-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathcloudbuild.yaml
183 lines (161 loc) · 8.93 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
# A note about Cloud Build variable substitution in this file: where you see a
# variable with a single `$`, those are built-in substitutions supported by
# Cloud Build and will be replaced with the value Cloud Build knows about
# _before_ the build takes place. Where you see variables with a double `$$`,
# that is the way to escape the `$` such that Cloud Build will ignore the
# variable and will render a single `$` before the build takes place, such that
# the variable is interpreted at run time by the build, bash in this case.
availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-alertmanager-slack-channel-url/versions/latest
env: AM_SLACK_CHANNEL_URL
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-grafana-client-secret-name/versions/latest
env: GF_AUTH_GOOGLE_CLIENT_SECRET
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-grafana-client-id-name/versions/latest
env: GF_AUTH_GOOGLE_CLIENT_ID
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-github-receiver-auth-token/versions/latest
env: GITHUB_RECEIVER_AUTH_TOKEN
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-gmx-github-webhook-secret/versions/latest
env: GMX_GITHUB_WEBHOOK_SECRET
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-linode-private-key-ipv6-monitoring/versions/latest
env: LINODE_PRIVATE_KEY_ipv6_monitoring
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-script-exporter-monitoring-signer-key/versions/latest
env: MONITORING_SIGNER_KEY
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-oauth-proxy-client-id/versions/latest
env: OAUTH_PROXY_CLIENT_ID
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-oauth-proxy-client-secret/versions/latest
env: OAUTH_PROXY_CLIENT_SECRET
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-oauth-proxy-cookie-secret/versions/latest
env: OAUTH_PROXY_COOKIE_SECRET
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-pagerduty-service-key/versions/latest
env: PAGERDUTY_SERVICE_KEY
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-platform-prom-auth-user/versions/latest
env: PLATFORM_PROMETHEUS_BASIC_AUTH_USER
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-platform-prom-auth-pass/versions/latest
env: PLATFORM_PROMETHEUS_BASIC_AUTH_PASS
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-prom-auth-user/versions/latest
env: PROMETHEUS_BASIC_AUTH_USER
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-prom-auth-pass/versions/latest
env: PROMETHEUS_BASIC_AUTH_PASS
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-rebootapi-basic-auth-user/versions/latest
env: REBOOTAPI_BASIC_AUTH
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-rebootapi-basic-auth-pass/versions/latest
env: REBOOTAPI_BASIC_AUTH_PASS
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-rebootapi-coreos-ssh-key/versions/latest
env: REBOOTAPI_COREOS_SSH_KEY
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-service-account-discuss/versions/latest
env: SERVICE_ACCOUNT_discuss
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-service-account-mlab-ns/versions/latest
env: SERVICE_ACCOUNT_mlab_ns
- versionName: projects/${PROJECT_NUMBER}/secrets/prometheus-support-build-switch-monitoring-ssh-key/versions/latest
env: SWITCH_MONITORING_SSH_KEY
steps:
# Prepare the environment.
- name: gcr.io/google.com/cloudsdktool/cloud-sdk
entrypoint: bash
env:
- 'GO_VERSION=1.20.2'
- 'PROM_VERSION=2.37.0'
secretEnv:
- AM_SLACK_CHANNEL_URL
- GF_AUTH_GOOGLE_CLIENT_SECRET
- GF_AUTH_GOOGLE_CLIENT_ID
- GITHUB_RECEIVER_AUTH_TOKEN
- GMX_GITHUB_WEBHOOK_SECRET
- LINODE_PRIVATE_KEY_ipv6_monitoring
- MONITORING_SIGNER_KEY
- OAUTH_PROXY_CLIENT_ID
- OAUTH_PROXY_CLIENT_SECRET
- OAUTH_PROXY_COOKIE_SECRET
- PAGERDUTY_SERVICE_KEY
- PLATFORM_PROMETHEUS_BASIC_AUTH_USER
- PLATFORM_PROMETHEUS_BASIC_AUTH_PASS
- PROMETHEUS_BASIC_AUTH_USER
- PROMETHEUS_BASIC_AUTH_PASS
- REBOOTAPI_BASIC_AUTH
- REBOOTAPI_BASIC_AUTH_PASS
- REBOOTAPI_COREOS_SSH_KEY
- SERVICE_ACCOUNT_discuss
- SERVICE_ACCOUNT_mlab_ns
- SWITCH_MONITORING_SSH_KEY
args:
- -c
- |-
set -euo pipefail
export PROJECT=$PROJECT_ID
export PROJECT_NUMBER=$PROJECT_NUMBER
# Cloud Build does not support variable substitution in any location execpt
# "steps" and "images". Here we take the secret values and assign them to
# variables that apply-global-prometheus.sh expects.
export AM_SLACK_CHANNEL_URL_$${PROJECT/-/_}=$$AM_SLACK_CHANNEL_URL
export GF_AUTH_GOOGLE_CLIENT_SECRET_$${PROJECT/-/_}=$$GF_AUTH_GOOGLE_CLIENT_SECRET
export GF_AUTH_GOOGLE_CLIENT_ID_$${PROJECT/-/_}=$$GF_AUTH_GOOGLE_CLIENT_ID
export OAUTH_PROXY_CLIENT_ID_$${PROJECT/-/_}=$$OAUTH_PROXY_CLIENT_ID
export OAUTH_PROXY_CLIENT_SECRET_$${PROJECT/-/_}=$$OAUTH_PROXY_CLIENT_SECRET
export OAUTH_PROXY_COOKIE_SECRET_$${PROJECT/-/_}=$$OAUTH_PROXY_COOKIE_SECRET
export PROMETHEUS_BASIC_AUTH_USER_$${PROJECT/-/_}=$$PROMETHEUS_BASIC_AUTH_USER
export PROMETHEUS_BASIC_AUTH_PASS_$${PROJECT/-/_}=$$PROMETHEUS_BASIC_AUTH_PASS
export REBOOTAPI_BASIC_AUTH_$${PROJECT/-/_}=$$REBOOTAPI_BASIC_AUTH
export REBOOTAPI_BASIC_AUTH_PASS_$${PROJECT/-/_}=$$REBOOTAPI_BASIC_AUTH_PASS
function get_cluster_zone() {
local cluster=$$1
gcloud container clusters list --filter "name=$${cluster}" \
--format="value(location)" \
--project $$PROJECT
}
# Install Go
curl --location --remote-name https://go.dev/dl/go$${GO_VERSION}.linux-amd64.tar.gz
tar -C /usr/local -xf go$${GO_VERSION}.linux-amd64.tar.gz
export PATH=$$PATH:/usr/local/go/bin
# Install promtool
curl --location --remote-name \
"https://github.com/prometheus/prometheus/releases/download/v$${PROM_VERSION}/prometheus-$${PROM_VERSION}.linux-amd64.tar.gz"
tar xf prometheus-$${PROM_VERSION}.linux-amd64.tar.gz prometheus-$${PROM_VERSION}.linux-amd64/promtool
mv prometheus-$${PROM_VERSION}.linux-amd64/promtool /usr/local/bin/
# Install kexpand
go install github.com/kopeio/kexpand@latest
export PATH=$$PATH:~/go/bin
# Install new GKE kubectl auth plugin
# https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
apt update && apt install -y google-cloud-cli-gke-gcloud-auth-plugin
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
# Install any other needed system packages
apt install -y apache2-utils jq jsonlint
# Version numbers for Helm.
K8S_HELM_VERSION="v3.3.0"
# Download Helm
curl -O https://get.helm.sh/helm-$${K8S_HELM_VERSION}-linux-amd64.tar.gz
tar -zxf helm-$${K8S_HELM_VERSION}-linux-amd64.tar.gz
# Add repos
./linux-amd64/helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
./linux-amd64/helm repo add jetstack https://charts.jetstack.io
# Update local repos
./linux-amd64/helm repo update
# Check all JSON files, mostly (likely only) provisioned Grafana dashboards
find . -type f -name '*.json' | xargs jsonlint-php -q
# TODO(soltesz): Separate configuration steps so we can use cbif conditions.
if [[ $$PROJECT = "mlab-sandbox" || $$PROJECT = "mlab-staging" || $$PROJECT = "mlab-oti" ]] ; then
# Check alert and recording rules
promtool check rules ./config/federation/prometheus/alerts.yml
promtool check rules ./config/federation/prometheus/rules.yml
export CLUSTER=prometheus-federation
# Get cluster credentials for the prometheus-federation cluster
gcloud container clusters get-credentials $$CLUSTER --project $$PROJECT --zone $$(get_cluster_zone $$CLUSTER)
# Apply various things in the prometheus-federation cluster
./apply-global-prometheus.sh
./apply-grafana-dashboards.sh
./deploy-prometheus-targets.sh $$PROJECT
# Get cluster credentials for the data-pipeline cluster
export CLUSTER=data-pipeline
gcloud container clusters get-credentials $$CLUSTER --project $$PROJECT --zone $$(get_cluster_zone $$CLUSTER)
./apply-cluster.sh
# Deploy the IPv6 monitoring BBE configs to the IPv6 Linode.
./deploy_bbe_config.sh $$PROJECT LINODE_PRIVATE_KEY_ipv6_monitoring
fi
# TODO(soltesz): Separate configuration steps so we can use cbif conditions.
if [[ $$PROJECT = "mlab-sandbox" || $$PROJECT = "mlab-staging" || $$PROJECT = "mlab-autojoin" ]] ; then
export CLUSTER=autojoin
# Get cluster credentials for the autojoin cluster
gcloud container clusters get-credentials $$CLUSTER --project $$PROJECT --zone $$(get_cluster_zone $$CLUSTER)
./apply-cluster.sh
fi