Deterministic container images with java and GCP APIs using bazel
The following sample will build a simple container that uses GCP KMS apis.
These images are will have a consistent image hash no matter where it is built
java_server@sha256:bb603ed31837ea5039c0ce25afe59545d936ecdbd1eb0ea64ae12bd32e0eef33
For reference, see:
- Deterministic builds with go + bazel + grpc + docker
- Deterministic builds with nodejs + bazel + docker
- Deterministic container images with c++ and GCP APIs using bazel.
- Deterministic container images with python and GCP APIs using bazel
To run this sample, you will need bazel installed (see Cloud Shell for an easy way to use bazel)
In the end, you'll end up with the same digests
export PROJECT_ID=`gcloud config get-value core/project`
export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`
export GCLOUD_USER=`gcloud config get-value core/account`$ bazel version
Build label: 6.1.1
Build target: bazel-out/k8-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Wed Mar 15 15:44:56 2023 (1678895096)
Build timestamp: 1678895096
Build timestamp as int: 1678895096export JAVA_HOME=/path/to/java/jdk-11
bazel run :main
bazel run :server_image
# gcloud auth application-default login
# docker run -ti \
# -v $HOME/.config/gcloud:/root/.config/gcloud gcr.io/google.com/cloudsdktool/google-cloud-cli gcloud auth application-default print-access-token
docker run -t \
-v $HOME/.config/gcloud:/root/.config/gcloud \
-e GOOGLE_CLOUD_PROJECT=$PROJECT_ID \
us-central1-docker.pkg.dev/builder-project/r1/java_server:server_imageTo deploy on cloud platform
gcloud artifacts repositories create r1 --repository-format=docker --location=us-central1
gcloud artifacts repositories add-iam-policy-binding r1 \
--location=us-central1 \
--member=serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com \
--role=roles/artifactregistry.writer
gcloud beta builds submit .