1. Generate Bitbucket token
Cloud Build's 2nd-gen Bitbucket Cloud connection asks for two Bitbucket access tokens, each with a different job:
- Read Token: used to fetch source and pull-request data for builds.
- Admin Token: used to register and manage the webhooks that fire your triggers.
Scope each token to the minimum Cloud Build actually needs rather than ticking every box the token dialog offers. A token that can only read code does limited damage if it leaks from a build log, a laptop, or a misconfigured secret; a token that can push, delete repositories, or rewrite pipelines hands an attacker your supply chain.
Bitbucket repository access tokens carry scopes for Repositories (read, write, admin, delete), Pull requests (read, write), Webhooks (read and write), Pipelines and Runners. They cannot administer workspace users or groups, so user management is not something this token can or should do.
Required Permissions for Admin Token
The admin token is the one that needs write access to the repository's webhooks; that is what separates it from the read token. Grant it:
- Webhooks : read and write, so Cloud Build can create, update, and remove the webhook that delivers push and pull-request events to your triggers.
- Repositories : read, so the connection can list and validate the repository it is linked to.
- Pull requests : read, so pull-request triggers can see the state of the change.
Take the exact list from the current Cloud Build documentation for Bitbucket Cloud connections at the time you create the token, and grant nothing beyond it. In particular, Cloud Build does not need Repositories: write, admin or delete for a build to run, and it does not use Bitbucket Pipelines or Runners, so leave those scopes unchecked on both tokens.
Required Permissions for Read Token
- Repositories : read, so Cloud Build can clone the code, including branches, commits, and individual files, without being able to modify anything.
- Pull requests : read, so Cloud Build can track the status of a pull request and start builds based on it.
Nothing else. If you later find a build step that needs to write back to Bitbucket (for example, posting a status), give that step its own narrowly scoped credential from Secret Manager rather than widening the connection's read token.
To create a repository access token you need admin permission on the repository (a workspace access token needs workspace admin instead). Then:
Select Repository settings.
Select Access tokens.
In this section, select Create Repository Access Token.
Name the token after its consumer (for example cloud-build-read) so it is recognisable in audit logs, tick only the scopes listed above, and click Create. Copy the token immediately; Bitbucket shows it once and you cannot retrieve it later. Repeat these steps for the other token with its own scope set. Treat both values like passwords: store them in Secret Manager, never in the repository or in trigger substitutions, and revoke them from the same Access tokens page when they are no longer needed.
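Before handing the two tokens to Cloud Build, it is worth proving they carry only the scopes described above. The script below is an added example and not part of the original post: it uses the public Bitbucket 2.0 REST API, which answers 403 when a token lacks the scope an endpoint requires. Reading the repository needs only Repositories: read, while listing its webhooks needs the Webhooks scope, so a correctly scoped read token should get 200 on the first call and 403 on the second, and the admin token should get 200 on the webhook call. The WORKSPACE, REPO_SLUG, READ_TOKEN and ADMIN_TOKEN variables and the classify_* helper names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the two Bitbucket
# repository access tokens before they are given to Cloud Build.
# Assumed inputs: WORKSPACE, REPO_SLUG, READ_TOKEN and ADMIN_TOKEN from the
# environment. Expected status codes follow the Bitbucket 2.0 API, which
# returns 403 for a token that lacks the scope an endpoint requires.
set -u

API="https://api.bitbucket.org/2.0"

# Prints only the HTTP status code of a GET against the Bitbucket API.
bb_status() {   # $1 = token, $2 = path under /2.0
  curl -sS -o /dev/null -w '%{http_code}' \
       -H "Authorization: Bearer $1" "$API$2"
}

# Decision logic for the read token, kept free of network calls so it can be
# tested offline. $1 = status of GET /repositories/{ws}/{repo} (needs
# Repositories: read), $2 = status of GET .../hooks (needs Webhooks scope).
classify_read_token() {
  case "$1:$2" in
    200:403) echo "least-privilege" ;;      # reads code, cannot touch webhooks
    200:200) echo "over-privileged" ;;      # has a webhook scope it does not need
    200:*)   echo "unexpected:$2" ;;
    *)       echo "cannot-read-repo:$1" ;;  # wrong token, repo slug, or scope
  esac
}

# The admin token must be able to read (and therefore manage) webhooks,
# because Cloud Build registers a webhook on the repository to fire triggers.
classify_admin_token() {   # $1 = status of GET .../hooks
  case "$1" in
    200) echo "ok" ;;
    403) echo "missing-webhook-scope" ;;
    *)   echo "unexpected:$1" ;;
  esac
}

check_tokens() {
  local repo="/repositories/$WORKSPACE/$REPO_SLUG"
  local r_repo r_hooks a_hooks
  r_repo=$(bb_status "$READ_TOKEN" "$repo")
  r_hooks=$(bb_status "$READ_TOKEN" "$repo/hooks")
  a_hooks=$(bb_status "$ADMIN_TOKEN" "$repo/hooks")
  echo "read token:  $(classify_read_token "$r_repo" "$r_hooks")"
  echo "admin token: $(classify_admin_token "$a_hooks")"
}

# Only touch the network when the caller has supplied real values.
if [ -n "${WORKSPACE:-}" ] && [ -n "${REPO_SLUG:-}" ] \
   && [ -n "${READ_TOKEN:-}" ] && [ -n "${ADMIN_TOKEN:-}" ]; then
  check_tokens
fi
```

Run it as `WORKSPACE=workspace-x REPO_SLUG=project-y READ_TOKEN=... ADMIN_TOKEN=... ./check-tokens.sh`. An "over-privileged" verdict for the read token means it was created with a Webhooks scope it does not need; regenerate it rather than continuing. The checks are read-only GETs, so running them creates nothing in Bitbucket.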
2. Link Repository
The next step is linking the repository to Cloud Build so it can clone your code and receive webhook events from Bitbucket. In the Google Cloud Console:
Access the Cloud Build Interface : Log into the Google Cloud Console and open the Cloud Build section, either from the navigation menu on the left or by searching for "Cloud Build" in the search bar.
Select the Repositories Option : In the Cloud Build interface, select "Repositories". This page lists the repository connections in the project and is where you add, inspect, and remove linked repositories.
Select 2nd gen, which is the generation that uses the host connection described here. Choose Create host connection, then select Bitbucket.
Fill in the required fields. For Bitbucket host, select Bitbucket Cloud and enter the workspace only. If your Bitbucket URL is https://bitbucket.org/workspace-x/project-y, enter workspace-x in the field.
Then enter the two access tokens created in Step 1: the admin token in the admin (authorizer) field and the read token in the read field. The console stores each token as a Secret Manager secret in your project and grants the Cloud Build service agent access to it; the tokens are never written to the build configuration itself.
Once the connection is created, link the repository to it. From then on Cloud Build can clone the code and receive push and pull-request events, which is what the triggers in the next step react to. Anyone with permission to edit the connection in this project can point builds at a different repository, so restrict Cloud Build editor roles to the people who own the pipeline.
3. Create Trigger
After successfully linking your repository, the final step is to create a build trigger in Google Cloud Build. A build trigger automates the build process, allowing Cloud Build to initiate builds automatically in response to specific events, such as code commits or pull requests.
Select the Triggers Option : In the Cloud Build interface, find and select the “Triggers” tab. This will take you to a page where you can view and manage existing triggers or create new ones.
Create a New Trigger : Click "Create Trigger". You are asked for the source repository, the event that starts a build (push to a branch, push of a tag, or a pull request), and a branch or tag regular expression such as ^main$. Keep the pattern tight: a trigger that matches every branch runs every pushed branch's build configuration with the trigger's service account.
Configure Build Steps and Conditions : After choosing the source and event, point the trigger at a build configuration file in the repository (such as cloudbuild.yaml) or define the steps inline, and set any conditions you need. Two settings deserve attention. First, assign the trigger a dedicated service account that holds only the roles the build needs (for example, push to one registry), instead of the project default. Second, remember that a pull-request trigger runs whatever cloudbuild.yaml the pull-request branch contains, so whoever can open a pull request can run code as that service account; limit who can push branches, and keep secrets out of the build unless the step truly needs them.
Here is an example cloudbuild.yaml that packages a Maven project and builds and pushes a container image (dcr.io/repo/project-name is a placeholder for your own registry path):
# Labels shown in the build list; useful for filtering.
tags:
  - "project-name"
steps:
  # Compile and package with Maven. Tests are skipped here for speed; make sure
  # they run somewhere that gates the merge, or drop the flag.
  - name: 'maven:3.8.5-openjdk-17'
    id: compile_and_package
    entrypoint: mvn
    args:
      - '-T'
      - '1C'
      - '-Dmaven.test.skip=true'
      - clean
      - package
  # Pull the previous image so Docker can reuse its layers. On the first build
  # the image does not exist yet, and that must not fail the step ("|| exit 0").
  - name: 'gcr.io/cloud-builders/docker'
    id: pulling_image_to_leverage_caching
    entrypoint: bash
    args:
      - '-c'
      - 'docker pull dcr.io/repo/project-name:latest || exit 0'
  # Build once, tag with the immutable commit SHA and with "latest".
  - name: 'gcr.io/cloud-builders/docker'
    id: building_image_using_docker
    args:
      - build
      - '-f'
      - 'Dockerfile'
      - '-t'
      - 'dcr.io/repo/project-name:$COMMIT_SHA'
      - '-t'
      - 'dcr.io/repo/project-name:latest'
      - '--cache-from'
      - 'dcr.io/repo/project-name:latest'
      - '.'
  - name: 'gcr.io/cloud-builders/docker'
    id: pushing_image_commit_hash
    args:
      - 'push'
      - 'dcr.io/repo/project-name:$COMMIT_SHA'
  - name: 'gcr.io/cloud-builders/docker'
    id: pushing_image_latest
    args:
      - 'push'
      - 'dcr.io/repo/project-name:latest'
# Images listed here are pushed by Cloud Build (if not already) and recorded,
# with their digests, in the build results. Deploy from the $COMMIT_SHA tag,
# which never moves, rather than from "latest".
images:
  - dcr.io/repo/project-name:$COMMIT_SHA
Then, click Create and try making a commit to verify the setup.
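The three console steps above can also be scripted, which makes the security-relevant parts explicit: the tokens go into Secret Manager via stdin (never on a command line), the Cloud Build service agent is the only principal granted access to them, and the trigger is pinned to one branch pattern. The script below is an added example and not the post's own procedure. It uses the gcloud commands for Bitbucket Cloud connections, 2nd-gen repositories and triggers; PROJECT_ID, REGION, CONNECTION, the secret names, and the workspace_from_url, repo_slug_from_url and secret_version helpers are assumptions of this example, and the tokens are read from READ_TOKEN and ADMIN_TOKEN in the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the Bitbucket Cloud
# connection, link the repository and create a trigger with gcloud, keeping
# the tokens in Secret Manager. Placeholder values below are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
CONNECTION="${CONNECTION:-bitbucket-cloud-conn}"

# https://bitbucket.org/workspace-x/project-y -> workspace-x (what the
# connection asks for) and project-y (the repository slug).
workspace_from_url() {   # $1 = repository URL
  printf '%s\n' "$1" | sed -E 's#^https?://bitbucket\.org/([^/]+)/.*$#\1#'
}
repo_slug_from_url() {   # strips a trailing slash or .git, keeps the last segment
  printf '%s\n' "$1" | sed -E 's#/?$##; s#\.git$##; s#.*/##'
}

# Full resource name of a secret's latest version, as the connection flags expect.
secret_version() {   # $1 = project id, $2 = secret name
  printf 'projects/%s/secrets/%s/versions/latest\n' "$1" "$2"
}

# Feed the value on stdin so it never appears in argv (visible via ps) or in
# shell history.
store_secret() {   # $1 = secret name, $2 = value
  printf '%s' "$2" | gcloud secrets create "$1" --project="$PROJECT_ID" \
      --replication-policy=automatic --data-file=-
}

# The Cloud Build service agent reads the secrets when the connection is used,
# so it, not your user account, needs secretAccessor on each of them.
grant_cloud_build_access() {   # $1 = secret name
  local number
  number=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  gcloud secrets add-iam-policy-binding "$1" --project="$PROJECT_ID" \
      --member="serviceAccount:service-${number}@gcp-sa-cloudbuild.iam.gserviceaccount.com" \
      --role=roles/secretmanager.secretAccessor
}

setup() {   # $1 = Bitbucket repository URL
  local url="$1" ws slug s
  ws=$(workspace_from_url "$url")
  slug=$(repo_slug_from_url "$url")

  store_secret bb-read-token  "${READ_TOKEN:?set READ_TOKEN}"
  store_secret bb-admin-token "${ADMIN_TOKEN:?set ADMIN_TOKEN}"
  # Shared secret Cloud Build uses to authenticate the webhook calls from Bitbucket.
  store_secret bb-webhook-secret "$(openssl rand -base64 32)"
  for s in bb-read-token bb-admin-token bb-webhook-secret; do
    grant_cloud_build_access "$s"
  done

  gcloud builds connections create bitbucket-cloud "$CONNECTION" \
      --project="$PROJECT_ID" --region="$REGION" --workspace="$ws" \
      --authorizer-token-secret-version="$(secret_version "$PROJECT_ID" bb-admin-token)" \
      --read-authorizer-token-secret-version="$(secret_version "$PROJECT_ID" bb-read-token)" \
      --webhook-secret-secret-version="$(secret_version "$PROJECT_ID" bb-webhook-secret)"

  gcloud builds repositories create "$slug" \
      --project="$PROJECT_ID" --region="$REGION" --connection="$CONNECTION" \
      --remote-uri="https://bitbucket.org/$ws/$slug.git"

  # Fire only on pushes to main; the build config is read from the repository.
  gcloud builds triggers create bitbucket-cloud --name="$slug-main" \
      --project="$PROJECT_ID" --region="$REGION" \
      --repository="projects/$PROJECT_ID/locations/$REGION/connections/$CONNECTION/repositories/$slug" \
      --branch-pattern='^main$' --build-config=cloudbuild.yaml
}

# Runs only when a repository URL is given, e.g.
#   READ_TOKEN=... ADMIN_TOKEN=... ./setup.sh https://bitbucket.org/workspace-x/project-y
if [ $# -gt 0 ]; then setup "$1"; fi
```

Rotating a token later means adding a new secret version and updating the connection to point at it; nothing in the trigger or cloudbuild.yaml changes, which is the reason for keeping the tokens out of the build configuration in the first place.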
4. Conclusion
Connecting Cloud Build to Bitbucket comes down to three things done carefully: two tokens scoped to exactly what the connection needs, a host connection that keeps those tokens in Secret Manager, and triggers that are pinned to specific branches and run under a service account with only the roles the build requires. Get those right and you have a pipeline that is both convenient and defensible. If you have questions or additional tips, feel free to share in the comments below.