forked from learningequality/studio
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcloudbuild-production.yaml
124 lines (115 loc) · 5.37 KB
/
cloudbuild-production.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
steps:
- name: 'gcr.io/cloud-builders/docker'
id: pull-app-image-cache
args: ['pull', 'gcr.io/$PROJECT_ID/learningequality-studio-app:latest']
- name: 'gcr.io/cloud-builders/docker'
id: build-app-image
entrypoint: bash
waitFor: ['pull-app-image-cache'] # wait for app image cache pull to finish
secretEnv: ['CROWDIN_PROJECT', 'CROWDIN_API_KEY']
args:
- -c
- >
docker build
-f k8s/images/app/Dockerfile
--cache-from gcr.io/$PROJECT_ID/learningequality-studio-app:latest
-t gcr.io/$PROJECT_ID/learningequality-studio-app:$COMMIT_SHA
-t gcr.io/$PROJECT_ID/learningequality-studio-app:latest
--build-arg CROWDIN_PROJECT=$$CROWDIN_PROJECT
--build-arg CROWDIN_API_KEY=$$CROWDIN_API_KEY
.
- name: 'gcr.io/cloud-builders/docker'
id: build-nginx-image
waitFor: ['-'] # don't wait for previous steps
args: [
'build',
'-f', 'k8s/images/nginx/Dockerfile',
'--cache-from', 'gcr.io/$PROJECT_ID/learningequality-studio-nginx:latest',
'-t', 'gcr.io/$PROJECT_ID/learningequality-studio-nginx:$COMMIT_SHA',
'-t', 'gcr.io/$PROJECT_ID/learningequality-studio-nginx:latest',
'.'
]
- name: 'gcr.io/cloud-builders/docker'
id: push-app-image
waitFor: ['build-app-image']
args: ['push', 'gcr.io/$PROJECT_ID/learningequality-studio-app:$COMMIT_SHA']
- name: 'gcr.io/cloud-builders/docker'
id: push-nginx-image
waitFor: ['build-nginx-image']
args: ['push', 'gcr.io/$PROJECT_ID/learningequality-studio-nginx:$COMMIT_SHA']
- name: 'gcr.io/cloud-builders/gcloud'
id: decrypt-gcs-service-account
waitFor: ['-']
args: [
'kms', 'decrypt',
'--location=global', '--keyring=prod-secrets', '--key=storage',
'--ciphertext-file=k8s/build-secrets/$PROJECT_ID-gcs-service-account.json.enc',
'--plaintext-file=gcs-service-account.json'
]
- name: 'gcr.io/cloud-builders/gcloud'
id: decrypt-gdrive-service-account
waitFor: ['-']
args: [
'kms', 'decrypt',
'--location=global', '--keyring=prod-secrets', '--key=google-drive',
'--ciphertext-file=k8s/build-secrets/$PROJECT_ID-gdrive-service-account.json.enc',
'--plaintext-file=gdrive-service-account.json'
]
- name: 'gcr.io/$PROJECT_ID/helm'
id: helm-deploy-studio-instance
waitFor: ['decrypt-gcs-service-account', 'decrypt-gdrive-service-account', 'push-app-image', 'push-nginx-image']
dir: "k8s"
env:
- 'CLOUDSDK_COMPUTE_ZONE=us-central1-f'
- 'CLOUDSDK_CONTAINER_CLUSTER=contentworkshop-central'
secretEnv: ['POSTMARK_API_KEY', 'POSTGRES_USERNAME', 'POSTGRES_DATABASE', 'POSTGRES_PASSWORD', 'SENTRY_DSN_KEY']
entrypoint: 'bash'
args:
- -c
- >
/builder/helm.bash &&
./helm-deploy.sh
$BRANCH_NAME
$_STORAGE_BUCKET
$COMMIT_SHA
$$POSTMARK_API_KEY
$$POSTGRES_USERNAME
$$POSTGRES_DATABASE
$$POSTGRES_PASSWORD
studio-$_DATABASE_INSTANCE_NAME-sql-proxy-gcloud-sqlproxy.sqlproxy
../gcs-service-account.json
$PROJECT_ID
is_production
../gdrive-service-account.json
$$SENTRY_DSN_KEY
substitutions:
_DATABASE_INSTANCE_NAME: develop # by default, connect to the develop DB
_STORAGE_BUCKET: develop-studio-content
timeout: 3600s
secrets:
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/postmark
secretEnv:
POSTMARK_API_KEY: CiQAiTaPumPBypHmbaI2VTsj1d0TmewTnOM83shty0Z8DBNNj8USTgDPcJXYOjPtGbmYOkUjtI2+uZ+kgluB7vMx8QvtC8+r8iWEMEDz7pWFIIc15qjQlWbzNvho6EmZ377nhBiK6yrJZuhiJilmbD6jPHi+ng==
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/postgresUsername
secretEnv:
POSTGRES_USERNAME: CiQA5ZLmquDVWhclKQFPx/taLY+M2XFy94lSGM9gGADKNTYEe6kSMgCCxhnF/akKO/NExapT6ymG2hTOZOi2irs6dLFe2vq/TFe+b4MQuK0EoBRSvHN4P9X7
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/postgresDatabase
secretEnv:
POSTGRES_DATABASE: CiQAUlSEzWpjl3xrmJtipVavm8GUlBqTjGl8iUpKI5K9apymcT4SOgANIVh/daMOIapNEhbtHbdolk3XzaZsjkfxc7/m4hU74ISBsz4gdiMk14dLCJOZ1XI0QUWXt+hnN6g=
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/postgresPassword
secretEnv:
POSTGRES_PASSWORD: CiQAMPmSF7yqmZpvhbSTw1eLxx+KzaZi1MUV1QrEpsRL4VnOadUSMgD2FZMP4J23KAW6xGwwwldugufqKGb3takkNo3cpBWJocGQ1T8oQfWyJrjUHFu0PMAI
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/crowdinProject
secretEnv:
CROWDIN_PROJECT: CiQA4GP4aWHJjKldoAx95R+RMx+I1WhYKlT5/yOKzGqT4ABZ3joSOQAdnepcOy8znHRi5BkIPc74VD/OE5iV2HtspY8GrSCSGpE/IJcizMcjIrY6KIusaBkePzEHhJKGfA==
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/crowdinApiKey
secretEnv:
CROWDIN_API_KEY: CiQA5yVB2KLpFiuaF4kAmNS2+I04GTIBpEl3hy4Px21xpuApka0SSQC1m2SkfC/mzvR1KhoNaKzDHQRG7SyPI69iG/NTjNwV/u56To3swMhMqsD1ErNTITgnZEloUXAPpGSJAL+LLJB0fbzhMsE4cpY=
- kmsKeyName: projects/contentworkshop-159920/locations/global/keyRings/prod-secrets/cryptoKeys/sentryKey
secretEnv:
SENTRY_DSN_KEY: CiQAymGxx8tU8G23aFWKz52KLPvwY+EnKDPDMI4WZtVGtw7CJi8SagAaZGpaLvlDDdn2Nr4zJLLOxy3tpnzdteSDe8NJsQiIv8iSiULHOeA9wtZKSyzNWOv+gZrIAqgjipz7Sznm1sXC//qusnMFntzLOlRE3nJy9jp5h0XtCIY5grq/xUIW5MCeEDVf66sWO5U=
images:
- gcr.io/$PROJECT_ID/learningequality-studio-nginx:latest
- gcr.io/$PROJECT_ID/learningequality-studio-nginx:$COMMIT_SHA
- gcr.io/$PROJECT_ID/learningequality-studio-app:latest
- gcr.io/$PROJECT_ID/learningequality-studio-app:$COMMIT_SHA