forked from kubernetes/release
/
cloudbuild.yaml
99 lines (91 loc) · 2.99 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
timeout: 14400s
#### SECURITY NOTICE ####
# Google Cloud Build (GCB) supports the usage of secrets for build requests.
# Secrets appear within GCB configs as base64-encoded strings.
# These secrets are GCP Cloud KMS-encrypted and cannot be decrypted by any human or system
# outside of GCP Cloud KMS for the GCP project this encrypted resource was created for.
# Seeing the base64-encoded encrypted blob here is not a security event for the project.
#
# Adding new keys to the existing default keyring `release` in the default
# project `k8s-releng-prod` can be done by:
# ```
# gcloud kms keys create $KEY --project k8s-releng-prod --location global --keyring release --purpose encryption
# ```
#
# After that, verify that the key is marked as "Available" there:
# https://console.cloud.google.com/security/kms/keyring/manage/global/release/key?project=k8s-releng-prod
#
# Now encrypt any secret:
# ```
# echo -n my-secret > pw
# gcloud kms encrypt --project k8s-releng-prod --location global --keyring release --key $KEY --plaintext-file pw --ciphertext-file pw.enc
# base64 pw.enc -w0
# ```
#
# Use the base64 output printed above as secretEnv value below. Then just
# reference it via secretEnv in a step.
#
# More details on using encrypted resources on Google Cloud Build can be found here:
# https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials
#
# (Please do not remove this security notice.)
secrets:
- kmsKeyName: projects/k8s-releng-prod/locations/global/keyRings/release/cryptoKeys/encrypt-0
secretEnv:
GITHUB_TOKEN: CiQAIkWjMODH+TR8+6KmsAValHBKkX2PjVWSzyNdScGCIl0rBlYSUQBLz1D++mrhyd+wXohoQEGDuyQHvFzQyT7NEvI2BR/WBmnu1S9+E5GgER8OOnaQg+dGEMrYzEQIiTOB8WPxU7ecsIyo0AuegcBH24dj9L2tDw==
steps:
- name: gcr.io/cloud-builders/git
dir: "go/src/k8s.io"
args:
- "clone"
- "https://github.com/${_TOOL_ORG}/${_TOOL_REPO}"
- name: gcr.io/cloud-builders/git
entrypoint: "bash"
dir: "go/src/k8s.io/release"
args:
- '-c'
- |
git fetch
echo "Checking out ${_TOOL_REF}"
git checkout ${_TOOL_REF}
- name: gcr.io/k8s-staging-releng/k8s-cloud-builder:${_KUBE_CROSS_VERSION}
dir: go/src/k8s.io/release
env:
- KREL_OUTPUT_PATH=/workspace/bin/krel
args:
- ./hack/get-krel
- name: gcr.io/k8s-staging-releng/k8s-cloud-builder:${_KUBE_CROSS_VERSION}
dir: "/workspace"
env:
- "TOOL_ORG=${_TOOL_ORG}"
- "TOOL_REPO=${_TOOL_REPO}"
- "TOOL_REF=${_TOOL_REF}"
- "K8S_ORG=${_K8S_ORG}"
- "K8S_REPO=${_K8S_REPO}"
- "K8S_REF=${_K8S_REF}"
secretEnv:
- GITHUB_TOKEN
args:
- "bin/krel"
- "fast-forward"
- "--log-level=${_LOG_LEVEL}"
- "--non-interactive"
- "--github-org=${_K8S_ORG}"
- "--github-repo=${_K8S_REPO}"
- "${_NOMOCK}"
tags:
- ${_GCP_USER_TAG}
- ${_NOMOCK_TAG}
- FAST_FORWARD
- ${_GIT_TAG}
- ${_RELEASE_BRANCH}
- ${_TYPE_TAG}
- ${_K8S_ORG}
- ${_K8S_REPO}
- ${_TYPE}
options:
machineType: E2_HIGHCPU_32
substitutions:
# _GIT_TAG will be filled with a git-based tag of the form vYYYYMMDD-hash, and
# can be used as a substitution
_GIT_TAG: '12345'