to projects under
google.com.


@jianglai jianglai requested a review from gbrodman Jul 19, 2019

@googlebot googlebot added the cla: yes label Jul 19, 2019

@jianglai jianglai force-pushed the jianglai:beam-image branch 2 times, most recently from 3271dde to d9828fc Jul 19, 2019

release/cloudbuild-deploy.yaml at r1 (the lines the two comments below refer to):

```bash
fi
gsutil cp gs://${PROJECT_ID}-deploy/${TAG_NAME}/${_ENV}.tar .
tar -xvf ${_ENV}.tar
for filename in cron dispatch dos index queue; do
```

@gbrodman (Collaborator) commented Jul 19, 2019

Can we put a comment here linking the bug explaining why this won't work with a service account for the time being?

@gbrodman (Collaborator) commented Jul 19, 2019

Also, if we use "set -e" and this won't work due to service account permissions, will this entire step fail?

@gbrodman (Collaborator) left a comment

Unrelated to the actual content, but it's unfortunate that Reviewable doesn't recognize that "cloudbuild-deploy.yml" is a renaming of "cloudbuild-beam.yaml" like Github does. It would cut down on the total diff shown.

Reviewable status: 0 of 8 files reviewed, 1 unresolved discussion (waiting on @jianglai)

@jianglai jianglai requested a review from gbrodman Jul 19, 2019

@jianglai (Member, Author) left a comment

Reviewable status: 0 of 8 files reviewed, 1 unresolved discussion (waiting on @gbrodman)
release/cloudbuild-deploy.yaml, line 66 at r1 (raw file):

Previously, gbrodman wrote…

Also, if we use "set -e" and this won't work due to service account permissions, will this entire step fail?

Correct, but this is the last step in the pipeline so it doesn't really matter. And all files in the list (cron, dispatch, ...) are affected by the permission issue discussed in the bug, so we are not losing anything by failing eagerly.
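The credential flow from the PR description and the set -e behaviour discussed in this thread, as one added example (not the project's release/cloudbuild-deploy.yaml): a single Cloud Build step that fetches the KMS-encrypted deploy credential from GCS, decrypts it, and deploys the GAE config files with it, so the GCB service account itself never holds App Engine Admin. The bucket path, encrypted file name, key ring and key names, substitution values, and the assumption that the tar extracts into the working directory are placeholders of mine.

```yaml
# Added example, not the project's cloudbuild-deploy.yaml. Bucket path, secret
# file name, key ring and key names, and the tar layout are placeholders.
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -e   # any failing command, including a permission error, fails this step
        # 1. Fetch the KMS-encrypted deploy credential. The GCB service account
        #    only needs read access to this bucket, not a role on App Engine.
        gsutil cp gs://${PROJECT_ID}-deploy/secrets/deploy-sa.json.enc .
        # 2. Decrypt it. The GCB service account needs
        #    roles/cloudkms.cryptoKeyDecrypter on this one key; App Engine Admin
        #    stays with the dedicated deploy account inside the file.
        gcloud kms decrypt \
          --ciphertext-file=deploy-sa.json.enc \
          --plaintext-file=deploy-sa.json \
          --location=global --keyring=${_KEYRING} --key=${_KEY}
        # 3. Use the dedicated credential for the rest of this step only.
        gcloud auth activate-service-account --key-file=deploy-sa.json
        # 4. Unpack this environment's configs (assumed to extract into the
        #    working directory) and deploy each one. `$$` keeps the shell
        #    variable out of Cloud Build's own ${...} substitution pass.
        gsutil cp gs://${PROJECT_ID}-deploy/${TAG_NAME}/${_ENV}.tar .
        tar -xf ${_ENV}.tar
        for filename in cron dispatch dos index queue; do
          # b/137891685: with a service account this fails for projects under
          # google.com; set -e then fails the step, acceptable as the last step.
          gcloud app deploy --project=${PROJECT_ID} --quiet $$filename.yaml
        done
        # 5. Do not leave the plaintext key in the build workspace.
        rm -f deploy-sa.json
substitutions:
  _ENV: 'sandbox'
  _KEYRING: 'deploy-keyring'
  _KEY: 'deploy-key'
```

Because set -e makes the first permission failure abort the step, keep this as the final step of the job so nothing after it is skipped silently.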

Merge beam and GAE configs deployment to one GCB job

@jianglai jianglai force-pushed the jianglai:beam-image branch from d9828fc to 41772d7 Jul 19, 2019

@gbrodman (Collaborator) left a comment

:lgtm:

Reviewable status: 0 of 8 files reviewed, all discussions resolved (waiting on @gbrodman)
release/cloudbuild-deploy.yaml, line 66 at r1 (raw file):

Previously, jianglai (Lai Jiang) wrote…

Correct, but this is the last step in the pipeline so it doesn't really matter. And all files in the list (cron, dispatch, ...) are affected by the permission issue discussed in the bug, so we are not losing anything by failing eagerly.

That makes sense -- thanks for adding the comment

@jianglai jianglai merged commit 5da4818 into google:master Jul 19, 2019

3 of 4 checks passed:
- code-review/reviewable: 8 files left
- cla/google: All necessary CLAs are signed
- continuous-integration/travis-ci/pr: The Travis CI build passed
- kokoro: Kokoro build finished

@jianglai jianglai deleted the jianglai:beam-image branch Jul 19, 2019
