# Integrate the Connect gateway with Cloud Build

Last updated: 2025-09-04 (UTC).

This is a basic tutorial on how to integrate [Cloud Build](/cloud-build/docs/overview) with the Connect gateway, letting you create a CI/CD pipeline for GKE clusters running across many different environments.

This tutorial assumes that you are familiar with the previous sections in [the Connect gateway guide](/kubernetes-engine/enterprise/multicluster-management/gateway), and also with Cloud Build. The instructions use the [`cloud-sdk` builder image](https://github.com/GoogleCloudPlatform/cloud-sdk-docker), which requires some minor scripting, as shown below.

## Before you begin

- Ensure that you have the following command-line tools installed:

  - The latest version of the [Google Cloud CLI](/sdk/docs/install), which includes `gcloud`, the command-line tool for interacting with Google Cloud.
  - [`kubectl`](/kubernetes-engine/fleet-management/docs/before-you-begin#install-kubectl), the command-line tool for interacting with Kubernetes.

  If you are using Cloud Shell as your shell environment for interacting with Google Cloud, these tools are installed for you.

- Ensure that you have [initialized](/sdk/docs/install-sdk#initializing_the) the gcloud CLI for use with your project.

- Ensure that the Connect gateway and the other required APIs are enabled for your project, as described in the [setup guide](/kubernetes-engine/enterprise/multicluster-management/gateway/setup#enable_the_gateway_apis).

## 1. Grant IAM roles to the Cloud Build service account

By default, Cloud Build uses a Google Cloud service account to run all required work, with an address in the format `MY_PROJECT_NUMBER@cloudbuild.gserviceaccount.com`. You can find this service account's email address for your project under **Cloud Build** > **Settings** in the [Google Cloud console](https://console.cloud.google.com/cloud-build/settings).

Follow the instructions in [Grant IAM permissions](/kubernetes-engine/enterprise/multicluster-management/gateway/setup#grant_iam_roles_to_users) in the gateway setup guide to grant this account the required roles in your project.

## 2. Specify RBAC policies for the Cloud Build service account

Follow the instructions in [Configure RBAC policies](/kubernetes-engine/enterprise/multicluster-management/gateway/setup#configure_role-based_access_control_rbac_policies) in the gateway setup guide to give the Cloud Build service account appropriate permissions on all the clusters you want to use.

We strongly recommend using [Policy Controller](/anthos-config-management/docs/concepts/policy-controller) to deploy and maintain RBAC policies on multiple clusters.

## 3. Create a Cloud Build pipeline

The Cloud Build workflow needs a `cloudbuild.yaml` file to configure the pipeline. The following is a simple example that deploys a static manifest to two different clusters (one GKE cluster on Google Cloud, and one on VMware). You can find out more about how to configure a Cloud Build pipeline in the [Cloud Build documentation](/cloud-build/docs/configuring-builds/create-basic-configuration).

```yaml
steps:
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: bash
  id: Deploy to cluster on Google Cloud
  args:
  - '-c'
  - |
    set -x && \
    export KUBECONFIG="$(pwd)/gateway-kubeconfig" && \
    gcloud container fleet memberships get-credentials my-gke-cluster && \
    kubectl --kubeconfig gateway-kubeconfig apply -f myapp.yaml
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: bash
  id: Deploy to cluster on VMware
  args:
  - '-c'
  - |
    set -x && \
    export KUBECONFIG="$(pwd)/gateway-kubeconfig" && \
    gcloud container fleet memberships get-credentials my-vmware-cluster && \
    kubectl --kubeconfig gateway-kubeconfig apply -f myapp.yaml
```

You can put any manifests you want to apply to the clusters in `myapp.yaml`. Here is an example:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
```

Once you push your configuration to your Git repository, the Cloud Build workflow deploys the required application to the specified clusters. You can also set up Cloud Build to detect changes in the linked Git repository and trigger an automated application update or installation.

## Advanced usage

Since it uses standard Cloud Build concepts, you can adapt and customize our example further to suit your particular CI/CD needs. In particular, if you want to build an image from scratch and deploy it in your pipeline, you can use the `gke-deploy` builder's [prepare mode](https://github.com/GoogleCloudPlatform/cloud-builders/blob/master/gke-deploy/doc/gke-deploy_prepare.md). For example, the following Cloud Build configuration:

1. Builds a Docker image from the Dockerfile in the root of the Git repo and tags it with the Git SHA.
2. Pushes the tagged image to the project's [Container Registry](/container-registry/docs/overview).
3. Prepares the Kubernetes manifests in the `manifests` directory by setting the correct image tag(s), placing the output manifests in `output/expanded`.
4. Deploys to a GKE cluster on premises using the Connect gateway.

```yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  id: "Build Container"
  args: ['build', '--tag=gcr.io/$PROJECT_ID/demo-app:$SHORT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
  id: "Push to GCR"
  args: ['push', 'gcr.io/$PROJECT_ID/demo-app:$SHORT_SHA']
- name: "gcr.io/cloud-builders/gke-deploy"
  id: "Prepare Manifests"
  args:
  - prepare
  - --filename=manifests/
  - --image=gcr.io/$PROJECT_ID/demo-app:$SHORT_SHA
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: bash
  id: "Deploy to cluster on VMware"
  args:
  - '-c'
  - |
    set -x && \
    export KUBECONFIG="$(pwd)/gateway-kubeconfig" && \
    gcloud container fleet memberships get-credentials my-vmware-cluster && \
    kubectl --kubeconfig=gateway-kubeconfig apply -f output/expanded
```

Note that in this example we had to create an [image pull secret](http://docs.heptio.com/content/private-registries/pr-gcr.html) to authorize the on-premises GKE cluster to pull images from Container Registry.

For more ideas for Cloud Build usage, see the [Cloud Build documentation](/build/docs/overview).
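The two `cloud-sdk` steps in the basic pipeline above each chain `gcloud ... get-credentials` and `kubectl apply` with `&&`, and write `gateway-kubeconfig` into the build's working directory, which later build steps share. The helper below is an added example, not code from the page or from Google: it performs the same deployment for any list of fleet memberships, but keeps the gateway kubeconfig in a private temporary file that is removed afterwards, checks every command explicitly (so a failure is reported even when the caller runs it inside `||`, where `set -e` is suspended), and runs a server-side dry run first so that an RBAC denial from step 2 is surfaced before anything on the cluster changes. The membership names `my-gke-cluster` and `my-vmware-cluster` are the page's; `gcloud` and `kubectl` are resolved through the `GCLOUD` and `KUBECTL` variables only so the script can be exercised with stubs.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs page): deploy one manifest to
# several fleet memberships through the Connect gateway, failing fast, with a
# private kubeconfig per membership and a server-side dry run before apply.
set -eu

# Command names are variables so the helper can be exercised with stubs.
GCLOUD="${GCLOUD:-gcloud}"
KUBECTL="${KUBECTL:-kubectl}"

# deploy_to_membership MEMBERSHIP MANIFEST
# Fetches Connect gateway credentials for one fleet membership into a private
# temporary kubeconfig (never the shared build workspace), dry-runs the
# manifest against the API server, applies it, then deletes the kubeconfig.
# Each command is checked with "|| return 1" so the function is safe to call
# from a context in which "set -e" does not apply.
deploy_to_membership() {
  local membership="$1" manifest="$2" kubeconfig
  [ -f "$manifest" ] || { echo "manifest not found: $manifest" >&2; return 1; }
  kubeconfig="$(mktemp -d)/gateway-kubeconfig"
  KUBECONFIG="$kubeconfig" "$GCLOUD" container fleet memberships get-credentials "$membership" || return 1
  # Server-side dry run: validates the objects and exercises the RBAC rules
  # granted to the Cloud Build service account without changing anything.
  "$KUBECTL" --kubeconfig="$kubeconfig" apply --dry-run=server -f "$manifest" || return 1
  "$KUBECTL" --kubeconfig="$kubeconfig" apply -f "$manifest" || return 1
  rm -f "$kubeconfig"
}

# deploy_to_all MANIFEST MEMBERSHIP...
# Deploys one manifest to each membership in turn and stops at the first
# failure, so a rollout that breaks on one cluster never continues to the next.
deploy_to_all() {
  local manifest="$1" m
  shift
  for m in "$@"; do
    echo "==> deploying $manifest to membership $m"
    deploy_to_membership "$m" "$manifest" || { echo "deploy to $m failed" >&2; return 1; }
  done
}
```

In a `cloud-sdk` build step this replaces the inline `set -x && ...` chain with `deploy_to_all myapp.yaml my-gke-cluster my-vmware-cluster`; a single step then covers every cluster, and the build fails at the first membership whose credentials, RBAC policy or manifest are wrong.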
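In the advanced pipeline, the "Prepare Manifests" step rewrites the image references in `manifests/` to the freshly built `gcr.io/$PROJECT_ID/demo-app:$SHORT_SHA` and the last step applies whatever ends up in `output/expanded`. The gate below is an added example, not code from the page or from the `gke-deploy` project: run between those two steps, it refuses to continue unless every `image:` value in the prepared manifests is exactly the SHA-tagged image, so a manifest that `gke-deploy` did not rewrite, or one that still points at a mutable reference such as `:latest`, never reaches the cluster. The plain-text scan in `image_refs` is an assumption that the prepared manifests are ordinary flat YAML, which is what `gke-deploy prepare` emits; it is not a YAML parser.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs page): a pre-deploy gate that
# checks the image references in output/expanded against the image built in
# this pipeline run, rejecting unpinned or unexpected images.
set -eu

# image_refs FILE
# Prints the value of every "image:" key in FILE, one per line, with any
# surrounding quotes removed. Assumes flat YAML as produced by gke-deploy.
image_refs() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d '"'"'"
}

# pinned_ref IMAGE
# Returns 0 if IMAGE is pinned: either a digest (@sha256:...) or an explicit
# tag other than "latest". Untagged names and ":latest" are rejected.
pinned_ref() {
  case "$1" in
    *@sha256:*) return 0 ;;
  esac
  local name="${1##*/}"   # last path component, e.g. demo-app:abc1234
  case "$name" in
    *:latest) return 1 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_prepared_manifests DIR EXPECTED_IMAGE
# Returns 0 only if EXPECTED_IMAGE is pinned, DIR holds at least one manifest,
# and every image reference in DIR equals EXPECTED_IMAGE. Every offending
# reference is reported on stderr before the non-zero return.
check_prepared_manifests() {
  local dir="$1" expected="$2" found=0 bad=0 f img
  pinned_ref "$expected" || { echo "built image $expected is not pinned to a tag or digest" >&2; return 1; }
  for f in "$dir"/*.yaml "$dir"/*.yml; do
    [ -e "$f" ] || continue
    found=1
    for img in $(image_refs "$f"); do
      if [ "$img" != "$expected" ]; then
        echo "$f: image $img is not the built image $expected" >&2
        bad=1
      fi
    done
  done
  [ "$found" -eq 1 ] || { echo "no manifests found in $dir" >&2; return 1; }
  return "$bad"
}
```

In the pipeline this becomes a `cloud-sdk` step between "Prepare Manifests" and "Deploy to cluster on VMware" that runs `check_prepared_manifests output/expanded "gcr.io/$PROJECT_ID/demo-app:$SHORT_SHA"`; because Cloud Build stops at the first failing step, a failed check leaves the cluster untouched.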