---
# Overview: build and create a release via Google Cloud Deploy for GKE
# NOTE: currently requires SCM triggering due to dependency on the COMMIT_SHA variable
#
# Hand-off between steps: the `push` step writes the pushed image's repo digest
# to image-digest.txt; the `vulnsign` step and the release step both read that
# file, so the attestation and the release refer to the image by digest rather
# than by the mutable ${COMMIT_SHA} tag.
steps:
  # Build the image from app/Dockerfile and tag it with the commit SHA.
  - id: build
    name: 'gcr.io/cloud-builders/docker'
    dir: 'app'
    args:
      - 'build'
      - '.'
      - '-t'
      - 'us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:${COMMIT_SHA}'
      - '-f'
      - 'Dockerfile'

  # Run the API tests inside the image built above. Nothing has been pushed at
  # this point, so the tag refers to the image as built on this worker.
  - id: apitest
    name: 'us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:${COMMIT_SHA}'
    dir: 'app'
    entrypoint: 'python'
    args:
      - 'api_tests.py'

  # Push to Artifact Registry, then record the resulting repo digest in
  # image-digest.txt (at the workspace root, no `dir`) for the steps below.
  # The `&&` chain makes a failed push or inspect fail the whole step.
  - id: push
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        docker push us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:${COMMIT_SHA} &&
        docker image inspect us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:${COMMIT_SHA} --format '{{index .RepoDigests 0}}' > image-digest.txt &&
        cat image-digest.txt

  # Run kritis-signer against the pushed digest using the vulnerability signing
  # policy. The KMS key, digest algorithm and note name come from the
  # substitutions documented at the end of this file; the build fails if they
  # are not supplied by the trigger.
  - id: vulnsign
    name: 'gcr.io/$PROJECT_ID/kritis-signer'
    entrypoint: '/bin/bash'
    waitFor: ['push']
    args:
      - '-c'
      - |
        /kritis/signer \
        -v=10 \
        -alsologtostderr \
        -image=$(/bin/cat image-digest.txt) \
        -policy=./policy/kritis/vulnz-signing-policy.yaml \
        -kms_key_name=${_KMS_KEY_NAME} \
        -kms_digest_alg=${_KMS_DIGEST_ALG} \
        -note_name=${_NOTE_NAME}

  # Create the Cloud Deploy release, pinning the pop-stats image to the pushed
  # digest. Runs only after the signing step has succeeded.
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: '/bin/bash'
    waitFor: ['vulnsign']
    args:
      - '-c'
      - |
        gcloud deploy releases create rel-${SHORT_SHA} \
        --delivery-pipeline=security-demo-pipelne \
        --region=us-central1 \
        --annotations=commitId=${REVISION_ID} \
        --images=pop-stats=$(/bin/cat image-digest.txt)

# Image recorded in the build results; the same tag was already pushed by the
# `push` step above.
images:
  - 'us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:${COMMIT_SHA}'

options:
  # Request verified build provenance for the listed image.
  requestedVerifyOption: VERIFIED
  # Run on the project's private worker pool instead of the shared default pool.
  pool:
    name: 'projects/$PROJECT_ID/locations/us-central1/workerPools/private-pool'

# Set these variables in your trigger or directly in the substitutions stanza below:
#substitutions:
#  _KMS_KEY_NAME: MISSING_KMS_KEY_NAME
#  _KMS_DIGEST_ALG: MISSING_KMS_DIGEST_ALG
#  _NOTE_NAME: MISSING_NOTE_NAME