
Problem description

I'm trying to encrypt env vars for the database in Cloud SQL in my RoR app deploying to Google App Engine, following this doc: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials

However, I have an error when running both gcloud builds submit and gcloud app deploy. Both error out with:

I then checked gcloud builds describe, which shows that the app failed to deploy; however, DATABASE_PASS shows working/queued. I have increased the Cloud Build component in the gcloud sdk to 1000 and tested timeout: in cloudbuild.yaml; neither option improved anything.

Before using Cloud Build my app was working, but I'm removing the need for credentials and using encrypted credentials for the CI/CD pipeline. Also, I would like to encrypt more than one env var in my app.yaml.

<cloudbuild.yaml>
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['app','deploy','app-beta.yaml']

- name: 'us.gcr.io/project_ID/image_name'
  #args: [ 'app', 'deploy', 'app-beta.yaml' ]
  # secretEnv exposes the decrypted value as an environment variable
  # inside this step only
  secretEnv: [ "DATABASE_PASS" ]


secrets:
- kmsKeyName: projects/Project_id/locations/global/keyRings/Misc/cryptoKeys/Random
  secretEnv:
    DATABASE_PASS: <base64 encoded encryption>

<app.yaml>
runtime: custom

env: flex

service: authentication

resources:
  cpu: 2
  memory_gb: 2.5
  disk_size_gb: 10

beta_settings:
  cloud_sql_instances: '/cloudsql/project_id:us-central1:sqlname'

network:
  name: default

skip_files:
  - .ruby-gemset
  - .env
  - .bundle
  - .byebug_history
  - .vscode/
  - .idea/
  - storage/
  - vendor/
  - log/
  - tmp/

#liveness_check:
#path: '/liveness-check'
#   initial_delay_sec: 300
#   check_interval_sec: 30
#   timeout_sec: 4
#   failure_threshold: 2
#   success_threshold: 2
#
# readiness_check:
#   path: '/readiness-check'
#   check_interval_sec: 5
#   timeout_sec: 4
#   failure_threshold: 2
#   success_threshold: 2
#   app_start_timeout_sec: 300

env_variables:
  SECRET_KEY_BASE: 'SECRET_KEY'
  RAILS_ENV: 'redacted'
  RACK_ENV: 'redacted'
  SERVICE_NAME: 'redacted'
  REDIS_HOST: '10.0.0.3'
  REDIS_PORT: 6379
  TOTP_SECRET: 'TOTP_SECRET'
  DATABASE_USER: 'postgres'
  DATABASE_PASS: 'DATABASE_PASS'
  DATABASE_NAME: 'postgres'
  DATABASE_HOST: '/cloudsql/project_id:us-central1:sqlname'
  RAILS_LOG_TO_STDOUT: enabled
  RAILS_SERVE_STATIC_FILES: enabled
  LANG: en_US.UTF-8

Recommended answer

I found the problem: one was that when I used the gcloud kms encryption, I wasn't encrypting anything, so I was passing in an empty value. I'll throw up my solution on a blog and hyperlink to it.
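The failure mode in the answer (an empty value pasted into secretEnv) is easy to catch before the build runs. The script below is an added example, not code from the question, the answer or Google's docs: it wraps gcloud kms encrypt so that empty plaintext is refused, validates the base64 value that goes into secretEnv, and renders the secrets block. PROJECT_ID, the key ring Misc and the key Random are placeholders taken from the post's key path.

```shell
#!/bin/sh
# Added example (not from the original post): guard the secretEnv value
# against the empty-ciphertext mistake described in the answer.
# PROJECT_ID / KEYRING / KEY are placeholders to fill in.

# Encrypt the plaintext read from stdin and print one line of base64.
# Refuses empty input. Needs gcloud and network; not exercised by the self-test.
encrypt_secret() {
  project="$1"; keyring="$2"; key="$3"
  plaintext=$(cat)
  if [ -z "$plaintext" ]; then
    echo "refusing to encrypt empty plaintext" >&2
    return 1
  fi
  # printf '%s' avoids the trailing newline that echo would add to the secret.
  printf '%s' "$plaintext" | gcloud kms encrypt --project="$project" \
    --location=global --keyring="$keyring" --key="$key" \
    --plaintext-file=- --ciphertext-file=- | base64 | tr -d '\n'
}

# Validate a value destined for secretEnv: non-empty, valid base64, and
# decoding to at least one byte. Returns 0 when it passes, 1 otherwise.
check_secret_b64() {
  value="$1"
  if [ -z "$value" ]; then
    echo "secretEnv value is empty: nothing was encrypted" >&2
    return 1
  fi
  if ! printf '%s' "$value" | base64 -d >/dev/null 2>&1; then
    echo "secretEnv value is not valid base64" >&2
    return 1
  fi
  n=$(printf '%s' "$value" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "secretEnv value decodes to zero bytes" >&2
    return 1
  fi
  return 0
}

# Print the cloudbuild.yaml secrets block, but only for a value that passes the check.
secrets_block() {
  project="$1"; keyring="$2"; key="$3"; name="$4"; value="$5"
  check_secret_b64 "$value" || return 1
  printf 'secrets:\n- kmsKeyName: projects/%s/locations/global/keyRings/%s/cryptoKeys/%s\n  secretEnv:\n    %s: %s\n' \
    "$project" "$keyring" "$key" "$name" "$value"
}

# Usage (needs gcloud):
#   b64=$(printf '%s' "$DB_PASSWORD" | encrypt_secret PROJECT_ID Misc Random)
#   secrets_block PROJECT_ID Misc Random DATABASE_PASS "$b64"
```

A silent gcloud failure inside the pipeline still yields an empty string, which is exactly what check_secret_b64 rejects, so run it on the value before pasting it into cloudbuild.yaml.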

08-07 03:50