Read mixer env helm charts for /v2/resolve authentication overrides

build/ci/cloudbuild.push.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Official CI/CD pipeline for building and pushing release images to GCR.
+# Triggered automatically on every push to the master branch.
+# DO NOT trigger this manually. Manual runs will tag images with official release tags (autopush) and trigger downstream deployment builds.
+
 steps:
   # Trigger downstream builds that listen for changes to multiple repos.
   - id: update-repo-version

build/ci/cloudbuild.push_image.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Manual Cloud Build pipeline for building and pushing images to GCR.
+# Trigger this manually (e.g., via /scripts/push_image.sh) for development deployments or testing custom images.
+# This is NOT used by the official CI/CD pipeline nor any automated triggers.
+
 steps:
   - id: push-web-server
     name: gcr.io/cloud-builders/docker

scripts/deploy_cloud_esp.sh

@@ -85,6 +85,15 @@ if [[ "$DEPLOYMENT" == "mixer" ]]; then
   export IP=$(yq eval '.ip' $HELM_VALUES_FILE)
   yq eval -i '.endpoints[0].target = env(IP)' endpoints.yaml
   yq eval -i '.endpoints[0].name = env(SERVICE_NAME)' endpoints.yaml
+
+  # Check for V2Resolve override
+  # TODO(/v2/resolve cleanup): Delete once /v2/resolve always requires an api key.
+  V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
+  if [[ "$V2_RESOLVE_ALLOW_UNREGISTERED" == "false" ]]; then
+    echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
+    yq eval -i '(.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls) = false' endpoints.yaml
+  fi
+
   echo "endpoints.yaml content:"
   cat endpoints.yaml
 fi

tools/script_runner/README.md

@@ -10,6 +10,13 @@ The `cloudbuild.push_image.yaml` file defines a Cloud Build job that builds and
 
 You can trigger the build using the `gcloud` command-line tool.
 
+> [!WARNING]  
+> Please use a custom tag (e.g., `dev-username`) for testing.
+> The `latest` tag is used by the official CI/CD pipeline and all deployment environments (autopush, staging, prod).  
+> Pushing to `latest` manually can affect subsequent cicd deployments.  
+> Only use the tag `latest` if you need to deploy an emergency fix for immediate pickup by the pipeline.
+
+You must provide a tag name using substitutions:
 ```bash
-gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci
+gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci --substitutions=_TAG_NAME=dev-myuser
 ```

tools/script_runner/cloudbuild.push_image.yaml

@@ -11,15 +11,25 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# Cloud Build configuration for manual building of the script runner image.
+#
+# Usage:
+#   This build requires a _TAG_NAME substitution to be provided.
+#   Do NOT use 'latest' unless fixing a critical issue for the pipeline.
+#
+# Example Command:
+#   gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml \
+#     --project=datcom-ci \
+#     --substitutions=_TAG_NAME=dev-myuser
 
 steps:
   - name: "gcr.io/cloud-builders/docker"
     args:
       - build
-      - --tag=gcr.io/datcom-ci/datacommons-script-runner:latest
+      - --tag=gcr.io/datcom-ci/datacommons-script-runner:${_TAG_NAME}
       - "."
       - -f
       - "tools/script_runner/Dockerfile"
 
 images:
-  - "gcr.io/datcom-ci/datacommons-script-runner:latest"
+  - "gcr.io/datcom-ci/datacommons-script-runner:${_TAG_NAME}"