Commit a607dbc8 authored by Xueshan Feng's avatar Xueshan Feng

Migrate to GAR.

parent e8b36e66
......@@ -13,5 +13,7 @@
# --form protected=[yes|no]
# --form masked=[yes|no]
GOOGLE_APPLICATION_CREDENTIALS vault://${SEC_PATH}/common/gcr-user --form variable_type=file --form protected=yes
login_name this-is-old-test --form variable_type=env_var --form protected=yes --form masked=yes
# AR image repo and write cred
GOOGLE_APPLICATION_CREDENTIALS vault://${DOCKER_REGISTRY_PASSWORD_PATH} --form variable_type=file
IMAGE_REPO ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE} --form variable_type=env_var
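Review bot: The new `GOOGLE_APPLICATION_CREDENTIALS vault://${DOCKER_REGISTRY_PASSWORD_PATH} --form variable_type=file` line drops the `--form protected=yes` that the line it replaces carried, so the registry writer key file becomes available to pipeline jobs running on unprotected branches and tags. Unless that widening is intended, keep the protection: `GOOGLE_APPLICATION_CREDENTIALS vault://${DOCKER_REGISTRY_PASSWORD_PATH} --form variable_type=file --form protected=yes`. The header counts (5 old, 7 new) suggest at least one trailing line of this hunk is not shown here.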
......@@ -27,8 +27,8 @@ build:
script:
- /kaniko/executor
--cache=false
--context $CI_PROJECT_DIR
--dockerfile $CI_PROJECT_DIR/Dockerfile
--destination $REGISTRY_IMAGE:2.5.12-bullseye
--destination $REGISTRY_IMAGE:$CI_COMMIT_SHA
--context $CI_PROJECT_DIR/docker
--dockerfile $CI_PROJECT_DIR/docker/Dockerfile
--destination $IMAGE_REPO:2.5.12-bullseye
--destination $IMAGE_REPO:$CI_COMMIT_SHA
## End of Job
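Review bot: The `2.5.12-bullseye` tag on the new `--destination $IMAGE_REPO:2.5.12-bullseye` line stays hard-coded in the pipeline, and it does not match the `DOCKER_IMAGE_VERSION=2.4.59-bullseye` value set in the project configuration elsewhere in this commit, so the two version sources can drift silently. Publishing the version as a CI variable next to `IMAGE_REPO` in the `.gitlab-ci.sec` file (for example an `IMAGE_VERSION` entry, name constructed here) and writing `--destination $IMAGE_REPO:$IMAGE_VERSION` keeps a single source of truth. The rest of the `build:` job lies outside this hunk.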
......@@ -23,24 +23,22 @@ endif
include ${FRAMEWORK_DIR}/makefile_parts/shared.mk
include ${FRAMEWORK_DIR}/makefile_parts/vault.mk
include ${FRAMEWORK_DIR}/makefile_parts/docker-compose.mk
include ${FRAMEWORK_DIR}/makefile_parts/config.mk
include ${FRAMEWORK_DIR}/makefile_parts/gitlab.mk
# include ${FRAMEWORK_DIR}/makefile_parts/drone08.mk
.PHONY: build
build: build-docker ## build app and docker image
build: ## build docker image
@docker buildx create --use
docker buildx build --platform linux/amd64 \
-t ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE}:latest docker
.PHONY: build-docker-nocache
build-docker-nocache: docker-composer-init ## build docker image
@if [ -f Dockerfile ]; then \
docker build --no-cache --pull -t ${DOCKER_IMAGE}:latest . ; \
elif [ -f ${COMPOSE_FILE} ]; then \
docker-compose -f ${COMPOSE_FILE} build --pull; \
fi
.PHONY: push
push: vault-login push-version push-latest ## push both latest and versioned image to docker registry
.PHONY: build-push
build-push: ## build docker image
@docker buildx create --use
docker buildx build --push --platform linux/amd64 \
-t ${DOCKER_REGISTRY}/${DOCKER_REPO}/${DOCKER_IMAGE}:latest docker
.PHONY: pull
pull: ault-login pull-latest ## pull latest image from project's docker registry
pull: pull-latest ## pull latest image from project's docker registry
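Review bot: `pull: pull-latest` on the last line removes the login prerequisite instead of fixing the `ault-login` typo, while `push` on the context line above still depends on `vault-login`; if `pull-latest` (defined outside this file) obtains registry credentials through Vault, `make pull` on a fresh checkout would run unauthenticated against the private repository, so `pull: vault-login pull-latest ## pull latest image from project's docker registry` is the likelier intent. The two new `@docker buildx create --use` lines in `build` and `build-push` also create a fresh builder on every run; a guard such as `docker buildx inspect >/dev/null 2>&1 || docker buildx create --use` keeps a single builder. The help text on `build-push` should read `## build and push docker image`, since the recipe passes `--push`.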
# Docker configuration
export DOCKER_IMAGE=openldap
export DOCKER_REGISTRY_USERNAME=_json_key
export DOCKER_REGISTRY_PASSWORD_PATH=${SEC_PATH}/common/gcr-user
export DRONE_REPO=authnz/docker-${DOCKER_IMAGE}
export DOCKER_IMAGE_VERSION=2.4.59-bullseye
DOCKER_IMAGE=openldap
DOCKER_IMAGE_VERSION=2.4.59-bullseye
# The AR regisitory repository
DOCKER_REGISTRY=us-docker.pkg.dev
DOCKER_REPO=${GCP_PROJECT_ID}/docker-private
DOCKER_REGISTRY_PASSWORD_PATH=${SEC_PATH}/common/ar-writer
# GitLab configuration
export GITLAB_SERVER=https://code.stanford.edu
export GITLAB_REPO=authnz/docker-${DOCKER_IMAGE}
export GITLAB_SEC_FILE=.gitlab-ci.sec
export SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
export SLACK_GITLAB_CHANNEL=authnz-git-commits
export SLACK_CICD_CHANNEL=authnz-build
GITLAB_SERVER=https://code.stanford.edu
GITLAB_REPO=authnz/docker-${DOCKER_IMAGE}
GITLAB_SEC_FILE=.gitlab-ci.sec
SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
SLACK_GITLAB_CHANNEL=authnz-git-commits
SLACK_CICD_CHANNEL=authnz-build
......@@ -3,61 +3,61 @@
# If it is changed, re-run 'make sync-env' in uit-authnz repository.
#
# Terraform version
export TF_VERSION = "= 0.12.19"
TF_VERSION = "= 0.12.19"
# GCLOUD Configuration
export GOOGLE_CLOUD_PROJECT=uit-authnz
export GCP_PROJECT_ID=${GOOGLE_CLOUD_PROJECT}
export GCP_PROJECT_NAME=${GOOGLE_CLOUD_PROJECT}
export GCP_CONFIGURATION=${GCP_PROJECT_NAME}-${GCP_ENVIRONMENT}
export GCP_REGION=us-west1
export GCP_ZONE=${GCP_REGION}-a
export GCP_ENVIRONMENT=default
export GCP_DNS_DOMAIN=iam.stanford.edu
export ACME_DNS_PROVIDER=${GCP_PROJECT_NAME}-d
export GCP_NETWORK=services
GOOGLE_CLOUD_PROJECT=uit-authnz
GCP_PROJECT_ID=${GOOGLE_CLOUD_PROJECT}
GCP_PROJECT_NAME=${GOOGLE_CLOUD_PROJECT}
GCP_CONFIGURATION=${GCP_PROJECT_NAME}-${GCP_ENVIRONMENT}
GCP_REGION=us-west1
GCP_ZONE=${GCP_REGION}-a
GCP_ENVIRONMENT=default
GCP_DNS_DOMAIN=iam.stanford.edu
ACME_DNS_PROVIDER=${GCP_PROJECT_NAME}-d
GCP_NETWORK=services
# Default Docker registry
export DOCKER_NAMESPACE=${GCP_PROJECT_ID}
export DOCKER_REGISTRY=gcr.io
DOCKER_NAMESPACE=${GCP_PROJECT_ID}
DOCKER_REGISTRY=gcr.io
# Force gcloud auth with user credentials
export GCP_USER_AUTH=true
GCP_USER_AUTH=true
# Google group that are granted permissions to GCP resources (iam.tf)
export GCP_WORKGROUP=authnz_ops@stanford.edu
GCP_WORKGROUP=authnz_ops@stanford.edu
# Required by Terraform: APPLICATION_DEFAULT_CREDENTIALS
export GCP_INFRASTRUCTURE_BUCKET=${GCP_PROJECT_ID}-infrastructure
export TF_BACKEND_PREFIX=terraform/${GCP_PROJECT_ID}/${GCP_ENVIRONMENT}/state
GCP_INFRASTRUCTURE_BUCKET=${GCP_PROJECT_ID}-infrastructure
TF_BACKEND_PREFIX=terraform/${GCP_PROJECT_ID}/${GCP_ENVIRONMENT}/state
# PS Cloud Framework (Scripts, shared config, etc.)
export FRAMEWORK_DIR=${HOME}/bin/ps-cloud-framework
export FRAMEWORK_BUCKET=ps-cloud-framework
export SCRIPTS_DIR=${FRAMEWORK_DIR}/scripts
FRAMEWORK_DIR=${HOME}/bin/ps-cloud-framework
FRAMEWORK_BUCKET=ps-cloud-framework
SCRIPTS_DIR=${FRAMEWORK_DIR}/scripts
# Vault and secrets configuration
export VAULT_ADDR=https://vault.stanford.edu
export VAULT_AUTH_METHOD=ldap
export VAULT_CACHE=${HOME}/.vault-local
export SEC_PATH=secret/projects/${GCP_PROJECT_NAME}
export GCP_KEY_PATH=${SEC_PATH}/common/gcp-provision
export GCP_KEY_FILE=${VAULT_CACHE}/${GCP_KEY_PATH}
export EXTERNAL_DNS_GCP_CREDENTIALS_PATH=${SEC_PATH}/common/dns-admin-key
export EXTERNAL_DNS_DOMAIN_FILTERS=iam.stanford.edu
export DOCKER_REGISTRY_PASSWORD_PATH_GCR_USER=${SEC_PATH}/common/gcr-user
export DOCKER_REGISTRY_PASSWORD_PATH_GCR_PULL=${SEC_PATH}/common/gcr-pull
export SPLUNK_ADDON_SA=${SEC_PATH}/common/splunk-addon-sa
VAULT_ADDR=https://vault.stanford.edu
VAULT_AUTH_METHOD=ldap
VAULT_CACHE=${HOME}/.vault-local
SEC_PATH=secret/projects/${GCP_PROJECT_NAME}
GCP_KEY_PATH=${SEC_PATH}/common/gcp-provision
GCP_KEY_FILE=${VAULT_CACHE}/${GCP_KEY_PATH}
EXTERNAL_DNS_GCP_CREDENTIALS_PATH=${SEC_PATH}/common/dns-admin-key
EXTERNAL_DNS_DOMAIN_FILTERS=iam.stanford.edu
DOCKER_REGISTRY_PASSWORD_PATH_GCR_USER=${SEC_PATH}/common/gcr-user
DOCKER_REGISTRY_PASSWORD_PATH_GCR_PULL=${SEC_PATH}/common/gcr-pull
SPLUNK_ADDON_SA=${SEC_PATH}/common/splunk-addon-sa
# Drone server for CI/CD
export DRONE_SERVER=https://drone.svc.stanford.edu
DRONE_SERVER=https://drone.svc.stanford.edu
# GitLab ci configuration
export GITLAB_SERVER=https://code.stanford.edu
export GITLAB_SEC_FILE=../.gitlab-ci.sec
export SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
export SLACK_GITLAB_CHANNEL=authnz-git-commits
export SLACK_CICD_CHANNEL=authnz-build
GITLAB_SERVER=https://code.stanford.edu
GITLAB_SEC_FILE=../.gitlab-ci.sec
SLACK_WEBHOOK_PATH=${SEC_PATH}/common/slack/gitlab-integration
SLACK_GITLAB_CHANNEL=authnz-git-commits
SLACK_CICD_CHANNEL=authnz-build
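Review bot: On the new side `DOCKER_REGISTRY=gcr.io` and the `DOCKER_REGISTRY_PASSWORD_PATH_GCR_USER` / `DOCKER_REGISTRY_PASSWORD_PATH_GCR_PULL` paths still describe the GCR setup, while the project configuration in this same commit moves to `us-docker.pkg.dev` and the `ar-writer` credential; if this shared file is the default other projects inherit, a project that does not override `DOCKER_REGISTRY` keeps publishing to GCR after the migration, so either change the default here or annotate it with `# legacy GCR default; projects migrated to AR override DOCKER_REGISTRY`. Dropping `export` from every assignment in this hunk and in the following `@@ -65,59 +65,59 @@` hunk also changes what recipe shells receive if the file is still consumed through a make `include` (the `make sync-env` note at the top suggests it is): values such as `VAULT_ADDR` and `GOOGLE_CLOUD_PROJECT` would then no longer be in the environment of `gcloud`, `docker` or `terraform` unless something else exports them, which is worth confirming against how the file is loaded after this change.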
......@@ -65,59 +65,59 @@ export SLACK_CICD_CHANNEL=authnz-build
# Sub-projects dir
export SUB_PROJECTS=sub-projects
SUB_PROJECTS=sub-projects
# GKE Configuration
export GKE_CLUSTER_NAME=${GCP_ENVIRONMENT}-${GCP_REGION}
export KUBE_CONTEXT=gke_${GCP_PROJECT_ID}
GKE_CLUSTER_NAME=${GCP_ENVIRONMENT}-${GCP_REGION}
KUBE_CONTEXT=gke_${GCP_PROJECT_ID}
# set kube config default namespace
export KUBE_NAMESPACE=${APP_NAMESPACE}
KUBE_NAMESPACE=${APP_NAMESPACE}
# reserved cidrs for gke masters, /28 CIDR blocks
export GKE_MASTER_CIDR_PROD=172.16.0.16/28
export GKE_MASTER_CIDR_STAGE=172.16.0.32/28
export GKE_MASTER_CIDR_DEV=172.16.0.48/28
GKE_MASTER_CIDR_PROD=172.16.0.16/28
GKE_MASTER_CIDR_STAGE=172.16.0.32/28
GKE_MASTER_CIDR_DEV=172.16.0.48/28
# reserved cidrs for firestore, /29 CIDR blocks
export FS_CIDR_PROD=172.16.1.8/29
export FS_CIDR_STAGE=172.16.1.16/29
export FS_CIDR_DEV=172.16.1.32/29
export FS_TIER=STANDARD
FS_CIDR_PROD=172.16.1.8/29
FS_CIDR_STAGE=172.16.1.16/29
FS_CIDR_DEV=172.16.1.32/29
FS_TIER=STANDARD
# capacity in number of TB
export FS_CAPACITY=1
export FS_NAME=filestore-${GCP_ENVIRONMENT}
FS_CAPACITY=1
FS_NAME=filestore-${GCP_ENVIRONMENT}
# Other applications need to know the backup-monitor-user name and email
export BACKUP_MONITOR_USER=backup-monitor-user
export BACKUP_MONITOR_USER_EMAIL=${BACKUP_MONITOR_USER}@${GCP_PROJECT_NAME}.iam.gserviceaccount.com
BACKUP_MONITOR_USER=backup-monitor-user
BACKUP_MONITOR_USER_EMAIL=${BACKUP_MONITOR_USER}@${GCP_PROJECT_NAME}.iam.gserviceaccount.com
#########
# Storage buckets created and used in gke-cluster for each environment; put in here so kube-ldap can share the env.
# ldap backup bucket
export LDAP_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-ldap-backup
export LDAP_BACKUP_BUCKET_LOCATION=US
export FORCE_DESTROY_LDAP_BACKUP_BUCKET=true
LDAP_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-ldap-backup
LDAP_BACKUP_BUCKET_LOCATION=US
FORCE_DESTROY_LDAP_BACKUP_BUCKET=true
# General data bucket (for idp, kdc, ldap etc.)
export DATA_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data
export DATA_BUCKET_LOCATION=US
export FORCE_DESTROY_DATA_BUCKET=true
DATA_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data
DATA_BUCKET_LOCATION=US
FORCE_DESTROY_DATA_BUCKET=true
# General public data bucket (for idp, kdc, ldap etc.)
export DATA_PUBLIC_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data-public
export DATA_PUBLIC_BUCKET_LOCATION=US
export FORCE_DESTROY_DATA_PUBLIC_BUCKET=true
DATA_PUBLIC_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-data-public
DATA_PUBLIC_BUCKET_LOCATION=US
FORCE_DESTROY_DATA_PUBLIC_BUCKET=true
# KDC backup bucket
export KDC_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-kdc-backup
export KDC_BACKUP_BUCKET_LOCATION=US
export FORCE_DESTROY_KDC_BACKUP_BUCKET=true
export KDC_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
KDC_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-kdc-backup
KDC_BACKUP_BUCKET_LOCATION=US
FORCE_DESTROY_KDC_BACKUP_BUCKET=true
KDC_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
# WALLET backup bucket
export WALLET_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-wallet-backup
export WALLET_BACKUP_BUCKET_LOCATION=US
export FORCE_DESTROY_WALLET_BACKUP_BUCKET=true
export WALLET_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30
WALLET_BACKUP_BUCKET=${GCP_ENVIRONMENT}-${GCP_PROJECT_NAME}-wallet-backup
WALLET_BACKUP_BUCKET_LOCATION=US
FORCE_DESTROY_WALLET_BACKUP_BUCKET=true
WALLET_NUMBER_NEWER_VERSIONS_BACKUP_BUCKET=30