Service: Cloud Build¶
Overview¶
Cloud Build is a serverless CI/CD platform within Google Cloud Platform.
The table of attributes:
ID | Attribute | Type | Value |
---|---|---|---|
1 | Project | String | Data Team Project |
2 | Region | String | Data Team Region |
3 | Service | String | CloudBuild |
4 | Project number | Number | Get by command |
The goal is to have builds that provision services (Cloud Run, Cloud Storage, ...) triggered by Git events on a repository.
SAD - System Architecture Design¶
The logic flow of the Cloud Build service:
```mermaid
flowchart LR
    %% Components
    subgraph gh[GitHub]
        repository[Repository]
    end
    subgraph gcp[Google Cloud Platform]
        subgraph project[Project]
            direction TB
            subgraph cloudbuild[CloudBuild]
                direction TB
                trigger[Trigger] --> execution[Execution] --> pool[Private Pool] --> runtime[Runtime Build]
            end
            subgraph log[Log Storage]
                gcs[Cloud Storage]
                clogging[Cloud Logging]
            end
            runtime -- [2] yield, write log records --> log
            other[Google Platform services]
        end
    end
    %% Flow
    repository -- [1] trigger webhook event --> cloudbuild
    cloudbuild <-- [2] interactive --> other
    cloudbuild -- [3] send metadata, log --> repository
```
The flow goes through the following steps:
[1] A developer interacts with code in the GitHub repository (creates a PR, pushes a commit, ...), which sends a webhook payload to Cloud Build for handling.
See: GitHub events and payloads
[2] Cloud Build filters the payload against the trigger rules.
[2] The matching trigger executes a build and sends it to the private pool.
[2] The private pool queues the build and actually executes it.
[3] Meanwhile, the logs are written to the configured storage and metadata is sent back to GitHub.
The related components:
ID | Component | Description | Identifier |
---|---|---|---|
CB-01 | API | CloudBuild Endpoint | cloudbuild.googleapis.com |
CB-02 | Private Pool | Worker pools runtime in the related region | sg-cloudbuild-workers-pool |
CB-03 | Storage | Storage logs of runtime build | inno-internal-cloudbuild |
CB-04 | Cloud Logging | Store and streaming log records | Google Cloud Logging |
CB-05 | GitHub | GitHub repositories | Repositories in the GitHub organization Innotech-Vietnam |
The following diagram shows how builds are routed to the private pool.
Provision configuration¶
[1] Establish the core elements
Project: $DATATEAM_PROJECT_ID
Region: $DATATEAM_PROJECT_REGION
[2] Enable the required service API
[3] Configure the private pool with the following attributes
Property | Value |
---|---|
Type | Private Pool |
Name | sg-cloudbuild-workers-pool |
Project | PROJECT_ID |
Region | PROJECT_REGION |
Network | Default (Public egress is enabled) |
Worker Config | diskSizeGb: 100 , machineType: e2-standard-4 |
The configuration is provisioned from inno-infra. For more detail, see google-private-pool-overview.
[4] Configure storage for Cloud Build logs
Following [CloudBuild Log]1:
Property | Value |
---|---|
Type | Cloud Storage |
Project | PROJECT_ID |
Region | PROJECT_REGION |
Name | inno-internal-cloudbuild |
Availability | region |
Bucket Lock | False |
Policy | No retention policy |
Versioning | True |
Storage Class | STANDARD |
Admin | Cloud Build Service Account |
Access level | Uniform bucket-level access |
Force Destroy | True |
Soft Delete | True |
For the object lifecycle, follow this table:
ID | Condition | Action |
---|---|---|
1 | age = 30, with_state = "ANY", matches_storage_class = "STANDARD" | type = "SetStorageClass", storage_class = "NEARLINE" |
2 | age = 60, with_state = "ANY", matches_storage_class = "NEARLINE" | type = "SetStorageClass", storage_class = "COLDLINE" |
3 | age = 60, with_state = "ANY", matches_storage_class = "COLDLINE" | type = "SetStorageClass", storage_class = "ARCHIVE" |
4 | no_age = true, with_state = "ANY", num_newer_versions = 3 | type = "Delete" |
Retired condition:
ID | Condition | Action |
---|---|---|
1 | age = 30, with_state = "ANY", matches_storage_class = "ARCHIVE" | type = "Delete" |
For the permissions:
- Requested admin of the bucket
- Read privileges for the DE team and the service accounts interacting with Cloud Build logs
To check the per-object retention of a target bucket named STORAGE_BUCKET_NAME:
```shell
export STORAGE_BUCKET_NAME=   # fill in the bucket name
gcloud storage buckets describe gs://$STORAGE_BUCKET_NAME --format="default(per_object_retention)"
# null
```
[5] Configure the connection to GitHub, which holds several private repositories
The targeted repositories are those in the GitHub organization Innotech-Vietnam.
Table: Related repository linked with CloudBuild
Repository | Description | URL |
---|---|---|
inno-infra | Provision infrastructure | URL |
inno-basement | Layer fetch data from providers | URL |
inno-submarine | API interacting with the provider database | URL |
inno-submarine-python-client | Client for interacting with the Submarine API | URL |
inno-lake-prep | Transformation on lake | URL |
inno-docs | Internal documentation for developers | URL |
inno-terminal | inno-terminal | URL |
inno-transflow | Transformation in background | URL |
inno-processor | Processor related with basement | URL |
inno-pluto | Serves the public consumer endpoint - Pluto | URL |
inno-spectrum | Serves the public consumer endpoint - Spectrum | URL |
inno-streaming | Streaming service | URL |
The table was last updated on 2024-04-22. For current data, go to Console > CloudBuild > Repositories.
To handle the mapping, the following process takes place:
- In the admin repository, add the runner account innodatarunner@innotech.vn. For the password, go to Cloud Secret and read RUNNER_EMAIL_INNODATA_RUNNER::latest
- Share Admin privileges with the runner account
- Go to CloudBuild > Repositories to establish the connection between GitHub and CloudBuild
This will sync repositories between GitHub and Google Cloud.
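One way to provision steps [2] to [4] above (API, private pool, log bucket with the lifecycle table and the bucket permissions) in Terraform. This is an added example, not the inno-infra repository's own code. Assumptions: the variables `project_id` ($DATATEAM_PROJECT_ID) and `region` ($DATATEAM_PROJECT_REGION), the placeholder DE team group, the seven-day soft-delete duration (the table only says "True"), the mapping of "Admin" to `roles/storage.admin` scoped to the bucket, and a google provider of the 5.x series (needed for `soft_delete_policy`). Note that Terraform takes `matches_storage_class` as a list, and that rules 2 and 3 share `age = 60`, so an object moved to COLDLINE by rule 2 already qualifies for ARCHIVE at the next daily lifecycle evaluation.

```hcl
# Added example, not the inno-infra repository's own code: steps [2]-[4] in Terraform.
# Assumptions: var.project_id ($DATATEAM_PROJECT_ID), var.region ($DATATEAM_PROJECT_REGION),
# the DE team group below, the soft-delete duration, the exact bucket roles, google provider 5.x.

variable "project_id" { type = string }
variable "region" { type = string }

provider "google" {
  project = var.project_id
  region  = var.region
}

data "google_project" "this" {} # same number as the gcloud lookup in Troubleshooting [1]

locals {
  de_reader_group = "group:de-team@example.com" # placeholder, not a real group
  # Lifecycle rules 1-3 from the table (Terraform takes matches_storage_class as a list)
  class_transitions = [
    { age = 30, from = ["STANDARD"], to = "NEARLINE" },
    { age = 60, from = ["NEARLINE"], to = "COLDLINE" },
    { age = 60, from = ["COLDLINE"], to = "ARCHIVE" }, # same age as rule 2: fires one cycle later
  ]
}

# [2] Enable the Cloud Build API
resource "google_project_service" "cloudbuild" {
  service            = "cloudbuild.googleapis.com"
  disable_on_destroy = false
}

# [3] Private pool with the worker config from the table
resource "google_cloudbuild_worker_pool" "sg" {
  name     = "sg-cloudbuild-workers-pool"
  location = var.region
  worker_config {
    disk_size_gb   = 100
    machine_type   = "e2-standard-4"
    no_external_ip = false # default network, public egress enabled
  }
  depends_on = [google_project_service.cloudbuild]
}

# [4] Log bucket
resource "google_storage_bucket" "cloudbuild_logs" {
  name                        = "inno-internal-cloudbuild"
  location                    = var.region
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true
  force_destroy               = true

  versioning {
    enabled = true
  }

  soft_delete_policy {
    retention_duration_seconds = 604800 # 7 days; the table only says "True"
  }

  dynamic "lifecycle_rule" {
    for_each = local.class_transitions
    content {
      condition {
        age                   = lifecycle_rule.value.age
        with_state            = "ANY"
        matches_storage_class = lifecycle_rule.value.from
      }
      action {
        type          = "SetStorageClass"
        storage_class = lifecycle_rule.value.to
      }
    }
  }

  # Rule 4: delete a version once 3 newer versions of the same object exist
  lifecycle_rule {
    condition {
      no_age             = true
      with_state         = "ANY"
      num_newer_versions = 3
    }
    action {
      type = "Delete"
    }
  }
}

# Permissions: admin for the Cloud Build service account, read for the DE team
resource "google_storage_bucket_iam_member" "cloudbuild_admin" {
  bucket = google_storage_bucket.cloudbuild_logs.name
  role   = "roles/storage.admin"
  member = "serviceAccount:${data.google_project.this.number}@cloudbuild.gserviceaccount.com"
}

resource "google_storage_bucket_iam_member" "de_read" {
  bucket = google_storage_bucket.cloudbuild_logs.name
  role   = "roles/storage.objectViewer"
  member = local.de_reader_group
}
```

Because the bucket has `uniform_bucket_level_access = true`, the two `google_storage_bucket_iam_member` bindings are the only access path; object-level ACLs cannot be used to widen access later. Step [5] (the GitHub connection) is done in the console as described above and is not part of this example.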
Pricing¶
The following properties are defined:
Attribute | Type |
---|---|
Method | Pay as you go |
Targeted on | Minutes of build executions |
Has monthly free tier | Yes |
Source: Official CloudBuild product
Pricing details:
Feature | Pricing (USD) |
---|---|
First 2,500 build-minutes per month | Free |
Additional build-minutes | $0.006 per minute |
Build cost estimate (beyond the free tier):
Usage | Cost (USD) |
---|---|
Next 100 minutes | 100 * 0.006 = 0.6 |
Next 200 minutes | 200 * 0.006 = 1.2 |
Next 500 minutes | 500 * 0.006 = 3 |
Service account¶
There are two components:
- Default Cloud Build service account: $PROJECT_NUMBER@cloudbuild.gserviceaccount.com
SA name | Role | Target |
---|---|---|
Default CloudBuild SA | roles/monitoring.metricWriter | Full privileges on Cloud Build service logs |
Default CloudBuild SA | roles/logging.logWriter | Write log entries into Cloud Logging |
If your Cloud Storage bucket and Cloud Build are in the same Google Cloud project and you're using the Cloud Build service account, your Cloud Build service account has the necessary IAM permissions by default. You do not have to grant any additional permissions.
For more detail, see [CloudBuild Log]1 and [CloudBuild Service Account]2.
- Cloud Build service agent: service-$PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com
SA name | Role | Target |
---|---|---|
CloudBuild Service Agent | roles/cloudbuild.serviceAgent | Allows other Google Cloud services to access your resources |
Note: get the project number as described in Troubleshooting [1].
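The two role tables above expressed as Terraform bindings, with the project number taken from a data source instead of the gcloud lookup in Troubleshooting [1]. This is an added example, not the project's own code; it assumes the google provider is already configured with the Data Team project.

```hcl
# Added example, not the project's own code: the role bindings from the two tables above.
# Assumption: the google provider is already configured with the Data Team project.

data "google_project" "current" {}

locals {
  project_number = data.google_project.current.number
  default_sa     = "serviceAccount:${local.project_number}@cloudbuild.gserviceaccount.com"
  service_agent  = "serviceAccount:service-${local.project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
}

# Default Cloud Build service account: log and metric writing only. No extra bucket grant
# is needed while the log bucket lives in the same project (see the note above).
resource "google_project_iam_member" "cloudbuild_default_sa" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = data.google_project.current.project_id
  role     = each.key
  member   = local.default_sa
}

# Service agent. Google grants this role itself when the API is enabled; declaring it here
# only pins it, so an accidental removal shows up as drift in `terraform plan`.
resource "google_project_iam_member" "cloudbuild_service_agent" {
  project = data.google_project.current.project_id
  role    = "roles/cloudbuild.serviceAgent"
  member  = local.service_agent
}

# Same value as the gcloud command in Troubleshooting [1]
output "project_number" {
  value = local.project_number
}
```

`google_project_iam_member` is additive (one member, one role), so these resources do not disturb bindings managed elsewhere; `google_project_iam_binding` or `google_project_iam_policy` would be authoritative and could strip roles other tooling has granted.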
Troubleshooting¶
[1] Get the project number by gcloud command¶
Use the following command (the filter is pinned to projectId so only the active project matches):
```shell
gcloud projects list --filter="projectId=$(gcloud config get-value project)" --format="value(PROJECT_NUMBER)"
# 992228553443
```
[2] Send logs to both Cloud Storage (with streaming) and Cloud Logging¶
In the build configuration file:
(a) Set logStreamingOption to STREAM_ON
(b) Do not set the logging key
```yaml
---
options:
  # logging: null  # Use this option only to restrict logs to Cloud Logging or Cloud Storage; leave it unset to send logs to both.
  logStreamingOption: STREAM_ON
```
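The same two settings applied to a trigger whose build is defined inline in Terraform, together with the log bucket from step [4] and the private pool from step [3]. This is an added example, not the project's own cloudbuild.yaml or Terraform. Assumptions: the variables `project_id`, `region` and `repository_id` (the 2nd-gen repository resource created when GitHub was connected under CloudBuild > Repositories, in the form projects/PROJECT/locations/REGION/connections/CONN/repositories/REPO), the trigger name, the branch pattern and the placeholder build step.

```hcl
# Added example, not the project's own code: trigger with the logging options from [2].
# Assumptions: var.project_id, var.region, var.repository_id, trigger name, branch and step.

variable "project_id" { type = string }
variable "region" { type = string }
variable "repository_id" { type = string } # projects/.../connections/.../repositories/... (assumed)

resource "google_cloudbuild_trigger" "main_push" {
  name     = "inno-infra-main-push" # assumed name
  location = var.region

  repository_event_config {
    repository = var.repository_id
    push {
      branch = "^main$"
    }
  }

  build {
    step {
      name = "ubuntu"
      args = ["echo", "placeholder build step"] # stands in for the real provisioning steps
    }

    # Step [4]: build logs go to the dedicated bucket
    logs_bucket = "gs://inno-internal-cloudbuild"

    options {
      # (a) stream log records to the bucket while the build is running
      log_streaming_option = "STREAM_ON"
      # (b) `logging` is deliberately left unset: the default writes to both Cloud Storage
      #     and Cloud Logging; GCS_ONLY or CLOUD_LOGGING_ONLY would drop one destination.
      # Step [3]: run on the private pool instead of the default pool
      worker_pool = "projects/${var.project_id}/locations/${var.region}/workerPools/sg-cloudbuild-workers-pool"
    }
  }
}
```

With `logs_bucket` set, the Cloud Build service account must hold the bucket permission from step [4]; if the bucket is in another project, the default grant described under Service account does not apply and the binding has to be added explicitly.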