Hi there! At my current job we had a problem with our CI/CD, and we started to look for alternatives. We checked out various platforms like CircleCI, Bitrise, and others. Still, the process of asking upper-level management to add one of them as a provider was slow and tedious, so, since we already had GCP as a provider, we decided to try GCP Cloudbuild.

Cloudbuild is an infrastructure that lets you run builds for your projects. The price was reasonable, so we decided to start investing time in it to move our Android CI/CD entirely to cloudbuild.

First, we started looking for previous experience on the internet and found two excellent articles about it, which are linked below. Nevertheless, those articles required a certain knowledge of Docker, CloudBuild, and other technologies that I didn’t have.

So I started learning about it to understand these articles better. What I wanted to achieve first was to read an encrypted environment variable. With this goal in mind, I started my quest.

Note: Articles on which this post is based.

https://ryanharter.com/blog/cloud-build/
https://medium.com/dailymotion/run-your-android-ci-in-google-cloud-build-2487c8b70ccf

First, let’s enable GCP KMS

The first thing we need to do is go to the GCP console, create our new project, and enable KMS. For that, go to Security → Cryptographic Keys.

Note: KMS stands for Key Management Service.

Creating a Keyring and a CryptoKey

A Keyring can hold various CryptoKeys. To create a Keyring, you need to use the following command:

gcloud kms keyrings create yourkeyringname --location=global

“yourkeyringname” is the name of your Keyring; replace it with whatever name suits you. The flag --location=global means that this Keyring is available in all regions of your project.

Now that we have created a Keyring, let’s create our new CryptoKey. For that we use the following command:

gcloud kms keys create KEYNAME --location=global --keyring=yourkeyringname --purpose=encryption

“KEYNAME” is the name of the key you want to create, and the --keyring flag indicates which Keyring it will belong to; since we’re using “yourkeyringname” as the example, it will belong to that one.

Encrypting the variable

To encrypt our variable, we must store it in a plain text file and then create a ciphertext file from it. For that, we use gcloud kms encrypt with the Keyring and CryptoKey we just created.

What this does is encrypt your my_variable.txt file into my_variable_encrypted.txt using your Keyring and your CryptoKey. After that, you need to base64-encode the encrypted variable, which can be done with the following command:

If you’re using macOS you can use:

base64 -i my_variable_encrypted.txt -o my_variable_encrypted_64.txt

In Linux, the command is:

base64 my_variable_encrypted.txt -w 0 > my_variable_encrypted_64.txt
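The whole procedure from creating the Keyring to the one-line base64, plus the decrypt permission the build will later need, as one shell script. This is an added example written for this post, not the author’s script. It assumes the names used above (yourkeyringname, KEYNAME, my_variable.txt), a placeholder project number for the Cloud Build service account, and that gcloud is installed and authenticated; the gcloud kms commands and the roles/cloudkms.cryptoKeyDecrypter role are real, the project number is yours to fill in.

```shell
#!/bin/sh
# Added example for this post (not the original author's script).
# Encrypts a secret with Cloud KMS and produces the single-line base64
# that cloudbuild.yaml expects under secretEnv.
set -eu

LOCATION="${LOCATION:-global}"
KEYRING="${KEYRING:-yourkeyringname}"   # names from the text above
KEY="${KEY:-KEYNAME}"

# Full KMS resource name, the form used for kmsKeyName in cloudbuild.yaml.
kms_key_path() {
    # $1 = project id, $2 = location, $3 = keyring, $4 = key
    printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Portable one-line base64: GNU base64 wraps at 76 columns by default (hence
# -w 0 in the Linux command above) and a wrapped value breaks the YAML, so every
# newline is stripped; macOS base64 does not wrap, so the result is the same.
b64_one_line() {
    base64 < "$1" | tr -d '\n'
}

# Step 1: create the Keyring and the CryptoKey (rerunning fails if they exist).
create_key() {
    gcloud kms keyrings create "$KEYRING" --location="$LOCATION"
    gcloud kms keys create "$KEY" --location="$LOCATION" --keyring="$KEYRING" --purpose=encryption
}

# Step 2: encrypt the plaintext file, then print the one-line base64 of the ciphertext.
encrypt_secret() {
    # $1 = plaintext file, $2 = ciphertext file to write
    gcloud kms encrypt --location="$LOCATION" --keyring="$KEYRING" --key="$KEY" \
        --plaintext-file="$1" --ciphertext-file="$2"
    b64_one_line "$2"
}

# Step 3: least privilege for the build: the Cloud Build service account gets
# only the decrypter role, and only on this one key.
grant_build_decrypt() {
    # $1 = project number (assumption: the default Cloud Build service account
    #      is <project-number>@cloudbuild.gserviceaccount.com; use your own)
    gcloud kms keys add-iam-policy-binding "$KEY" --location="$LOCATION" --keyring="$KEYRING" \
        --member="serviceAccount:$1@cloudbuild.gserviceaccount.com" \
        --role="roles/cloudkms.cryptoKeyDecrypter"
}

# Usage: ./encrypt_secret.sh my_variable.txt
# (runs steps 1 and 2; call grant_build_decrypt <project-number> separately)
if [ "$#" -gt 0 ]; then
    create_key
    encrypt_secret "$1" "${1%.txt}_encrypted.txt"
fi
```

Run it as ./encrypt_secret.sh my_variable.txt to get the value for cloudbuild.yaml; the output is what goes under secretEnv, and it is the newline stripping that makes it safe to paste on one line.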

The result of this process is going to be something like this:

CiQAwm7NmAeFT16bj0ES9sViYp/mBFOLMeRoj0ZzRKJJPwNbfLYSLgCk2ZAQBaAMauNIs9y9smM+g24Z5Ic+BHXG0dBYl3I/OepggpLiRlB7AuVpJaY=

Note: This is an example. Your base64 is not going to be the same.

Now let’s store this base64 until we finish the next step.

Creating our AndroidBuilder

In this step, we’re going to create our new Docker image and pass our secret to it as a build argument. If you have never created a Dockerfile before, you probably want to learn about it before continuing with this topic.

# we use a gcr.io image and not openjdk:8-jdk-slim because it loads faster in the Google Cloud Build environment
FROM gcr.io/cloud-builders/javac

# Install Dependencies
RUN apt-get update \
    && apt-get install -y wget zip unzip \
    && mkdir -p /opt/android-sdk-linux

ARG SECRET
ENV ANDROID_HOME /opt/android-sdk-linux

# Install the wrapper script
COPY gradle-build /bin/

# Download Android SDK tools
RUN wget -q "https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip" -O sdk-tools.zip \
    && unzip -q -d $ANDROID_HOME sdk-tools.zip \
    && rm sdk-tools.zip

ENV PATH $PATH:$ANDROID_HOME/tools/bin

# Install Android SDK components
RUN mkdir ~/.android && echo '### User Sources for Android SDK Manager' > ~/.android/repositories.cfg
RUN echo y | sdkmanager --install 'platforms;android-29' "build-tools;29.0.3" "platform-tools"

What we do in this Dockerfile is:

  • Obtain the javac builder from GCR (Google Container Registry).
  • Update the system.
  • Download the dependencies.
  • Set our “build arg” with the name SECRET.
  • Set ANDROID_HOME as an environment variable.
  • Copy our gradle-build script (this is a little script that helps us store the gradle cache so that subsequent builds can be faster).
  • Download the Android SDK tools, add the tools directory to the PATH environment variable, and finally install the Android SDK components.

This is the gradle-build script that is mentioned in the Dockerfile.

#!/bin/sh
# This is a wrapper script that sets up the gradle cache and zips it after execution so that it can
# be easily transferred to cloud storage with gsutil
unzip -o -q cache.zip # this command might fail the first time if cache.zip does not exist. That's okay
./gradlew "$@"
status=$?
zip -qr cache.zip .gradle
echo "Exit status is: $status"
exit $status

Note: This Dockerfile and gradle-build script are based on this article, which helped me a lot. I only added a few instructions: the latest android platform, build-tools, platform-tools, and the ARG SECRET line.

If you’re a more advanced user of Docker and GCP, you can use the community cloud builder, which can be found here. I wanted a simpler proof of concept, so the previous one was the one that fit best for me.

As the last part of this step, we’re going to create a cloudbuild.yaml that builds our container and uploads it to the Google Container Registry. In this cloudbuild.yaml we execute a command that builds the container in which we will later run our Android project. It is also where we pass our secret, using the base64 we generated before. Here’s how it looks.

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker build --build-arg=SECRET=$$SECRET -t gcr.io/$PROJECT_ID/android-builder:29 .']
  secretEnv: ['SECRET']
images:
- 'gcr.io/$PROJECT_ID/android-builder:29'
secrets:
- kmsKeyName: projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/yourcryptokey
  secretEnv:
    SECRET: YOURBASE64

In this file, we build a Docker container and pass our secret as a build arg. Note the double dollar sign: it escapes the Cloud Build substitutions (such as $PROJECT_ID), so Cloud Build passes the literal $SECRET through to bash, which expands it from the variable that secretEnv populated. At the end of the cloudbuild.yaml we declare the secret we’re going to use. Remember to replace “yourprojectname,” “yourkeyring,” “yourcryptokey” and the base64 in this file.
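Three checks for the mistakes this paragraph warns about, as an added example (mine, not from the original post): a $SECRET that isn’t escaped as $$SECRET in a step’s args, a secretEnv value that isn’t single-line base64, and a kmsKeyName that isn’t the full resource name. It works with grep and awk on the exact layout shown above rather than parsing YAML, and runs against two constructed sample configs embedded in the script (the base64 is the example value from earlier in the post, not a real ciphertext); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a cloudbuild.yaml for the
# secret-handling mistakes described in the text. Works line by line with
# grep/awk on the layout shown above; it is not a YAML parser.
set -eu

# 0 if every reference to the secret in an args line is written $$NAME, so
# Cloud Build passes a literal $NAME to bash instead of treating it as one of
# its own substitutions (like $PROJECT_ID).
check_secret_escaping() {
    # $1 = cloudbuild.yaml, $2 = secret name
    pat="(^|[^\$])[\$]$2([^A-Za-z0-9_]|\$)"
    ! grep -E '^[[:space:]]*args:' "$1" | grep -E "$pat" >/dev/null
}

# 0 if "NAME: <value>" under secretEnv holds exactly one token of base64
# characters and the next line is not a bare base64 continuation (what you get
# when Linux base64 wrapped the value at 76 columns and it was pasted as-is).
check_secret_value() {
    # $1 = cloudbuild.yaml, $2 = secret name
    awk -v name="$2" '
        found && /^[[:space:]]*[A-Za-z0-9+\/]+=*[[:space:]]*$/ { wrapped = 1 }
        found { found = 0 }
        $1 == (name ":") { found = 1; value = $2; nf = NF }
        END {
            if (nf != 2) exit 1                            # missing or multi-token value
            if (value !~ /^[A-Za-z0-9+\/]+=*$/) exit 1      # not base64 characters
            if (wrapped) exit 1                            # wrapped onto a second line
            exit 0
        }' "$1"
}

# 0 if every kmsKeyName is a full CryptoKey resource name; a bare key name or
# a missing cryptoKeys segment is rejected.
check_kms_key_name() {
    # $1 = cloudbuild.yaml
    total=$(grep -c 'kmsKeyName:' "$1" || true)
    bad=$(grep 'kmsKeyName:' "$1" | grep -vcE \
        'kmsKeyName:[[:space:]]*projects/[^/[:space:]]+/locations/[^/[:space:]]+/keyRings/[^/[:space:]]+/cryptoKeys/[^/[:space:]]+[[:space:]]*$' || true)
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Run all three checks; prints each failure and returns 1 if any failed.
lint_cloudbuild() {
    # $1 = cloudbuild.yaml, $2 = secret name
    rc=0
    check_secret_escaping "$1" "$2" || { echo "$1: \$$2 in args is not escaped as \$\$$2"; rc=1; }
    check_secret_value "$1" "$2"    || { echo "$1: secretEnv value for $2 is missing, wrapped or not base64"; rc=1; }
    check_kms_key_name "$1"         || { echo "$1: kmsKeyName is not a full projects/.../cryptoKeys/... name"; rc=1; }
    return $rc
}

# Constructed sample in the shape of the cloudbuild.yaml above; the base64 is
# the example value from the post, not a real ciphertext.
write_good_sample() {
    cat > "$1" <<'EOF'
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker build --build-arg=SECRET=$$SECRET -t gcr.io/$PROJECT_ID/android-builder:29 .']
  secretEnv: ['SECRET']
secrets:
- kmsKeyName: projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/yourcryptokey
  secretEnv:
    SECRET: CiQAwm7NmAeFT16bj0ES9sViYp/mBFOLMeRoj0ZzRKJJPwNbfLYSLgCk2ZAQBaAMauNIs9y9smM+g24Z5Ic+BHXG0dBYl3I/OepggpLiRlB7AuVpJaY=
EOF
}

# Same file with all three mistakes: $SECRET unescaped, base64 wrapped over
# two lines, and a bare key name instead of the resource name.
write_bad_sample() {
    cat > "$1" <<'EOF'
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker build --build-arg=SECRET=$SECRET -t gcr.io/$PROJECT_ID/android-builder:29 .']
  secretEnv: ['SECRET']
secrets:
- kmsKeyName: yourcryptokey
  secretEnv:
    SECRET: CiQAwm7NmAeFT16bj0ES9sViYp/mBFOLMeRoj0ZzRKJJPwNbfLYSLgCk2ZAQBaAMauNIs9y9smM+
      g24Z5Ic+BHXG0dBYl3I/OepggpLiRlB7AuVpJaY=
EOF
}

good=$(mktemp); bad=$(mktemp)
write_good_sample "$good"; write_bad_sample "$bad"
lint_cloudbuild "$good" SECRET && echo "good sample: ok"
lint_cloudbuild "$bad" SECRET || echo "bad sample: rejected as expected"
rm -f "$good" "$bad"
```

Point lint_cloudbuild at your own file and secret name before running gcloud builds submit. One thing the lint cannot see: a value passed with --build-arg is recorded in the image’s layer metadata (docker history shows it for the RUN layers that follow ARG SECRET), so an image built this way should stay within the project that owns the secret.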

Finally, we use the following command to build it and send it to the Container Registry.

gcloud builds submit --config cloudbuild.yaml

Important: If you get an error because the Cloud Build service account doesn’t have permission to decrypt, go to your GCP console, select Cloudbuild, go to its configuration and copy the service account email, then go to Security → Cryptographic keys → select your key → click the add member button in the right panel, add that email as a member and give it the role that decrypts cryptographic keys.

The cloudbuild file in our android project

Now that we have created the container that runs our Android project, the next step is to create the cloudbuild file of the Android project itself.

First, we’re going to create a couple of GCP Storage Buckets. Storage Buckets are object storage provided by the Google Cloud Platform; in other words, they let us store things. In our case, they will hold our Gradle cache and APKs.

To create them, open a terminal and type the following commands.

gsutil mb gs://gradle_cache
gsutil mb gs://apkstorage

In our cloudbuild.yaml we’re going to describe the following steps:

  • Copy our cache from our GCP Storage Bucket using the gsutil image from Google Container Registry. GCP provides this image, so we don’t have to build our own.
  • Run the ktlintCheck task on our previously created AndroidBuilder.
  • Run the detekt task on our AndroidBuilder.
  • Run our unit tests, always on our AndroidBuilder.
  • Assemble our Apk.
  • Store the cache.
  • Store our apks in a storage bucket.
  • Finally, set the timeout for the build to 1200 seconds.

steps:
- name: gcr.io/cloud-builders/gsutil
  args: ['rsync', 'gs://gradle_cache_$PROJECT_ID/', '.']
- name: 'gcr.io/$PROJECT_ID/android-builder:29'
  id: 'ktLint'
  entrypoint: 'gradle-build'
  args: ['-g', '.gradle', 'ktlintCheck']
- name: 'gcr.io/$PROJECT_ID/android-builder:29'
  id: 'detekt'
  entrypoint: 'gradle-build'
  args: ['-g', '.gradle', 'detekt']
- name: 'gcr.io/$PROJECT_ID/android-builder:29'
  id: 'test'
  entrypoint: 'gradle-build'
  args: ['-g', '.gradle', 'test']
- name: 'gcr.io/$PROJECT_ID/android-builder:29'
  id: 'Assemble'
  entrypoint: 'gradle-build'
  args: ['-g', '.gradle', 'assemble']
- name: gcr.io/cloud-builders/gsutil
  id: 'Storing gradle cache'
  args: ['cp', 'cache.zip', 'gs://gradle_cache_$PROJECT_ID/cache.zip']
- name: 'gcr.io/cloud-builders/gsutil'
  id: 'Storing Apks...'
  args: ['cp', '-r', 'app/build/outputs/apk', 'gs://apkstorage/$BRANCH_NAME-$BUILD_ID/']
timeout: 1200s

Note: Ktlint is a linting tool for Kotlin, and you can read more about it in this awesome article by Nate Ebel. On the other hand, detekt is a static code analysis tool for Kotlin, and you can read more about it here.

Set up the triggers.

Now we want to set up the build triggers, so that each time we push a branch our build runs and verifies that everything is fine. To do this, go to console.google.com, select your project, open the navigation menu, select Cloud Build → Triggers, connect your repository if you haven’t already, and then click the create trigger option. It looks like this.

This is a trigger that we want to run when a new feature branch is pushed to the repo. To test it, you need to push a new branch to the repo and check the GCP console history. If everything went well, you’re going to see something like this.

You can also try your builds locally using cloud-build-local.

Test your build locally

Pushing to GitHub to trigger the build can be annoying and slow. If you want to test your build, you can run it on your computer with cloud-build-local using the following command:

cloud-build-local --config=cloudbuild.yaml --dryrun=false

Note: You need to install cloud-build-local first, with the following commands.

gcloud components install docker-credential-gcr
gcloud auth configure-docker

You can read more about it here.

Where do we go from here

This was a proof of concept that I used to learn new things and to propose to the DevOps team at my job; I wanted to help them help our Android team. As I mentioned before, this can be hugely improved, so feel free to improve it or to use the community cloudbuilder if that fits your needs.

Ryan Harter has a series in which he talks about how to increment the build numbers and how to store the build cache. If you want to go even further, play around with the community builders.

What you can take away from this

If you’re looking for an alternative to CircleCI, Bitrise, or others, and you’re not afraid of a terminal and of learning new things (assuming you’re like me and didn’t know anything about cloudbuild), cloudbuild is cool. Surely it doesn’t have the beautiful UI/UX of a dedicated Continuous Integration provider, but it does the job very well. So it depends on your needs.

That’s it

If you have any questions, suggestions, or improvements, please leave a comment.
