Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pnu/gcr-trigger-build-wip

**work in progress** – Trigger Cloud Build jobs when new tags are inserted to GCR or webhook called.I've implemented similar for Cloud Run and at least for the current use-case it seems to be better fit.. but I'll save this here for later reference.
https://github.com/pnu/gcr-trigger-build-wip

cloudbuild gcf gcloud gcr pubsub secrets-manager wip

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/pnu/gcr-trigger-build-wip
Owner: pnu
Created: 2020-01-29T13:51:07.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2022-06-02T21:32:25.000Z (over 2 years ago)
Last Synced: 2024-04-14T15:05:15.944Z (9 months ago)
Topics: cloudbuild, gcf, gcloud, gcr, pubsub, secrets-manager, wip
Language: Shell
Homepage:
Size: 66.4 KB
Stars: 0
Watchers: 3
Forks: 0
Open Issues: 3
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Setup

gcloud config set project
gcloud config set functions/region
./gcloud-initial-setup.sh
yarn deploy

# Components

GCR => `gcrWatcher` => PubSub

HTTP => `webhookWatcher` => PubSub

PubSub => `triggerBuild` => Cloud build => Firebase

# Description

Cloud Function `gcrWatcher` subscribes to the GCR PubSub topic.
If a new tag that matches the configuration (see
`gcloud-config-update.sh`) is inserted to the GCR, the function
triggers a new Cloud build task. This happens by publishing a
message to another topic. Message body defines name of the
requested build job.

Cloud Function `triggerBuild` subcribes to this second topic
and launches the actual Cloud build job, if build job name
matches the configured name.

Cloud Function `webhookWatcher` is attached to an HTTPS endpoint.
The request is authenticated with a shared secret. HTTP body
contains a JSON payload that defines the requested build job, which
is then triggered by sending a message to `triggerBuild`.

Configuration is stored in GCP Secrects Manager, because it may
contain some sensitive API-keys or tokens for deployment. It also
means that the configuration can be changed dynamically without
redeploying the code. For example webhook authentication secret
can be rotated as a configuration task only. Script
`gcloud-config-update.sh` can be used to update the configuration.
This script also generates a webhook authentication secret,
which needs to be included in the webhook call.

# Example use-case

When new image is pushed to GCR and tagged with `latest`,
this automation takes the build image, and runs a prerendering
task _inside_ that prebuilt image (running in Cloud build runtime).
The created assets are then deployed to Firebase hosting.
This buildtask is defined as a json configuration, in `gcloud-config-prerender.json`.

In addition to new build images, the same prerendering task
is run when content in an external CMS changes. The CMS system
triggers a webhook POST (with json payload describing the
requested buildtask). Webhook triggers the same build task
as the GCR use-case above.

Same automation can be used for triggering any build task on GCR
changes or webhooks, and can be deployed multiple times to same
project if taking care of naming the functions and configuration
entries separately for each use-case.

# Miscellaneous

The prerendering task in `gcloud-config-prerender.json` is included
as part of the dynamic configuration (see `gcloud-config-update.sh`).
Ie. this _file_ is not shipped to the functions.

For testing purposes the bare JSON file can be used to trigger a cloud build job manually, eg:

GCP_PROJECT=

gcloud builds submit --no-source --config gcloud-config-prerender.json --substitutions="_BUILD_IMAGE_NAME=gcr.io/${GCP_PROJECT}/build:latest,_FIREBASE_HOSTING_PROJECT=${GCP_PROJECT},_FIREBASE_HOSTING_TARGET=staging"