I need to extract a string from the TAG_NAME default variable, but I could not get this to work.
- name: 'gcr.io/cloud-builders/git'
  id: find-folder-name
  dir: ${_DIR}
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    if [ ${_STRATEGY} = "tag" ]; then echo "tag name " $TAG_NAME; echo ${TAG_NAME%\.np\.v\.*}; fi
  volumes:
  - name: 'ssh'
    path: /root/.ssh
  secretEnv: ['GCLOUD_SERVICE_KEY']
The regex works perfectly fine if I just run it in Git Bash locally.
The output is as follows. I am expecting it to also print "test", but it is empty. Here is the output:
tag name test.np.v.1.1.7
Fixed by assigning to a variable
release=$TAG_NAME;echo ${release%\.np\.v\.*}
Related
Let's say I have a cloudbuild.yaml file that looks like this:
steps:
- name: 'gcr.io/cloud-builders/docker'
  id: build
  args: ['build', '-t', 'us.gcr.io/${PROJECT_ID}/image_name', '--build-arg', 'secret=$$SECRET', '.']
  secretEnv: ['SECRET']
images:
- 'us.gcr.io/${PROJECT_ID}/image_name'
availableSecrets:
  secretManager:
  - versionName: projects/project/secrets/my_secret/versions/latest
    env: 'SECRET'
Right now, the --build-arg is assigning to the Docker secret arg the value $SECRET instead of the value actually stored in the secret. How can I access the secret value during this step? All of the examples I can find online say to add a bash entrypoint however only for steps that aren't actually doing the build call.
It's a usual issue with the Cloud Build and Secret Manager integration. You can access the secret only in a script, not in the entrypoint and arguments (your case).
Try that
steps:
- name: 'gcr.io/cloud-builders/docker'
  id: build
  entrypoint: 'bash'
  args:
  - -c
  - |
    docker build -t us.gcr.io/${PROJECT_ID}/image_name --build-arg secret=$$SECRET .
  secretEnv: ['SECRET']
The syntax for assigning secrets to docker args seems to be slightly different to that for normal environment variables. The following snippet is taken from a working project of my own and correctly accesses the secret, and you can see the difference compared to the normal environment variables:
...
  env:
  - PROJECT_ID=$PROJECT_ID
  - NO_DEPLOY=$_NO_DEPLOY
  - NO_E2E=$_NO_E2E
  secretEnv:
  - "EXAMPLE_API_KEY"
  args:
  - --destination=gcr.io/$PROJECT_ID/api
  - --cache=true
  - --build-arg=PROJECT_ID
  - --build-arg=EXAMPLE_API_KEY
  - --build-arg=NO_DEPLOY
  - --build-arg=NO_E2E
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/example-api-key/versions/latest
    env: "EXAMPLE_API_KEY"
...
I'm using Cloud Build to deploy a new version of my app when a new commit appears in GitHub.
Everything is working good.
Now I'm trying to setup a variable substitution in the trigger configuration, because I want to put my version number in the trigger once, so that I can find the deployed correct version without modifying cloudbuild configuration file.
Variable substitution works great in my cloudbuild file, for example:
(cloudbuild.yaml)
# TEST: PRINT VARIABLE IN LOG
- name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'bash'
  # bash -c takes the whole command line as a single string
  args: ['-c', 'echo ${_VERSION}']
# DEPLOY APP
- name: "gcr.io/cloud-builders/gcloud"
  args: ["app", "deploy", "-v", "${_VERSION}", "app.yaml"]
  dir: 'frontend'
  timeout: "20m"
${_VERSION} is correctly replaced with the string I put into my trigger.
Now I want to obtain the same result in the app.yaml file, substituting an env variable, something like:
(app.yaml)
runtime: nodejs
env: flex
service: backend
env_variables:
  VERSION: "${_VERSION}"
  TEST_ENV: "read from google"
When I read TEST_ENV from my app, it works, but _VERSION is not replaced.
Any suggestion?
When you perform this step
# DEPLOY APP
- name: "gcr.io/cloud-builders/gcloud"
  args: ["app", "deploy", "-v", "${_VERSION}", "app.yaml"]
  dir: 'frontend'
  timeout: "20m"
The app.yaml is provided as-is to the gcloud command, and it's not evaluated. You have to update it manually. Something like this
# REPLACE: PUT THE CORRECT VALUE IN APP.YAML FILE
- name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'bash'
  args: ['-c', 'sed', "-i", "sed -i "s/\$${_VERSION}/${_VERSION}/g", 'app.yaml']
Of course if you leave the
env_variables:
  VERSION: "${_VERSION}"
as-is in your app.yaml file. You can change this replacement string.
I want to add this solution in case someone has problems with the one proposed by giullade (in my case, cloudbuild gave me an error in executing the sed command).
I also changed my replacement string to one more readable and to avoid escaping the $ sign.
# Step 0: REPLACE variables in app.yaml file
- name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'bash'
  dir: 'backend'
  args:
  - '-c'
  - |
    sed -i "s/__VERSION/${_VERSION}/g" app-staging.yaml
and in my app.yaml:
env_variables:
  VERSION_ENV: "__VERSION"
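The sed steps above splice a substitution value straight into the sed program, so a value containing the delimiter, `&` or a backslash changes what sed does. The following is an added example (not code from the original posts) that escapes the value first; `render_placeholder` is a hypothetical helper name and single-line values are assumed.

```shell
# Added example: render_placeholder is a hypothetical helper, not part of
# Cloud Build or gcloud. Usage: render_placeholder PLACEHOLDER VALUE FILE
render_placeholder() {
  placeholder=$1
  value=$2
  file=$3

  # The placeholder is used as a sed pattern, so accept only plain tokens
  # such as __VERSION (letters, digits, underscore).
  case $placeholder in
    ''|*[!A-Za-z0-9_]*) echo "invalid placeholder" >&2; return 1 ;;
  esac

  # A newline in the value would end the sed command early; refuse it.
  case $value in
    *'
'*) echo "value contains a newline" >&2; return 1 ;;
  esac

  # Escape the characters that are special in a sed replacement:
  # backslash, ampersand and the delimiter used below (|).
  escaped=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')

  # Write to a temporary file and rename, so a failed sed run does not
  # leave a half-written manifest behind.
  sed "s|$placeholder|$escaped|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# In a build step (file name taken from the answer above):
#   render_placeholder __VERSION "${_VERSION}" app-staging.yaml
```

The value still lands inside a double-quoted YAML string in app.yaml, so a substitution containing `"` needs to be rejected or escaped for YAML as well.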
How does one pass a secret from Google Secrets Manager (GSM) to a Cloud Function when using Cloud Build? The below cloudbuild.yaml has three steps. Further, I'm using volumes to create permanent storage between build steps. I can confirm GSM retrieval by Cloud Build. However, when I attempt to pass a secret in yaml format using --env-vars-file I encounter the following error ...
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: gcloud crashed (AttributeError): 'str' object has no attribute 'items'
cloudbuild.yaml:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  volumes:
  - name: 'secrets'
    path: '/secrets'
  entrypoint: "bash"
  args:
  - "-c"
  - |
    echo -n 'gsm_secret:' > /secrets/my-secret-file.txt
- name: 'gcr.io/cloud-builders/gcloud'
  volumes:
  - name: 'secrets'
    path: '/secrets'
  entrypoint: "bash"
  args:
  - "-c"
  - |
    gcloud components update
    gcloud beta secrets versions access --secret=MySecret latest >> /secrets/my-secret-file.txt
    cat /secrets/my-secret-file.txt
- name: 'gcr.io/cloud-builders/gcloud'
  volumes:
  - name: 'secrets'
    path: '/secrets'
  args: [
    'functions', 'deploy', 'gsm-foobar',
    '--project=[...]',
    '--trigger-http',
    '--runtime=go111',
    '--region=us-central1',
    '--memory=256MB',
    '--timeout=540',
    '--entry-point=GSM',
    '--allow-unauthenticated',
    '--source=https://source.developers.google.com/[...]',
    '--service-account', '[...]@appspot.gserviceaccount.com',
    '--env-vars-file', '/secrets/my-secret-file.txt'
  ]
Update:
Usage of volumes is not required as /workspace is permanent storage between steps in Cloud Build. Also, gcloud components update is no longer necessary as the default Cloud SDK version, as of today, is 279.0.0
A Solution:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: "bash"
  args:
  - "-c"
  - |
    echo "gsm_secret: $(gcloud beta secrets versions access --secret=MySecret latest)" > /workspace/my-secret-file.txt
    cat /workspace/my-secret-file.txt
- name: 'gcr.io/cloud-builders/gcloud'
  args: [
    'functions', 'deploy', 'gsm-foobar',
    [...]
    '--entry-point=GSM',
    '--allow-unauthenticated',
    '--source=https://source.developers.google.com/[...]',
    '--service-account', '[...]@appspot.gserviceaccount.com',
    '--env-vars-file=/workspace/my-secret-file.txt'
  ]
On second read, I realize your 2nd step puts the secret value in the file. I think you're missing the newline.
NB I've not tried this for myself!
Ensure you have a newline at the end of your secrets file.
See: https://cloud.google.com/functions/docs/env-var
Update: tried it ;-)
I think your issue was the final newline.
Using the following in a step prior to the deployment, works:
echo "gsm_secret: $(gcloud beta secrets versions access --secret=MySecret latest)" > /secrets/my-secret-file.txt
Or, more simply, perhaps:
steps:
- name: "gcr.io/cloud-builders/gcloud"
  entrypoint: /bin/bash
  args:
  - "-c"
  - |
    gcloud functions deploy ... \
    --set-env-vars=NAME=$(gcloud beta secrets versions access --secret=name latest)
Also, see secretEnv. This is a more elegant mechanism. This functionality should perhaps be augmented by Google to support Secret Manager (in addition to KMS).
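For the `--env-vars-file` approach discussed in this thread, the file has to be a YAML mapping, that is a `KEY: "value"` line with a space after the colon and a trailing newline. The following is an added example (not code from the original posts) that writes such a file with owner-only permissions and without printing the secret to the build log; `write_env_vars_file` is a hypothetical helper name and single-line secret values are assumed.

```shell
# Added example: write_env_vars_file is a hypothetical helper, not a gcloud
# command. Usage: write_env_vars_file KEY VALUE PATH
write_env_vars_file() {
  key=$1
  value=$2
  path=$3

  # Accept only plain environment variable names as the key.
  case $key in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid key" >&2; return 1 ;;
  esac

  # A multi-line value would need a YAML block scalar; refuse it rather
  # than write a file that parses differently than intended.
  case $value in
    *'
'*) echo "value contains a newline" >&2; return 1 ;;
  esac

  # Escape backslash first, then double quote, so the value is a valid
  # YAML double-quoted scalar even if it contains ':' or '#'.
  escaped=$(printf '%s' "$value" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

  (
    # Create the file readable by the owner only; remove any older copy
    # first so existing looser permissions are not kept.
    umask 077
    rm -f -- "$path"
    printf '%s: "%s"\n' "$key" "$escaped" > "$path"
  )
}

# In a build step (secret name and path taken from the question above):
#   write_env_vars_file gsm_secret \
#     "$(gcloud beta secrets versions access --secret=MySecret latest)" \
#     /workspace/my-secret-file.txt
```

Unlike the steps above, nothing here runs `cat` on the file, so the secret value does not end up in the build log.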
As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets field:
steps:
- id: 'deploy'
  name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'bash'
  args:
  - '-c'
  - 'gcloud functions deploy --set-env-vars=SECRET=$$MY_SECRET'
  secretEnv: ['MY_SECRET']
availableSecrets:
  secretManager:
  - versionName: 'projects/my-project/secrets/my-secret/versions/latest'
    env: 'MY_SECRET'
Documentation
This is my cloud build file
substitutions:
  _CLOUDSDK_COMPUTE_ZONE: us-central1-a
  _CLOUDSDK_CONTAINER_CLUSTER: $_CLOUDSDK_CONTAINER_CLUSTER
steps:
- name: gcr.io/$PROJECT_ID/sonar-scanner:latest
  entrypoint: 'bash'
  args:
  - '-c'
  - 'if [ $BRANCH_NAME != 'production' ]; then sonar-scanner -Dsonar.host.url=https://sonar.test.io -Dsonar.login=${_SONAR_LOGIN} -Dsonar.projectKey=service -Dsonar.sources=. ; fi'
- id: 'build test-service image'
  name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/$REPO_NAME/$BRANCH_NAME:$SHORT_SHA', '.']
- id: 'push test-service image'
  name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/$REPO_NAME/$BRANCH_NAME:$SHORT_SHA']
- id: 'set test-service image in yamls'
  name: 'ubuntu'
  args: ['bash','-c','sed -i "s,TEST_SERVICE,gcr.io/$PROJECT_ID/$REPO_NAME/$BRANCH_NAME:$SHORT_SHA," k8s/*.yaml']
- id: kubectl-apply
  name: 'gcr.io/cloud-builders/kubectl'
  args: ['apply', '-f', 'k8s/']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLOUDSDK_COMPUTE_ZONE}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLOUDSDK_CONTAINER_CLUSTER}'
images: ['gcr.io/$PROJECT_ID/$REPO_NAME/$BRANCH_NAME:$SHORT_SHA']
I am getting this error:
failed unmarshalling build config cloudbuild.yaml: yaml: line 17: did
not find expected key
Update 1
As per @cloudomation's suggestion, I updated the if condition:
- 'if [ $BRANCH_NAME != "production" ]; then sonar-scanner -Dsonar.host.url=https://sonar.test.io -Dsonar.login=${_SONAR_LOGIN} -Dsonar.projectKey=service -Dsonar.sources=. ; fi'
The condition is working, but when it's true I am getting this error:
Step #1: Digest: sha256:ef0de1c8e48544b9693b9aab2222bf849028bb66881762bf77e055b0abbf7f2b
Step #1: Status: Downloaded newer image for gcr.io/wotnot-235414/sonar-scanner:latest
Step #1: gcr.io/project-235414/sonar-scanner:latest
Step #1: /opt/sonar-scanner-3.2.0.1227-linux/bin/sonar-scanner: exec: line 59: /opt/sonar-scanner-3.2.0.1227-linux/jre/bin/java: not found
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/project-235414/sonar-scanner:latest" failed: exit status 127
But when my step is written this way, it works perfectly:
- name: gcr.io/$PROJECT_ID/sonar-scanner:latest
  args:
  - '-Dsonar.host.url=https://sonar.test.io'
  - '-Dsonar.login=XXXXXXXXXXXXXX'
  - '-Dsonar.projectKey=service-name'
  - '-Dsonar.sources=.'
Also, this runs, which means there is no issue in the builder image; it's just an issue of passing parameters:
docker run gcr.io/$PROJECT_ID/sonar-scanner:latest bash -Dsonar.host.url=https://sonar.test.io -Dsonar.login=${_SONAR_LOGIN} -Dsonar.projectKey=service -Dsonar.sources=.
The if condition is working, but after that the then branch has some issue.
You should escape the quotes:
# inside a single-quoted YAML string, a literal ' is written as ''
- 'if [ $BRANCH_NAME != ''production'' ]; then sonar-scanner -Dsonar.host.url=https://sonar.test.io -Dsonar.login=${_SONAR_LOGIN} -Dsonar.projectKey=service -Dsonar.sources=. ; fi'
or use double quotes:
- 'if [ $BRANCH_NAME != "production" ]; then sonar-scanner -Dsonar.host.url=https://sonar.test.io -Dsonar.login=${_SONAR_LOGIN} -Dsonar.projectKey=service -Dsonar.sources=. ; fi'
Having this config on cloudbuild.yaml (there are other similar fragments on the file):
- name: 'gcr.io/cloud-builders/gcloud'
  id: 'step_1'
  args: ['builds',
         'submit',
         '--config=path_to_sub_app_1/app_1_build.yaml',
         '--substitutions=VAR_1=${ENV_VAR_1}']
  waitFor: ['Docker push']
- name: 'gcr.io/cloud-builders/gcloud'
  id: 'step_2'
  args: ['builds',
         'submit',
         '--config=path_to_sub_app_2/app_2_build.yaml',
         '--substitutions=VAR_1=${ENV_VAR_1}']
  waitFor: ['Docker push']
Is it possible to skip step_1 and continue the execution normally (step_2)?
Use entrypoint: 'bash':
- name: 'gcr.io/cloud-builders/gcloud'
  id: 'step_1'
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    if [ "$_SKIP_STEP" != "true" ]
    then
      gcloud builds submit --config=path_to_sub_app_1/app_1_build.yaml --substitutions=VAR_1=${ENV_VAR_1}
    fi
  waitFor: ['Docker push']
Define this var: _SKIP_STEP="false"
And now we can run the build and skip step_1:
gcloud builds submit --config=cloudbuild.yaml --substitutions=_SKIP_STEP=true