jenkins: add --json-key and --sdk-url to cork update commands

[tormath1]

it pulls flatcar/mantle#239 to be able to
use --json-key and --sdk-url in order to access private GCS bucket

Signed-off-by: Mathieu Tortuyaux [email protected]

Note for reviewers

• I have a doubt regarding the availability of GOOGLE_APPLICATION_CREDENTIALS from each script
• in jenkins/vm.sh we mix GS_DEVEL_CREDS and GOOGLE_APPLICATION_CREDENTIALS - I think they target the same file

CI: http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/3742/cldsv/

[dongsupark]

Looks ok.
A test CI run would be great.

[tormath1]

@dongsupark I started a build: http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/3742/cldsv/

[tormath1]

@jepio @dongsupark I added too the --sdk-url to target the GCS bucket (otherwise it was defaulting to the mirror). CI is started (at least for the toolchain).

NOTE: I started the build with SDK_URL_PATH=/flatcar-jenkins/sdk and SDK_VERSION=3005.0.0 otherwise it fails to do some hack for using nightly SDK (https://github.com/kinvolk/jenkins-os/blob/5bb18e314ac7dab8e71038389fe4dd0bf09ccda3/os/manifest.groovy#L228-L233)

[krnowak]

@tormath1 : For each script in the jenkins directory, you would need to look at the respective job file in jenkins-os. The GOOGLE_APPLICATION_CREDENTIALS thing is a mess, if you ask me. It's an env var that is probably also respected by mantle (try grepping for it there). So jenkins-os seems to specify it in environment, then mantle sometimes picks that up. It's horrible and annoying to track.

We seem to have two sets of creds - one for uploading the development files (GS_DEVEL_CREDS), and one for uploading release files (GS_RELEASE_CREDS). jenkins-os sets GOOGLE_APPLICATION_CREDENTIALS env var to one of them. In case of vms.sh, GS_RELEASE_CREDS is mapped to GOOGLE_APPLICATION_CREDENTIALS env var and GS_DEVEL_CREDS to GS_DEVEL_CREDS env var. See https://github.com/kinvolk/jenkins-os/blob/flatcar-master/os/board/vm-matrix.groovy#L432-L436

So your changes seem to be alright, but I'm not entirely sure about vms.sh. I'd say that if explicit specification of the key was missing, then it should fall back to GOOGLE_APPLICATION_CREDENTIALS, no?

[tormath1]

@krnowak thanks for the explanation - I really had a doubt regarding this duality GOOGLE_APPLICATION_CREDENTIALS / GS_DEVEL_CREDS.

I think we're good using GS_DEVEL_CREDS we don't want to upload but to download a SDK (from flatcar-jenkins) and we can see that the enter function does use this creds too in the fetch command, so that "makes sense" but it's a bit confusing.