This repository contains code for the sample application and the cloud functions used during the demo of the Cloud Native CI/CD talk given by Vishal Parpia at the Google Cloud Summit Singapore ‘19.

The /app folder contains the sample NodeJs application along with the CloudBuild yaml, Docker files and Kubernetes yaml. The application has some unit tests and integration tests defined which are checked during the build process.

The /functions folder contains the code for the Cloud Functions to listen to Cloudbuild updates and Slack approval events.

The source for the application to be deployed is this GitHub repository. When a pull request is raised to the master branch it triggers CloudBuild to build and test code based on the PR. If it is successful then the user can merge the PR into the master branch.

Merging the PR triggers another CloudBuild to perform unit tests, build the Docker image, push the image to Google Container Repository, deploy it to Kubernetes pods for the staging environment and then perform integration tests.

Notifications at each stage are sent to a Slack channel.

The user can now decide if he wants to roll out the build to production, this can be done by clicking on YES or NO action buttons which will be showing in the Slack channel to approve the rollout. If the rollout is approved then another CloudBuild trigger is executed which deploys it to Kubernetes pods for the production environment.

• Generate an SSH key using ssh-keygen -t rsa -b 4096 -C “[email protected]”
• Add the public part of key generated above in Repository’s Deploy Keys (Settings -> Deploy Keys -> Add Key)
• Encrypt the private part of key using Google KMS

  • Create a keyring

    gcloud kms keyrings create {keyring_name} --location=global

  • Create key

    gcloud kms keys create {key_name} --location=global --keyring={keyring_name} --purpose=encryption

  • Whitelist cloudbuild service account to decrypt the above key. This can be done as:

    In GCP Console: IAM -> Cryptographic keys -> {keyring_name} -> {key_name} -> Show Info Panel -> Add Member -> Give Decrypter permission to cloudbuild service account

  • Encrypt your private key

    gcloud kms encrypt --plaintext-file={private_key_path} --ciphertext-file={enc_key_path} --location=global --keyring={keyring_name} --key={key_name}

  • Replace the encrypted key at path app/repo-key-encrypted with your key

  • Create production-candidate branch. Replace the encrypted key generated and production kubernetes.yaml file and push it to repo.

  • Create production branch and push it (can be empty). Production configs are stored here

    Note: production-candidate and production branches should ideally be in different repository as it holds production configuration. The key added to production-candidate branch is for the repo holding production config.

Create two clusters, one for staging environment and other for production. Not down cluster names and deployment zones

• Cloudbuild -> Triggers -> Connect Repository -> check GitHub App by Google -> Authenticate -> Select your repository -> Skip creating triggers for now Create Triggers

• Create Trigger for Push on master branch. With following details

  Type: Branch
  Regex: master
  
  Cloudbuild config path: app/cloudbuild-master.yml
  Substitution Vars:
    _APP_DIR: app
    _GITHUB_REPO_ENC_KEY_PATH: app/repo-key-encrypted/id_rsa_repo_key.enc
    _GITHUB_REPO_KEY: {key_name}
    _GITHUB_REPO_KMS_KEYRING: {keyring_name}
    _GITHUB_REPO_USERNAME: cldcvr
    _IMAGE_ID: gcp-cnci-example-app
    _PRODUCTION_CANDIDATE_BRANCH: production-candidate
    _PRODUCTION_KUBERENETES_TEMPLATE_FILE_NAME: kubernetes.yaml.tpl
    _PRODUCTION_KUBERNETES_CONFIG_FILE_NAME: kubernetes.yaml
    _STAGING_DEPLOY_CLUSTER: {STAGING_GKE_CLUSTER_NAME}
    _STAGING_DEPLOY_ZONE: {STAGING_GKE_CLUSTER_ZONE}
    _STAGING_KUBERENETES_TEMPLATE_FILE_NAME: staging-kubernetes.yaml.tpl
    _STAGING_KUBERNETES_CONFIG_FILE_NAME: staging-kubernetes.yaml
  

• Create Trigger for PR on master with details:

  Type: Pull Request
  Regex: master
  
  Cloudbuild config: app/cloudbuild-master-pr.yml
  Substitution Vars:
    _APP_DIR: app
  

• Create Trigger for push on production-candidate with details

  Type: Branch
  Regex: random_string. Note: Put random non existent branch. We will be firing this trigger manually. Note down the trigger name.
  
  Cloudbuild config: cloudbuild-delivery.yml
  Substitution vars:
    _GITHUB_REPO_ENC_KEY_PATH: repo-key-encrypted/id_rsa_repo_key.enc
    _GITHUB_REPO_KEY: {prod_config_repo_key_name}
    _GITHUB_REPO_KMS_KEYRING: {prod_config_repo_keyring_name}
    _GITHUB_REPO_USERNAME: cldcvr
    _PRODUCTION_BRANCH: production
    _PRODUCTION_DEPLOY_CLUSTER: {PRODUCTION_GKE_CLUSTER_NAME}
    _PRODUCTION_DEPLOY_ZONE: {PRODUCTION_GKE_CLUSTER_ZONE}
    _PRODUCTION_KUBERNETES_CONFIG_FILE_NAME: kubernetes.yaml
  

You can get the bot user token using OAuth2 or from your slack app dashboard (if you are using bot for your own workspace). For more information see: https://api.slack.com/docs/oauth#bots

• Replace trigger name in functions/repos.js with your production trigger name.

• Deploy Functions

  • Slack Approval Events Listener

  cd functions
  gcloud functions deploy gcpCiCdApprovalAction --runtime nodejs10 --trigger-http --set-env-vars SLACK_BOT_TOKEN='{BOT_TOKEN}' --set-env-vars GCLOUD_PROJECT='{PROJECT_ID}'  --service-account={CLOUDFUNCTION_SERVICE_ACCOUNT}
  

  • CloudBuild Event Listener

   cd functions
   gcloud functions deploy gcpCiCdSlackEvents --runtime nodejs10 --trigger-topic cloud-builds --set-env-vars SLACK_BOT_TOKEN='{BOT_TOKEN}' --set-env-vars GCLOUD_PROJECT='cloudcover-sandbox' --service-account={CLOUDFUNCTION_SERVICE_ACCOUNT}