Berglas Cloud Build Example

This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.

At present, Cloud Build does not have a way to share environment variables across processes. All Berglas references must resolve to the filesystem and use a shared volume mount to pass along secrets.
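The following build configuration illustrates that shared-volume pattern. It is an added example for this guide, not the project's own `cloudbuild.yaml`: it assumes the public `gcr.io/berglas/berglas` image, Berglas references of the form `berglas://BUCKET/secret?destination=/path` (which `berglas exec` resolves by decrypting the secret and writing it to that path), the `_BUCKET_ID` substitution that step 7 below passes on the command line, and a placeholder image name `gcr.io/$PROJECT_ID/berglas-cloudbuild-example`.

```yaml
# Added example (not the project's cloudbuild.yaml). Secrets never appear as
# environment variable values; the env vars hold berglas:// references and the
# decrypted material lands on a volume that later steps mount at the same path.
steps:
  # Resolve both references into files on the shared "secrets" volume.
  # The Cloud Build service account granted in step 6 is what authorizes
  # the Cloud Storage read and the Cloud KMS decrypt here.
  - id: 'fetch-secrets'
    name: 'gcr.io/berglas/berglas'
    env:
      - 'API_KEY=berglas://${_BUCKET_ID}/api-key?destination=/secrets/api-key'
      - 'TLS_KEY=berglas://${_BUCKET_ID}/tls-key?destination=/secrets/tls-key'
    # `berglas exec` resolves every berglas:// env var, then runs the command.
    # The command only confirms the files exist; it does not print their contents.
    args: ['exec', '--', 'ls', '-l', '/secrets']
    volumes:
      - name: 'secrets'
        path: '/secrets'

  # A separate step (separate process, separate container) sees the same
  # files only because it mounts the same named volume at the same path.
  - id: 'check-secrets'
    name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    args:
      - '-c'
      - 'test -s /secrets/api-key && test -s /secrets/tls-key && echo "secrets present"'
    volumes:
      - name: 'secrets'
        path: '/secrets'

  # Build the container; mount the volume only if the Dockerfile actually
  # needs the files at build time, and never COPY them into an image layer.
  - id: 'build'
    name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/berglas-cloudbuild-example', '.']

# Publishing the image to Container Registry, as step 7 describes.
images:
  - 'gcr.io/$PROJECT_ID/berglas-cloudbuild-example'
```

The `volumes` entries are what make the example work: a Cloud Build volume is scoped to the steps that declare it, so a step that omits the mount cannot read `/secrets`, and nothing under `/secrets` survives into the pushed image unless a Dockerfile copies it there. Declaring the volume only on the steps that need the secrets keeps the exposure to the minimum the build requires.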

  1. Make sure you are in the examples/cloudbuild folder before continuing!

  2. Enable the Cloud Build service:

    gcloud services enable --project $PROJECT_ID \
      cloudbuild.googleapis.com
    
  3. Export the environment variables for your configuration:

    export PROJECT_ID=my-project
    export BUCKET_ID=my-bucket
    export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
    
  4. Create two secrets using the berglas CLI (see README for installation instructions):

    berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \
      --key ${KMS_KEY}
    
    berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \
      --key ${KMS_KEY}
    
  5. Get the Cloud Build service account email:

    PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)')
    export SA_EMAIL=${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
    
  6. Grant the service account access to the secrets:

    berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    
  7. Build a container using Cloud Build and publish it to Container Registry:

    gcloud builds submit \
      --project ${PROJECT_ID} \
      --substitutions=_BUCKET_ID=${BUCKET_ID} \
      .
    
  8. (Optional) Revoke access to the secrets:

    berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}