[launcher] Clean up cloudbuild config (#539)

Signed-off-by: Jiankun Lu <[email protected]>
google · Feb 4, 2025 · 7fe225f · 7fe225f
1 parent 3e57268
commit 7fe225f
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 11 deletions.
diff --git a/launcher/cloudbuild.yaml b/launcher/cloudbuild.yaml
@@ -1,6 +1,7 @@
 substitutions:
-  '_BASE_IMAGE': '' # an empty base image means the build will use the latest image in '_BASE_IMAGE_FAMILY'
-  '_BASE_IMAGE_FAMILY': 'cos-113-lts' # base image family
+  '_BASE_IMAGE': '' # If left empty, will use the latest image in _BASE_IMAGE_FAMILY of _BASE_IMAGE_PROJECT
+  '_BASE_IMAGE_FAMILY': 'cos-113-lts'
+  '_BASE_IMAGE_PROJECT': 'cos-cloud'
   '_OUTPUT_IMAGE_PREFIX': 'confidential-space'
   '_OUTPUT_IMAGE_SUFFIX': ''
   '_OUTPUT_IMAGE_FAMILY': ''
@@ -13,17 +14,19 @@ steps:
   env:
   - 'BASE_IMAGE=$_BASE_IMAGE'
   - 'BASE_IMAGE_FAMILY=$_BASE_IMAGE_FAMILY'
+  - 'BASE_IMAGE_PROJECT=$_BASE_IMAGE_PROJECT'
   script: |
     #!/usr/bin/env bash
 
-    # if BASE_IMAGE is not specified in the substitutions, use the latest COS dev image
+    # if BASE_IMAGE is not specified in the substitutions, use the latest image of the image family
     base_image=${BASE_IMAGE}
     if [ -z ${base_image} ]
     then
-      echo "getting the latest COS image"
-      base_image=$(gcloud compute images describe-from-family ${BASE_IMAGE_FAMILY} --project cos-cloud | grep name | cut -d ' ' -f 2)
+      echo "getting the latest image from project:" ${BASE_IMAGE_PROJECT} "family: "${BASE_IMAGE_FAMILY}
+      base_image=$(gcloud compute images describe-from-family ${BASE_IMAGE_FAMILY} --project ${BASE_IMAGE_PROJECT} | grep name | cut -d ' ' -f 2)
     fi
 
+    echo "base image:" ${base_image} "project:" ${BASE_IMAGE_PROJECT} 
     echo ${base_image} > /workspace/base_image.txt
 
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -35,14 +38,23 @@ steps:
   - 'OUTPUT_IMAGE_FAMILY=$_OUTPUT_IMAGE_FAMILY'
   - 'BUCKET_NAME=$_BUCKET_NAME'
   - 'SHORT_SHA=${SHORT_SHA}'
+  - 'BASE_IMAGE_PROJECT=$_BASE_IMAGE_PROJECT'
   script: |
     #!/usr/bin/env bash
     set -exuo pipefail
 
     base_image=$(cat /workspace/base_image.txt)
     echo "building the debug image: ${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX} with the base image: ${base_image}"
-    gcloud builds submit --config=launcher/image/cloudbuild.yaml --region us-west1 \
-      --substitutions _SHORT_SHA=${SHORT_SHA},_BASE_IMAGE=${base_image},_OUTPUT_IMAGE_FAMILY=${OUTPUT_IMAGE_FAMILY}-debug,_OUTPUT_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX},_IMAGE_ENV=debug,_CS_LICENSE=projects/confidential-space-images/global/licenses/confidential-space-debug,_BUCKET_NAME=${BUCKET_NAME}
+    gcloud builds submit --config=launcher/image/cloudbuild.yaml \
+    --region us-west1 \
+    --substitutions _SHORT_SHA=${SHORT_SHA},\
+    _BASE_IMAGE=${base_image},\
+    _BASE_IMAGE_PROJECT=${BASE_IMAGE_PROJECT},\
+    _OUTPUT_IMAGE_FAMILY=${OUTPUT_IMAGE_FAMILY}-debug,\
+    _OUTPUT_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX},\
+    _IMAGE_ENV=debug,\
+    _CS_LICENSE=projects/confidential-space-images/global/licenses/confidential-space-debug,\
+    _BUCKET_NAME=${BUCKET_NAME}
     exit
 
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -54,14 +66,23 @@ steps:
   - 'OUTPUT_IMAGE_FAMILY=$_OUTPUT_IMAGE_FAMILY'
   - 'BUCKET_NAME=$_BUCKET_NAME'
   - 'SHORT_SHA=${SHORT_SHA}'
+  - 'BASE_IMAGE_PROJECT=$_BASE_IMAGE_PROJECT'
   script: |
     #!/usr/bin/env bash
     set -exuo pipefail
 
     base_image=$(cat /workspace/base_image.txt)
     echo "building the hardened image: ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX} with the base image: ${base_image}"
-    gcloud builds submit --config=launcher/image/cloudbuild.yaml --region us-west1 \
-      --substitutions _SHORT_SHA=${SHORT_SHA},_BASE_IMAGE=${base_image},_OUTPUT_IMAGE_FAMILY=${OUTPUT_IMAGE_FAMILY},_OUTPUT_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_ENV=hardened,_CS_LICENSE=projects/confidential-space-images/global/licenses/confidential-space,_BUCKET_NAME=${BUCKET_NAME}
+    gcloud builds submit --config=launcher/image/cloudbuild.yaml \
+    --region us-west1 \
+    --substitutions _SHORT_SHA=${SHORT_SHA},\
+    _BASE_IMAGE=${base_image},\
+    _BASE_IMAGE_PROJECT=${BASE_IMAGE_PROJECT},\
+    _OUTPUT_IMAGE_FAMILY=${OUTPUT_IMAGE_FAMILY},\
+    _OUTPUT_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},\
+    _IMAGE_ENV=hardened,\
+    _CS_LICENSE=projects/confidential-space-images/global/licenses/confidential-space,\
+    _BUCKET_NAME=${BUCKET_NAME}
     exit
 
 - name: 'gcr.io/cloud-builders/gcloud'

diff --git a/launcher/image/cloudbuild.yaml b/launcher/image/cloudbuild.yaml
@@ -2,9 +2,9 @@ substitutions:
   '_BASE_IMAGE': ''
   '_OUTPUT_IMAGE_NAME': ''
   '_OUTPUT_IMAGE_FAMILY': ''
-  '_BASE_IMAGE_PROJECT': 'cos-cloud'
+  '_BASE_IMAGE_PROJECT': ''
   '_IMAGE_ENV': ''
-  '_BUCKET_NAME': '${PROJECT_ID}_cloudbuild'
+  '_BUCKET_NAME': ''
   '_CS_LICENSE': ''
   '_SHORT_SHA': ''