-
Notifications
You must be signed in to change notification settings - Fork 12
/
cloudbuild.yaml
99 lines (91 loc) · 3.9 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
timeout: 14400s
#### SECURITY NOTICE ####
# Google Cloud Build (GCB) supports the usage of secrets for build requests.
# Secrets appear within GCB configs as base64-encoded strings.
# These secrets are GCP Cloud KMS-encrypted and cannot be decrypted by any human or system
# outside of GCP Cloud KMS for the GCP project this encrypted resource was created for.
# Seeing the base64-encoded encrypted blob here is not a security event for the project.
#
# More details on using encrypted resources on Google Cloud Build can be found here:
# https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials
#
# (Please do not remove this security notice.)
secrets:
- kmsKeyName: projects/cert-manager-release/locations/europe-west1/keyRings/cert-manager-release/cryptoKeys/cert-manager-release-secret-key
secretEnv:
GITHUB_TOKEN: CiQAPjqeE0LnlyMJdmLr+laf8RxSKjw/BOv8yiTzdi/RjN9IWh4SUQBQ4fbHZMFt3QlDxBvdU81a6r5LXT0pTTXWOuHQbctSsjc2BZCMROgI2wdRCEyTgj5XJ1YQS0kXaEfIucZrhUlMKsJPXt4ZaZkKtxv4RNPpQg==
DOCKER_CONFIG: CiQAPjqeEyZx+aSgFNoW7KQ4wE4hp/9vbWElifjHJNTI0/71ywMSkwIAUOH2xwTfrn72i6p+Op2PYnjDfwMBcInMEtgKAqiTsaup3R5HeL8BsZGuWxVhCEm5CJJ0Rg3CPdFUx2IVmCfC3j32LkAiMxMpszdHTjWHEyWmxwtBlTJW8NFmoYzxfN4Ox9rYFF66eZ0XVdLz1UejXpqAkGFVzTzQSu4rvNFnAsP5Sj7ZKJpXn+p0ZZW1IdMTD0xzCwZjW9hhcTjyNaCKDJYwl8j6Y/bYeoUMrzDQNk48fzKIBgxEdUTR2OOAI785GWSrkB4Y03oEyrfw8jTd1yAoil2S6p3AGV1FbvFleajSCy3Ov+5gjomjtqCbTx06hVsTcqLHC45WzAWPa/8TsiXh5PPgBbkg+pfBQUTj6i9+WA==
steps:
- name: docker.io/library/golang:1.22-alpine
entrypoint: go
args:
- install
- github.com/cert-manager/release/cmd/cmrel@${_RELEASE_REPO_REF}
- name: docker.io/library/golang:1.22-alpine
entrypoint: go
args:
- install
- github.com/sigstore/cosign/cmd/cosign@${_COSIGN_REPO_REF}
## Write DOCKER_CONFIG file to $HOME/.docker/config.json
- name: gcr.io/cloud-builders/docker:19.03.8
entrypoint: bash
secretEnv:
- DOCKER_CONFIG
args:
- -c
- |
mkdir -p $$HOME/.docker
echo "$${DOCKER_CONFIG}" > $$HOME/.docker/config.json
## Build and push the release artifacts
- name: gcr.io/cloud-builders/docker:19.03.8
dir: "go/src/github.com/cert-manager/cert-manager"
entrypoint: /go/bin/cmrel
secretEnv:
- GITHUB_TOKEN
args:
- gcb
- publish
- --bucket=${_RELEASE_BUCKET}
- --release-name=${_RELEASE_NAME}
- --nomock=${_NO_MOCK}
- --published-github-org=${_PUBLISHED_GITHUB_ORG}
- --published-github-repo=${_PUBLISHED_GITHUB_REPO}
- --published-helm-chart-github-owner=${_PUBLISHED_HELM_CHART_GITHUB_OWNER}
- --published-helm-chart-github-repo=${_PUBLISHED_HELM_CHART_GITHUB_REPO}
- --published-helm-chart-github-branch=${_PUBLISHED_HELM_CHART_GITHUB_BRANCH}
- --published-image-repo=${_PUBLISHED_IMAGE_REPO}
- --publish-actions=${_PUBLISH_ACTIONS}
- --signing-kms-key=${_KMS_KEY}
- --skip-signing=${_SKIP_SIGNING}
- --cosign-path=/go/bin/cosign
tags:
- "cert-manager-release-publish"
- "name-${_TAG_RELEASE_NAME}"
options:
volumes:
- name: go-modules
path: /go
# Use the --substitutions=_OS=linux,_ARCH=arm64 flag to gcloud build submit to
# override these values
substitutions:
## Required parameters
_RELEASE_NAME: ""
## Optional/defaulted parameters
_KMS_KEY: "projects/cert-manager-release/locations/europe-west1/keyRings/cert-manager-release/cryptoKeys/cert-manager-release-signing-key/cryptoKeyVersions/1"
_SKIP_SIGNING: "false"
_RELEASE_BUCKET: ""
_NO_MOCK: "false"
_PUBLISHED_GITHUB_ORG: ""
_PUBLISHED_GITHUB_REPO: ""
_PUBLISHED_HELM_CHART_GITHUB_OWNER: ""
_PUBLISHED_HELM_CHART_GITHUB_REPO: ""
_PUBLISHED_HELM_CHART_GITHUB_BRANCH: ""
_PUBLISHED_IMAGE_REPO: ""
## Used to control the exact artifacts which will be published
_PUBLISH_ACTIONS: "*"
## Used as a tag to identify the build more easily later
_TAG_RELEASE_NAME: ""
## Ref for cert-manager/release repo to use when installing cmrel
_RELEASE_REPO_REF: "master"
## Version of the cosign tool to install
_COSIGN_REPO_REF: "v1.13.6"