Berglas Cloud Build Example

This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.

At present, Cloud Build has no way to share environment variables across build steps (each step runs as a separate process). All Berglas references must therefore resolve to the filesystem, and a shared volume mount is used to pass the resolved secrets from the Berglas step to later steps.

  1. Make sure you are in the examples/cloudbuild folder before continuing!

  2. Enable the Cloud Build service:

    gcloud services enable --project $PROJECT_ID \
      cloudbuild.googleapis.com
    
  3. Export the environment variables for your configuration:

    Using Secret Manager storage:

    export PROJECT_ID=my-project
    Using Cloud Storage storage:

    export PROJECT_ID=my-project
    export BUCKET_ID=my-bucket
    export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
    
  4. Create two secrets using the berglas CLI (see README for installation instructions):

    Using Secret Manager storage:

    berglas create sm://${PROJECT_ID}/api-key "xxx-yyy-zzz"
    
    berglas create sm://${PROJECT_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..."
    Using Cloud Storage storage:

    berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \
      --key ${KMS_KEY}
    
    berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \
      --key ${KMS_KEY}
    
  5. Get the Cloud Build service account email:

    PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)')
    export SA_EMAIL=${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
    
  6. Grant the service account access to the secrets:

    Using Secret Manager storage:

    berglas grant sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}

    Using Cloud Storage storage:

    berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    
  7. Build a container using Cloud Build and publish it to Container Registry:

    gcloud builds submit \
      --project ${PROJECT_ID} \
      --substitutions=_BUCKET_ID=${BUCKET_ID} \
      .
    
  8. (Optional) Revoke access to the secrets:

    Using Secret Manager storage:

    berglas revoke sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    Using Cloud Storage storage:

    berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
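
The steps above create the secrets and grant the build service account access, but the page does not show the `cloudbuild.yaml` that consumes them. The script below is an added example, not the berglas project's own build config: it builds Berglas references that resolve to a file (the `?destination=` query parameter, as documented by berglas) for either storage backend, refuses any reference that would only land in one step's environment, and emits a two-step build in which the `gcr.io/berglas/berglas` step writes both secrets onto a named volume and a separate container reads them from the same mount. The volume name `secrets`, the mount path `/secrets`, and the `alpine` consumer step are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example; not the berglas project's own cloudbuild.yaml (this page does not show it).
# Assumptions: the gcr.io/berglas/berglas image runs `berglas exec`, and a reference with
# `?destination=PATH` is written to PATH by that step. Volume name "secrets" and path
# /secrets are chosen here for illustration.

# berglas_ref BACKEND STORE NAME DEST
#   BACKEND is "sm" (Secret Manager; STORE is the project id)
#   or "gcs" (Cloud Storage; STORE is the bucket id).
berglas_ref() {
  backend=$1; store=$2; name=$3; dest=$4
  case "$backend" in
    sm)  printf 'sm://%s/%s?destination=%s\n' "$store" "$name" "$dest" ;;
    gcs) printf 'berglas://%s/%s?destination=%s\n' "$store" "$name" "$dest" ;;
    *)   echo "unknown backend: $backend" >&2; return 1 ;;
  esac
}

# ref_resolves_to_file REF: succeed only if REF writes to an absolute path.
# Cloud Build cannot pass environment variables between steps, so a reference
# without ?destination= would be resolved into the berglas step's environment
# only and be invisible to every later step.
ref_resolves_to_file() {
  case "$1" in
    *'?destination=/'*) return 0 ;;
    *) return 1 ;;
  esac
}

# gen_cloudbuild BACKEND STORE: print a cloudbuild.yaml on stdout.
# Step 1 resolves both secrets onto the "secrets" volume; step 2 runs in a
# different container and can only see them because it mounts the same volume.
gen_cloudbuild() {
  api_ref=$(berglas_ref "$1" "$2" api-key /secrets/api-key) || return 1
  tls_ref=$(berglas_ref "$1" "$2" tls-key /secrets/tls-key) || return 1
  for r in "$api_ref" "$tls_ref"; do
    ref_resolves_to_file "$r" || { echo "refusing non-file reference: $r" >&2; return 1; }
  done
  cat <<EOF
steps:
- name: gcr.io/berglas/berglas
  env:
  - 'API_KEY=${api_ref}'
  - 'TLS_KEY=${tls_ref}'
  args: ['exec', '--', 'ls', '-la', '/secrets']
  volumes:
  - name: secrets
    path: /secrets
- name: alpine
  args: ['sh', '-c', 'test -s /secrets/api-key && test -s /secrets/tls-key']
  volumes:
  - name: secrets
    path: /secrets
EOF
}

# Usage (after the exports above):
#   gen_cloudbuild gcs "$BUCKET_ID" > cloudbuild.yaml
#   gen_cloudbuild sm  "$PROJECT_ID" > cloudbuild.yaml
```

Because the plaintext lives on the volume for the rest of the build, keep the consumer step the last one that needs it and avoid copying the files into `/workspace`, which persists across all steps and into any artifacts a later step uploads.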