Trigger GCP Cloudbuild

A "hello world" for triggering Google Cloudbuild in Golang.

IAM setup

1. Create a GCP service account:

   $ gcloud iam service-accounts create trigger-gcb

2. Add the "Cloud Container Builder Editor" and "Storage Object Admin" roles to the service account.

   $ export SA_EMAIL=$(gcloud iam service-accounts list --filter="name:trigger-gcb" --format='value(email)')
   $ export PROJECT=$(gcloud info --format='value(config.project)')
   $ gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL --role roles/storage.admin
   $ gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL --role roles/cloudbuild.builds.editor

3. Create a JSON key for the service-account.

   $ gcloud iam service-accounts keys create trigger-gcb.json --iam-account $SA_EMAIL

GKE test steps

• Create generic secret for $GOOGLE_APPLICATION_CREDENTIALS ENV var:

  $ kubectl create secret generic google-application-credentials --from-file=key.json=trigger-gcb.json

• Deploy the main test app:

  $ export PROJECT=$(gcloud info --format='value(config.project)')
  $ helm install trigger-gcp-cloudbuild/ --set projectID=$PROJECT --name gcb

• Monitor the output with kubectl logs (or - shameless plug - try klog for fast, prompted k8s logs)

  • The gcb-built Job pod logs should output:

    Built by GCP Cloudbuild

• Cleanup:

  $ helm delete --purge gcb
  $ kubectl delete secret google-application-credentials

IAM, Storage and Images cleanup

• Delete the service account:

  $ gcloud iam service-accounts delete $SA_EMAIL

• Remove the storage source file, then bucket:

  $ gsutil rm gs://${PROJECT}_trigger-gcp-cloudbuild/source.tgz
  $ gsutil rb gs://${PROJECT}_trigger-gcp-cloudbuild

• Remove the built images:

  $ gcloud container images list-tags gcr.io/${PROJECT}/built-by-gcp-cloudbuild --format='get(digest)' | while read -r d; do command gcloud container images delete gcr.io/${PROJECT}/built-by-gcp-cloudbuild@"$d" --force-delete-tags --quiet; done

Local test steps

• Remove any existing built images:

  $ gcloud container images delete gcr.io/${PROJECT}/built-by-gcp-cloudbuild --quiet
  $ docker rmi gcr.io/${PROJECT}/built-by-gcp-cloudbuild

• Trigger cloudbuild locally with Docker:

  $ docker run --rm -v trigger-gcb.json:/key.json --env PROJECT_ID=${PROJECT} --env GOOGLE_APPLICATION_CREDENTIALS=/key.json docker.io/r6by/trigger-gcp-cloudbuild

• Run the built test image:

  $ docker run --rm gcr.io/${PROJECT}/built-by-gcp-cloudbuild

  Should output:

  Built by GCP Cloudbuild

Local development steps

• Build vendor directory and packages:

  $ dep ensure -v

• In your local session, set the $GOOGLE_APPLICATION_CREDENTIALS variable that golang.org/x/oauth2/google FindDefaultCredentials() looks for, and the $PROJECT_ID variable with the name of your GCP project ID:

  $ export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/trigger-gcb.json
  $ export PROJECT_ID=${PROJECT}

• Run the main package:

  $ go run main.go