cloudbuild.yaml
# Cloud Build pipeline for the photo_album image: decrypt two KMS-encrypted
# files into ./config, build the image with the DB password supplied as a
# build argument, then push the image under the 'latest' tag.
steps:
  # Decrypt the Rails master key with Cloud KMS.
  # NOTE(review): the plaintext lands in ./config inside the build workspace,
  # which is also the docker build context ('.') used below. Whether it ends
  # up in an image layer depends on the Dockerfile and .dockerignore, which
  # are not visible here -- confirm.
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - 'kms'
      - 'decrypt'
      - '--ciphertext-file=./config/master.key.enc'
      - '--plaintext-file=./config/master.key'
      - '--location=us-central1'
      - '--keyring=photo-album'
      - '--key=rails_master_key'

  # Decrypt the Photo Album service account credentials with Cloud KMS.
  # NOTE(review): same workspace / build-context caveat as the master key.
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - 'kms'
      - 'decrypt'
      - '--ciphertext-file=./config/photo_album_runner.key.enc'
      - '--plaintext-file=./config/photo_album_runner.key'
      - '--location=us-central1'
      - '--keyring=photo-album'
      - '--key=photo_album_runner_key'

  # Build the image, tagged 'latest'. '--build-arg DB_PWD' carries no value,
  # so docker takes it from the step environment, where Cloud Build exposes
  # the decrypted secret named in secretEnv.
  # NOTE(review): build-arg values can be recovered from the image history by
  # anyone able to pull the image. A BuildKit secret mount
  # (docker build --secret with RUN --mount=type=secret) avoids that, but it
  # needs a matching Dockerfile change.
  - name: 'gcr.io/cloud-builders/docker'
    args:
      - 'build'
      - '--tag'
      - 'gcr.io/$PROJECT_ID/photo_album:latest'
      - '--build-arg'
      - 'DB_PWD'
      - '.'
    secretEnv:
      - 'DB_PWD'

  # Push the new image to Google Container Registry (gcr.io).
  # NOTE(review): only the mutable 'latest' tag is pushed, so a running image
  # cannot be traced back to the build that produced it; consider an extra
  # immutable tag such as $SHORT_SHA or $BUILD_ID.
  - name: 'gcr.io/cloud-builders/docker'
    args:
      - 'push'
      - 'gcr.io/$PROJECT_ID/photo_album:latest'

# KMS-encrypted values that Cloud Build decrypts for steps listing them in
# secretEnv. The DB_PWD value below is a placeholder for the base64-encoded
# ciphertext. 'project_id' in kmsKeyName also looks like a placeholder,
# unlike the $PROJECT_ID substitution used in the image name -- replace it
# with the real project ID.
# NOTE(review): this inline-KMS 'secrets' form keeps ciphertext in the repo;
# Cloud Build also supports 'availableSecrets' backed by Secret Manager.
secrets:
  - kmsKeyName: projects/project_id/locations/us-central1/keyRings/photo-album/cryptoKeys/db_pwd_key
    secretEnv:
      DB_PWD: 'your_encrypted_production_database_password_here'