GCP KMS encrypt env var and passing encrypted key through cloudbuild.yaml to Google App Engine
I'm trying to encrypt env vars for the database in Cloud SQL in my RoR app deploying to Google App Engine, following this doc: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials

However, I have an error when running both gcloud builds submit and gcloud app deploy. Both error out with:

Failure status: UNKNOWN: Error Response: [4] DEADLINE_EXCEEDED / build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1.

I then checked gcloud builds describe, which shows that the app failed to deploy; however, DATABASE_PASS shows working/queued. I have increased the Cloud Build component in the gcloud SDK to 1000 and tested timeout: in cloudbuild.yaml; neither option improved anything.

Before using Cloud Build my app was working, but I'm removing the need for credentials and using encrypted credentials for the CI/CD pipeline. Also, I would like to encrypt more than one env var in my app.yaml.
<cloudbuild.yaml>
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['app', 'deploy', 'app-beta.yaml']
  - name: 'us.gcr.io/project_ID/image_name'
    #args: ['app', 'deploy', 'app-beta.yaml']
    secretEnv: ["DATABASE_PASS"]
secrets:
  - kmsKeyName: projects/Project_id/locations/global/keyRings/Misc/cryptoKeys/Random
    secretEnv:
      DATABASE_PASS: <base64 encoded encryption>
<app.yaml>
runtime: custom
env: flex
service: authentication
resources:
  cpu: 2
  memory_gb: 2.5
  disk_size_gb: 10
beta_settings:
  cloud_sql_instances: '/cloudsql/project_id:us-central1:sqlname'
network:
  name: default
skip_files:
  - .ruby-gemset
  - .env
  - .bundle
  - .byebug_history
  - .vscode/
  - .idea/
  - storage/
  - vendor/
  - log/
  - tmp/
#liveness_check:
#  path: '/liveness-check'
#  initial_delay_sec: 300
#  check_interval_sec: 30
#  timeout_sec: 4
#  failure_threshold: 2
#  success_threshold: 2
#
#readiness_check:
#  path: '/readiness-check'
#  check_interval_sec: 5
#  timeout_sec: 4
#  failure_threshold: 2
#  success_threshold: 2
#  app_start_timeout_sec: 300
env_variables:
  SECRET_KEY_BASE: 'SECRET_KEY'
  RAILS_ENV: 'redacted'
  RACK_ENV: 'redacted'
  SERVICE_NAME: 'redacted'
  REDIS_HOST: '10.0.0.3'
  REDIS_PORT: 6379
  TOTP_SECRET: 'TOTP_SECRET'
  DATABASE_USER: 'postgres'
  DATABASE_PASS: 'DATABASE_PASS'
  DATABASE_NAME: 'postgres'
  DATABASE_HOST: '/cloudsql/project_id:us-central1:sqlname'
  RAILS_LOG_TO_STDOUT: enabled
  RAILS_SERVE_STATIC_FILES: enabled
  LANG: en_US.UTF-8
I found the problem. One issue was that when I used gcloud kms encryption, I wasn't encrypting anything, so I was passing in an empty value. I'll put my solution up on a blog and hyperlink to it.
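As an added example (not the poster's code, and not from the linked Google doc), here is a small POSIX shell helper of the kind that would have caught the failure the answer describes: the KMS encrypt step is wrapped in a function that reads the plaintext from stdin and emits the base64 ciphertext in the form cloudbuild.yaml expects, and a check refuses to render a secrets stanza when any ciphertext is empty or not valid base64, so an empty DATABASE_PASS can never be committed. The key name, project and the sample ciphertext are assumptions; the `gcloud kms encrypt` call is the standard one, but the script is exercised here against a constructed stand-in value so it runs offline. It also renders several secretEnv entries under one key, which covers the second question about encrypting more than one env var.

```shell
#!/bin/sh
# Added example: guard the KMS-encrypt step so an empty or malformed secret
# is never written into cloudbuild.yaml. Project, key ring and key are
# placeholders (assumptions), not the poster's real resources.
set -eu

KMS_KEY="${KMS_KEY:-projects/my-project/locations/global/keyRings/Misc/cryptoKeys/Random}"

# Encrypt a secret with Cloud KMS and print it base64-encoded on one line,
# which is the form cloudbuild.yaml expects under secrets[].secretEnv.
# The plaintext is read from stdin so it never shows up in `ps` or history.
# Requires gcloud and cloudkms.cryptoKeyVersions.useToEncrypt on the key.
kms_encrypt_b64() {
  gcloud kms encrypt \
    --key="$KMS_KEY" \
    --plaintext-file=- \
    --ciphertext-file=- | base64 | tr -d '\n'
}

# Reject the failure mode from the answer: an empty value, or something that
# is not base64 (e.g. a stray newline or an error message captured by $()).
# Returns 0 if the value looks like real base64 ciphertext, 1 otherwise.
check_ciphertext() {
  ct="$1"
  [ -n "$ct" ] || { echo "error: empty ciphertext" >&2; return 1; }
  case "$ct" in
    *[!A-Za-z0-9+/=]*) echo "error: ciphertext is not base64" >&2; return 1 ;;
  esac
  printf '%s' "$ct" | base64 -d >/dev/null 2>&1 \
    || { echo "error: ciphertext is not valid base64" >&2; return 1; }
  return 0
}

# Render the `secrets:` stanza for cloudbuild.yaml from NAME=CIPHERTEXT pairs.
# All values are validated before anything is printed, so a bad value yields
# no partial output and a non-zero exit.
render_secrets_stanza() {
  for pair in "$@"; do
    check_ciphertext "${pair#*=}" || return 1
  done
  printf 'secrets:\n- kmsKeyName: %s\n  secretEnv:\n' "$KMS_KEY"
  for pair in "$@"; do
    printf '    %s: %s\n' "${pair%%=*}" "${pair#*=}"
  done
}

# Constructed stand-in for `gcloud kms encrypt` output so the script can be
# run offline; it is NOT real KMS ciphertext.
SAMPLE_CT=$(printf 'constructed stand-in, not real KMS output' | base64 | tr -d '\n')

# Usage with real KMS (needs gcloud credentials):
#   pass_ct=$(printf '%s' "$DB_PASSWORD" | kms_encrypt_b64)
#   totp_ct=$(printf '%s' "$TOTP_SECRET" | kms_encrypt_b64)
#   render_secrets_stanza "DATABASE_PASS=$pass_ct" "TOTP_SECRET=$totp_ct"
```

Two practical notes on wiring the output into the build above. Cloud Build only exposes a decrypted secret as an environment variable to the steps that list it in their own `secretEnv`, so the step that actually writes the value into app.yaml, or runs `gcloud app deploy`, must be the step carrying `secretEnv: ["DATABASE_PASS"]`; the first step in the posted cloudbuild.yaml deploys without it. And the literal `'DATABASE_PASS'` under `env_variables` in app.yaml is just a placeholder string, so that step still has to substitute the decrypted `$DATABASE_PASS` into the file (or otherwise hand it to the app) before deploying.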
Notice: technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please credit this site or the original source. For any questions contact: yoyou2525@163.com.