I’ve been trying for a few hours to figure out the sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account line in the docker-hello-google circleci tutorial: https://github.com/circleci/docker-hello-google/blob/master/circle.yml
I keep getting this message:
WARNING: .p12 service account keys are not recomended unless it is necessary for backwards compatability. Please switch to a newer .json service account key for this account.
ERROR: (gcloud.auth.activate-service-account) PyOpenSSL is not available. If you have already installed PyOpenSSL, you will need to enable site packages by setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to 1.
To try and remedy the openssl issue, I set the suggested site packages to 1 in the environment variables:
machine:
environment:
PROJECT_NAME: circle-ctl-test
CLUSTER_NAME: docker-hello-google-cluster
CLOUDSDK_COMPUTE_ZONE: us-central1-f
DEBIAN_FRONTEND: noninteractive
CLOUDSDK_PYTHON_SITEPACKAGES: 1
I then also tried to actually install open ssl in the dependencies:
override:
- pip install pyopenssl
The full circle.yml file is below. Beyond those changes and adding the email of my service account id, it’s the same as in the circleci tutorial. What I also find confusing is that I specifically set up a service account using json, NOT P12 - so it’s hard for me to tell if it’s even really openssl that is tripping circleci up. Has anyone else experienced this error message and warning recently? If it helps, the service account key I made has the ‘owner’ role for the container engine app (the circleci tutorial does not say what ‘role’ you should give the service account so I just took a guess.)
machine:
environment:
PROJECT_NAME: circle-ctl-test
CLUSTER_NAME: docker-hello-google-cluster
CLOUDSDK_COMPUTE_ZONE: us-central1-f
DEBIAN_FRONTEND: noninteractive
CLOUDSDK_PYTHON_SITEPACKAGES: 1
CLOUDSDK_CORE_DISABLE_PROMPTS: 1
services:
- docker
dependencies:
pre:
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update kubectl
- echo GCLOUD_SERVICE_KEY | base64 --decode -i > {HOME}/circle-ctl-test-XXXXX.json
- sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account circleci-container@circle-ctl-test-XXXXX.iam.gserviceaccount.com --key-file ${HOME}/circle-ctl-test-XXXX.json
- sudo /opt/google-cloud-sdk/bin/gcloud config set project $PROJECT_NAME
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet config set container/cluster CLUSTER_NAME
# Reading the zone from the env var is not working so we set it here
- sudo /opt/google-cloud-sdk/bin/gcloud config set compute/zone {CLOUDSDK_COMPUTE_ZONE}
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet container clusters get-credentials CLUSTER_NAME
- docker build -t us.gcr.io/{PROJECT_NAME}/hello:CIRCLE_SHA1 .
# Using a separate tag command until Docker 1.10 is available on CircleCI, then we can use two tags in the build command above
- docker tag us.gcr.io/{PROJECT_NAME}/hello:CIRCLE_SHA1 us.gcr.io/{PROJECT_NAME}/hello:latest
override:
- pip install pyopenssl
test:
post:
- docker run -d -p 3000:3000 -e “SECRET_KEY_BASE=abcd1234” us.gcr.io/${PROJECT_NAME}/hello:$CIRCLE_SHA1; sleep 10
- curl --retry 10 --retry-delay 5 -v http://localhost:3000
deployment:
prod:
branch: master
commands:
- ./deploy.sh