Berglas Cloud Build Example

This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.

At present, Cloud Build has no way to share environment variables between build steps. Every Berglas reference must therefore resolve to a file on the filesystem, and that file is handed to later steps through a shared volume mount.
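The following is an added example of that pattern, not the project's own cloudbuild.yaml: a first step resolves both references to files on a named volume, a second step consumes the files, and a last step removes them. It assumes the gcr.io/berglas/berglas image (and that it contains /bin/sh), the `berglas exec --local` flag, and the `?destination=` reference parameter that writes a resolved secret to a path instead of exporting its value; it uses the `_BUCKET_ID` substitution that step 7 passes in.

```yaml
# Added example (not the project's cloudbuild.yaml).
# Assumed, not taken from this page: the gcr.io/berglas/berglas image with a
# /bin/sh inside it, `berglas exec --local`, and the `?destination=` parameter.
steps:
  # Step 1: resolve both references to files under /secrets. Only the files,
  # never the values as environment variables, leave this step.
  - id: 'resolve-secrets'
    name: 'gcr.io/berglas/berglas'
    env:
      - 'API_KEY=berglas://${_BUCKET_ID}/api-key?destination=/secrets/api-key'
      - 'TLS_KEY=berglas://${_BUCKET_ID}/tls-key?destination=/secrets/tls-key'
      # Secret Manager equivalent of the first reference:
      # - 'API_KEY=sm://${PROJECT_ID}/api-key?destination=/secrets/api-key'
    args: ['exec', '--local', '--', '/bin/sh', '-c', 'chmod 0400 /secrets/*']
    volumes:
      - name: 'secrets'
        path: '/secrets'

  # Step 2: the consumer mounts the same named volume and reads the files.
  # The build context is /workspace, so /secrets is not copied into image layers.
  - id: 'build-image'
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        test -s /secrets/api-key && test -s /secrets/tls-key
        docker build -t gcr.io/$PROJECT_ID/berglas-example:$BUILD_ID .
    volumes:
      - name: 'secrets'
        path: '/secrets'

  # Step 3: remove the plaintext files so nothing lingers on the worker.
  - id: 'cleanup-secrets'
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'sh'
    args: ['-c', 'rm -f /secrets/*']
    volumes:
      - name: 'secrets'
        path: '/secrets'

substitutions:
  _BUCKET_ID: ''   # supplied with: gcloud builds submit --substitutions=_BUCKET_ID=...

images:
  - 'gcr.io/$PROJECT_ID/berglas-example:$BUILD_ID'
```

The named volume is what ties the steps together: each step that declares `secrets` sees the same /secrets directory, while steps that do not declare it never see the plaintext. Keeping the consumer's use of the files to build time (a `test`, a config render, a `docker build` whose context excludes /secrets) is what prevents the secret from being baked into the published image.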

  1. Make sure you are in the examples/cloudbuild folder before continuing!

  2. Enable the Cloud Build service:

    gcloud services enable --project $PROJECT_ID \
      cloudbuild.googleapis.com
    
  3. Export the environment variables for your configuration:

    Using Secret Manager storage:

    export PROJECT_ID=my-project
    

    Using Cloud Storage storage:

    export PROJECT_ID=my-project
    export BUCKET_ID=my-bucket
    export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
    
  4. Create two secrets using the berglas CLI (see README for installation instructions):

    Using Secret Manager storage:

    berglas create sm://${PROJECT_ID}/api-key "xxx-yyy-zzz"
    
    berglas create sm://${PROJECT_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..."
    

    Using Cloud Storage storage:

    berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \
      --key ${KMS_KEY}
    
    berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \
      --key ${KMS_KEY}
    
  5. Get the Cloud Build service account email:

    PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)')
    export SA_EMAIL=${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
    
  6. Grant the service account access to the secrets:

    Using Secret Manager storage:

    berglas grant sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    

    Using Cloud Storage storage:

    berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    
  7. Build a container using Cloud Build and publish it to Container Registry:

    gcloud builds submit \
      --project ${PROJECT_ID} \
      --substitutions=_BUCKET_ID=${BUCKET_ID} \
      .
    
  8. (Optional) Revoke access to the secrets:

    Using Secret Manager storage:

    berglas revoke sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    

    Using Cloud Storage storage:

    berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}