This repository has been archived by the owner on Sep 20, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 196
/
cloudbuild.yaml
182 lines (166 loc) · 5.77 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
---
steps:
- id: 'Configure deployment namespace'
name: 'gcr.io/cloud-builders/docker'
entrypoint: 'sh'
args:
- '-c'
- |
# Write namespace to file for future usage
case "$BRANCH_NAME" in
master)
echo "dev" > .namespace
;;
staging)
echo "staging" > .namespace
;;
stable)
echo "prod" > .namespace
;;
esac
# Add encrypted secrets and private code
- id: 'Decrypt secrets required for Kubernetes deployment'
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'sh'
args:
- '-c'
- |
_VALUES_PATH=./devops/kubernetes/values/origin
gcloud kms decrypt \
--ciphertext-file=$${_VALUES_PATH}/secrets-$(cat .namespace).enc \
--plaintext-file=$${_VALUES_PATH}/secrets-$(cat .namespace).yaml \
--location=global \
--keyring=origin \
--key=cloudbuild
# Checkout private fraud code if deploying @origin/cron or @origin/relayer
if [ "${_CONTAINER}" = "origin-cron" -o "${_CONTAINER}" = "origin-relayer" ]; then
echo "Cloning origin-fraud"
gcloud source repos clone origin-fraud --project=origin-214503
if [ "${_CONTAINER}" = "origin-cron" ]; then
echo "Copying growth fraud"
cp -r ./origin-fraud/growth/prod ./infra/growth/src/fraud/
else
echo "Copying relayer fraud"
cp -r ./origin-fraud/relayer/prod ./infra/relayer/src/risk/
fi
rm -rf origin-fraud
fi
# Decrypt the file containing the SSH key for GitHub
- id: 'Decrypt secrets required for GitHub push'
name: 'gcr.io/cloud-builders/gcloud'
args:
- kms
- decrypt
- --ciphertext-file=./devops/github.enc
- --plaintext-file=/root/.ssh/id_rsa
- --location=global
- --keyring=origin
- --key=cloudbuild
volumes:
- name: 'ssh'
path: /root/.ssh
# Set up git with key and domain
- id: 'Configure for GitHub'
name: 'gcr.io/cloud-builders/git'
entrypoint: 'sh'
args:
- '-c'
- |
chmod 600 /root/.ssh/id_rsa
ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
cat <<EOF >> /root/.ssh/config
Hostname github.com
IdentityFile /root/.ssh/id_rsa
EOF
volumes:
- name: 'ssh'
path: /root/.ssh
# Build the container image
- id: 'Build the container image'
name: 'gcr.io/cloud-builders/docker'
# Must use bash here due to if statement/string cmp
entrypoint: '/bin/bash'
args:
- '-c'
- |
_VALUES_PATH=./devops/kubernetes/values/origin
_SECRETS_FILE=$${_VALUES_PATH}/secrets-$(cat .namespace).yaml
# Set the EnvKey for the Docker container if substitution set
if [[ "${_ENVKEY_FIELD}" != "" ]]; then
_ENVKEY=$(cat $${_SECRETS_FILE} | grep ${_ENVKEY_FIELD} | cut -d " " -f 2)
else
_ENVKEY=false
fi
# Build container
docker build \
-f devops/dockerfiles/${_CONTAINER} \
-t gcr.io/${PROJECT_ID}/$(cat .namespace)/${_CONTAINER}:${SHORT_SHA} \
--build-arg GIT_COMMIT_HASH=${SHORT_SHA} \
--build-arg GIT_BRANCH=${BRANCH_NAME} \
--build-arg ENVKEY=$${_ENVKEY} \
--build-arg NAMESPACE=$(cat .namespace) \
.
# Push the container image
- id: 'Push the container image to GCR'
name: 'gcr.io/cloud-builders/docker'
entrypoint: 'sh'
args:
- '-c'
- |
docker push \
gcr.io/${PROJECT_ID}/$(cat .namespace)/${_CONTAINER}:${SHORT_SHA}
# Add latest tag to the container
- id: 'Add `latest` tag to pushed container image'
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'sh'
args:
- '-c'
- |
gcloud container images add-tag \
gcr.io/${PROJECT_ID}/$(cat .namespace)/${_CONTAINER}:${SHORT_SHA} \
gcr.io/${PROJECT_ID}/$(cat .namespace)/${_CONTAINER}:latest \
--quiet
# Commit devops tags
- id: 'Push deployment tags to GitHub'
name: 'gcr.io/cloud-builders/git'
entrypoint: 'sh'
args:
- '-c'
- |
git config --global user.name "OriginCI"
git config --global user.email "[email protected]"
git remote add upstream [email protected]:OriginProtocol/origin.git
git pull upstream ${BRANCH_NAME}
git checkout ${BRANCH_NAME}
sed -i \
"s|^${_IMAGE_TAG_FIELD}: .*|${_IMAGE_TAG_FIELD}: '${SHORT_SHA}'|g" \
devops/kubernetes/values/origin/values-$(cat .namespace).yaml
git add devops/kubernetes/values/origin/values-$(cat .namespace).yaml
git commit -m 'Update deployed image tag for ${_CONTAINER} [ci skip]'
git push upstream ${BRANCH_NAME}
volumes:
- name: 'ssh'
path: /root/.ssh
# Generate a kubeconfig file for the given GKE cluster and upgrade with Helm
- id: 'Update Kubernetes using Helm'
name: 'gcr.io/$PROJECT_ID/helm'
env:
- 'CLOUDSDK_COMPUTE_ZONE=us-west1-a'
- 'CLOUDSDK_CONTAINER_CLUSTER=origin'
entrypoint: 'sh'
args:
- '-c'
- |
CLUSTER=$$(gcloud config get-value container/cluster)
PROJECT=$$(gcloud config get-value core/project)
ZONE=$$(gcloud config get-value compute/zone)
gcloud container clusters get-credentials "$${CLUSTER}" \
--project "$${PROJECT}" \
--zone "$${ZONE}"
helm upgrade $(cat .namespace) devops/kubernetes/charts/origin \
-f devops/kubernetes/charts/origin/values.yaml \
-f devops/kubernetes/values/origin/values-$(cat .namespace).yaml \
-f devops/kubernetes/values/origin/secrets-$(cat .namespace).yaml
timeout: '3600s'
options:
machineType: 'N1_HIGHCPU_32'