Migrate to GAR.

.gitlab-ci.sec

@@ -13,5 +13,7 @@
 #     --form protected=[yes|no]
 #     --form masked=[yes|no]
 
-GOOGLE_APPLICATION_CREDENTIALS      vault://${SEC_PATH}/common/gcr-user --form variable_type=file --form protected=yes
-login_name  	                    this-is-old-test  --form variable_type=env_var --form protected=yes --form masked=yes
+# AR image repo and write cred
+GOOGLE_APPLICATION_CREDENTIALS  vault://${DOCKER_REGISTRY_PASSWORD_PATH} --form variable_type=file
+IMAGE_REPO ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE} --form variable_type=env_var
+    

.gitlab-ci.yml

@@ -27,8 +27,8 @@ build:
   script:
     - /kaniko/executor
         --cache=false
-        --context $CI_PROJECT_DIR
-        --dockerfile $CI_PROJECT_DIR/Dockerfile
-        --destination $REGISTRY_IMAGE:2.5.12-bullseye
-        --destination $REGISTRY_IMAGE:$CI_COMMIT_SHA
+        --context $CI_PROJECT_DIR/docker
+        --dockerfile $CI_PROJECT_DIR/docker/Dockerfile
+        --destination $IMAGE_REPO:2.5.12-bullseye
+        --destination $IMAGE_REPO:$CI_COMMIT_SHA
 ## End of Job

Makefile

@@ -23,24 +23,22 @@ endif
 
 include ${FRAMEWORK_DIR}/makefile_parts/shared.mk
 include ${FRAMEWORK_DIR}/makefile_parts/vault.mk
-include ${FRAMEWORK_DIR}/makefile_parts/docker-compose.mk
 include ${FRAMEWORK_DIR}/makefile_parts/config.mk
 include ${FRAMEWORK_DIR}/makefile_parts/gitlab.mk
 # include ${FRAMEWORK_DIR}/makefile_parts/drone08.mk
 
 .PHONY: build
-build: build-docker ## build app and docker image
+build: ## build docker image
+	@docker buildx create --use
+	docker buildx build --platform linux/amd64 \
+          -t ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE}:latest docker
 
-.PHONY: build-docker-nocache
-build-docker-nocache: docker-composer-init ## build docker image
-	@if  [ -f Dockerfile ]; then \
-		docker build  --no-cache --pull -t ${DOCKER_IMAGE}:latest . ; \
-    elif [ -f ${COMPOSE_FILE} ]; then \
-        docker-compose -f ${COMPOSE_FILE} build --pull; \
-    fi
-
-.PHONY: push
-push: vault-login push-version push-latest ## push both latest and versioned image to docker registry
+.PHONY: build-push
+build-push: ## build docker image
+	@docker buildx create --use
+	docker buildx build --push --platform linux/amd64 \
+          -t ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE}:latest docker
 
 .PHONY: pull
-pull: ault-login pull-latest ## pull latest image from project's docker registry
+pull: pull-latest ## pull latest image from project's docker registry
+

env.mk

 # Docker configuration
-export DOCKER_IMAGE=openldap
-export DOCKER_REGISTRY_USERNAME=_json_key
-export DOCKER_REGISTRY_PASSWORD_PATH=${SEC_PATH}/common/gcr-user
-export DRONE_REPO=authnz/docker-${DOCKER_IMAGE}
-export DOCKER_IMAGE_VERSION=2.4.59-bullseye
+DOCKER_IMAGE=openldap
+DOCKER_IMAGE_VERSION=2.4.59-bullseye
+
+# The AR regisitory repository
+DOCKER_REGISTRY=us-docker.pkg.dev
+DOCKER_REPO=${GCP_PROJECT_ID}/docker-private
+DOCKER_REGISTRY_PASSWORD_PATH=${SEC_PATH}/common/ar-writer
+
 
 # GitLab configuration
-export GITLAB_SERVER=https://code.stanford.edu
-export GITLAB_REPO=authnz/docker-${DOCKER_IMAGE}
-export GITLAB_SEC_FILE=.gitlab-ci.sec
-export SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
-export SLACK_GITLAB_CHANNEL=authnz-git-commits
-export SLACK_CICD_CHANNEL=authnz-build
+GITLAB_SERVER=https://code.stanford.edu
+GITLAB_REPO=authnz/docker-${DOCKER_IMAGE}
+GITLAB_SEC_FILE=.gitlab-ci.sec
+SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
+SLACK_GITLAB_CHANNEL=authnz-git-commits
+SLACK_CICD_CHANNEL=authnz-build

gcp-env.sh

@@ -3,61 +3,61 @@
 # If it is changed, re-run 'make sync-env' in uit-authnz repository.
 #
 # Terraform version
-export TF_VERSION = "= 0.12.19"
+TF_VERSION = "= 0.12.19"
 
 # GCLOUD Configuration
-export GOOGLE_CLOUD_PROJECT=uit-authnz
-export GCP_PROJECT_ID=${GOOGLE_CLOUD_PROJECT}
-export GCP_PROJECT_NAME=${GOOGLE_CLOUD_PROJECT}
-export GCP_CONFIGURATION=${GCP_PROJECT_NAME}-${GCP_ENVIRONMENT}
-export GCP_REGION=us-west1
-export GCP_ZONE=${GCP_REGION}-a
-export GCP_ENVIRONMENT=default
-export GCP_DNS_DOMAIN=iam.stanford.edu
-export ACME_DNS_PROVIDER=${GCP_PROJECT_NAME}-d
-export GCP_NETWORK=services
+GOOGLE_CLOUD_PROJECT=uit-authnz
+GCP_PROJECT_ID=${GOOGLE_CLOUD_PROJECT}
+GCP_PROJECT_NAME=${GOOGLE_CLOUD_PROJECT}
+GCP_CONFIGURATION=${GCP_PROJECT_NAME}-${GCP_ENVIRONMENT}
+GCP_REGION=us-west1
+GCP_ZONE=${GCP_REGION}-a
+GCP_ENVIRONMENT=default
+GCP_DNS_DOMAIN=iam.stanford.edu
+ACME_DNS_PROVIDER=${GCP_PROJECT_NAME}-d
+GCP_NETWORK=services
 
 # Default Docker registry
-export DOCKER_NAMESPACE=${GCP_PROJECT_ID}
-export DOCKER_REGISTRY=gcr.io
+DOCKER_NAMESPACE=${GCP_PROJECT_ID}
+DOCKER_REGISTRY=gcr.io
 
 # Force gcloud auth with user credentials
-export GCP_USER_AUTH=true
+GCP_USER_AUTH=true
 
 # Google group that are granted permissions to GCP resources (iam.tf)
-export GCP_WORKGROUP=authnz_ops@stanford.edu
+GCP_WORKGROUP=authnz_ops@stanford.edu
 
 # Required by Terraform: APPLICATION_DEFAULT_CREDENTIALS
-export GCP_INFRASTRUCTURE_BUCKET=${GCP_PROJECT_ID}-infrastructure
-export TF_BACKEND_PREFIX=terraform/${GCP_PROJECT_ID}/${GCP_ENVIRONMENT}/state
+GCP_INFRASTRUCTURE_BUCKET=${GCP_PROJECT_ID}-infrastructure
+TF_BACKEND_PREFIX=terraform/${GCP_PROJECT_ID}/${GCP_ENVIRONMENT}/state
 
 # PS Cloud Framework (Scripts, shared config, etc.)
-export FRAMEWORK_DIR=${HOME}/bin/ps-cloud-framework
-export FRAMEWORK_BUCKET=ps-cloud-framework
-export SCRIPTS_DIR=${FRAMEWORK_DIR}/scripts
+FRAMEWORK_DIR=${HOME}/bin/ps-cloud-framework
+FRAMEWORK_BUCKET=ps-cloud-framework
+SCRIPTS_DIR=${FRAMEWORK_DIR}/scripts
 
 # Vault and secrets configuration
-export VAULT_ADDR=https://vault.stanford.edu
-export VAULT_AUTH_METHOD=ldap
-export VAULT_CACHE=${HOME}/.vault-local
-export SEC_PATH=secret/projects/${GCP_PROJECT_NAME}
-export GCP_KEY_PATH=${SEC_PATH}/common/gcp-provision
-export GCP_KEY_FILE=${VAULT_CACHE}/${GCP_KEY_PATH}
-export EXTERNAL_DNS_GCP_CREDENTIALS_PATH=${SEC_PATH}/common/dns-admin-key
-export EXTERNAL_DNS_DOMAIN_FILTERS=iam.stanford.edu
-export DOCKER_REGISTRY_PASSWORD_PATH_GCR_USER=${SEC_PATH}/common/gcr-user
-export DOCKER_REGISTRY_PASSWORD_PATH_GCR_PULL=${SEC_PATH}/common/gcr-pull
-export SPLUNK_ADDON_SA=${SEC_PATH}/common/splunk-addon-sa
+VAULT_ADDR=https://vault.stanford.edu
+VAULT_AUTH_METHOD=ldap
+VAULT_CACHE=${HOME}/.vault-local
+SEC_PATH=secret/projects/${GCP_PROJECT_NAME}
+GCP_KEY_PATH=${SEC_PATH}/common/gcp-provision
+GCP_KEY_FILE=${VAULT_CACHE}/${GCP_KEY_PATH}
+EXTERNAL_DNS_GCP_CREDENTIALS_PATH=${SEC_PATH}/common/dns-admin-key
+EXTERNAL_DNS_DOMAIN_FILTERS=iam.stanford.edu
+DOCKER_REGISTRY_PASSWORD_PATH_GCR_USER=${SEC_PATH}/common/gcr-user
+DOCKER_REGISTRY_PASSWORD_PATH_GCR_PULL=${SEC_PATH}/common/gcr-pull
+SPLUNK_ADDON_SA=${SEC_PATH}/common/splunk-addon-sa
 
 # Drone server for CI/CD
-export DRONE_SERVER=https://drone.svc.stanford.edu
+DRONE_SERVER=https://drone.svc.stanford.edu
 
 # GitLab ci configuration
-export GITLAB_SERVER=https://code.stanford.edu
-export GITLAB_SEC_FILE=../.gitlab-ci.sec
-export SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
-export SLACK_GITLAB_CHANNEL=authnz-git-commits
-export SLACK_CICD_CHANNEL=authnz-build
+GITLAB_SERVER=https://code.stanford.edu
+GITLAB_SEC_FILE=../.gitlab-ci.sec
+SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
+SLACK_GITLAB_CHANNEL=authnz-git-commits
+SLACK_CICD_CHANNEL=authnz-build
 
 
 
@@ -65,59 +65,59 @@ export SLACK_CICD_CHANNEL=authnz-build
 
 
 # Sub-projects dir
-export SUB_PROJECTS=sub-projects
+SUB_PROJECTS=sub-projects
 
 # GKE Configuration
-export GKE_CLUSTER_NAME=${GCP_ENVIRONMENT}-${GCP_REGION}
-export KUBE_CONTEXT=gke_${GCP_PROJECT_ID}
+GKE_CLUSTER_NAME=${GCP_ENVIRONMENT}-${GCP_REGION}
+KUBE_CONTEXT=gke_${GCP_PROJECT_ID}
 
 # set kube config default namespace
-export KUBE_NAMESPACE=${APP_NAMESPACE}
+KUBE_NAMESPACE=${APP_NAMESPACE}
 
 # reserved cidrs for gke masters,  /28 CIDR blocks
-export GKE_MASTER_CIDR_PROD=172.16.0.16/28
-export GKE_MASTER_CIDR_STAGE=172.16.0.32/28
-export GKE_MASTER_CIDR_DEV=172.16.0.48/28
+GKE_MASTER_CIDR_PROD=172.16.0.16/28
+GKE_MASTER_CIDR_STAGE=172.16.0.32/28
+GKE_MASTER_CIDR_DEV=172.16.0.48/28
 
 # reserved cidrs for firestore,  /29 CIDR blocks
-export FS_CIDR_PROD=172.16.1.8/29
-export FS_CIDR_STAGE=172.16.1.16/29
-export FS_CIDR_DEV=172.16.1.32/29
-export FS_TIER=STANDARD
+FS_CIDR_PROD=172.16.1.8/29
+FS_CIDR_STAGE=172.16.1.16/29
+FS_CIDR_DEV=172.16.1.32/29
+FS_TIER=STANDARD
 # capacity in number of TB
-export FS_CAPACITY=1
-export FS_NAME=filestore-${GCP_ENVIRONMENT}
+FS_CAPACITY=1
+FS_NAME=filestore-${GCP_ENVIRONMENT}
 
 # Other applications need to know the backup-monitor-user name and email
-export BACKUP_MONITOR_USER=backup-monitor-user
-export BACKUP_MONITOR_USER_EMAIL=${BACKUP_MONITOR_USER}@${GCP_PROJECT_NAME}.iam.gserviceaccount.com
+BACKUP_MONITOR_USER=backup-monitor-user
+BACKUP_MONITOR_USER_EMAIL=${BACKUP_MONITOR_USER}@${GCP_PROJECT_NAME}.iam.gserviceaccount.com
 
 #########
 # Storage buckets created and used in gke-cluster for each environment; put in here so kube-ldap can share the env.
 
 # ldap backup bucket
-export LDAP_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-ldap-backup
-export LDAP_BACKUP_BUCKET_LOCATION=US
-export FORCE_DESTROY_LDAP_BACKUP_BUCKET=true
+LDAP_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-ldap-backup
+LDAP_BACKUP_BUCKET_LOCATION=US
+FORCE_DESTROY_LDAP_BACKUP_BUCKET=true
 
 # General data bucket (for idp, kdc, ldap etc.)
-export DATA_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data
-export DATA_BUCKET_LOCATION=US
-export FORCE_DESTROY_DATA_BUCKET=true
+DATA_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data
+DATA_BUCKET_LOCATION=US
+FORCE_DESTROY_DATA_BUCKET=true
 
 # General public data bucket (for idp, kdc, ldap etc.)
-export DATA_PUBLIC_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data-public
-export DATA_PUBLIC_BUCKET_LOCATION=US
-export FORCE_DESTROY_DATA_PUBLIC_BUCKET=true
+DATA_PUBLIC_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data-public
+DATA_PUBLIC_BUCKET_LOCATION=US
+FORCE_DESTROY_DATA_PUBLIC_BUCKET=true
 
 # KDC backup bucket
-export KDC_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-kdc-backup
-export KDC_BACKUP_BUCKET_LOCATION=US
-export FORCE_DESTROY_KDC_BACKUP_BUCKET=true
-export KDC_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
+KDC_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-kdc-backup
+KDC_BACKUP_BUCKET_LOCATION=US
+FORCE_DESTROY_KDC_BACKUP_BUCKET=true
+KDC_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
 
 # WALLET backup bucket
-export WALLET_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-wallet-backup
-export WALLET_BACKUP_BUCKET_LOCATION=US
-export FORCE_DESTROY_WALLET_BACKUP_BUCKET=true
-export WALLET_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
+WALLET_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-wallet-backup
+WALLET_BACKUP_BUCKET_LOCATION=US
+FORCE_DESTROY_WALLET_BACKUP_BUCKET=true
+WALLET_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30