build: allow release jobs to run on new cluster

.kokoro/populate-secrets.sh

@@ -19,6 +19,11 @@ function now { date +"%Y-%m-%d %H:%M:%S" | tr -d '\n' ;}
 function msg { println "$*" >&2 ;}
 function println { printf '%s\n' "$(now) $*" ;}
 
+# Override to declare the GCP project that holds the secrets to fetch
+if [[ -z "${SECRET_MANAGER_PROJECT_ID}" ]]; then
+  msg "SECRET_MANAGER_PROJECT_ID is not set in environment variables, using default"
+  SECRET_MANAGER_PROJECT_ID="cloud-devrel-kokoro-resources"
+fi
 
 # Populates requested secrets set in SECRET_MANAGER_KEYS from service account:
 # kokoro-trampoline@cloud-devrel-kokoro-resources.iam.gserviceaccount.com
@@ -32,7 +37,7 @@ do
     --volume=${KOKORO_GFILE_DIR}:${KOKORO_GFILE_DIR} \
     gcr.io/google.com/cloudsdktool/cloud-sdk \
     secrets versions access latest \
-    --project cloud-devrel-kokoro-resources \
+    --project "${SECRET_MANAGER_PROJECT_ID}" \
     --secret ${key} > \
     "${SECRET_LOCATION}/${key}"
   if [[ $? == 0 ]]; then

.kokoro/release.sh

@@ -23,7 +23,7 @@ python3 -m releasetool publish-reporter-script > /tmp/publisher-script; source /
 export PYTHONUNBUFFERED=1
 
 # Move into the package, build the distribution and upload.
-TWINE_PASSWORD=$(cat "${KOKORO_KEYSTORE_DIR}/73713_google-cloud-pypi-token-keystore-1")
+TWINE_PASSWORD=$(cat "${KOKORO_KEYSTORE_DIR}/73713_google-cloud-pypi-token-keystore-3")
 cd github/python-test-utils
 python3 setup.py sdist bdist_wheel
 twine upload --username __token__ --password "${TWINE_PASSWORD}" dist/*

.kokoro/release/common.cfg

@@ -7,28 +7,25 @@ action {
   }
 }
 
-# Download trampoline resources.
-gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/trampoline"
-
 # Use the trampoline script to run in docker.
 build_file: "python-test-utils/.kokoro/trampoline.sh"
 
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
-    key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/python-multi"
+  key: "TRAMPOLINE_IMAGE"
+  value: "us-central1-docker.pkg.dev/cloud-sdk-release-custom-pool/release-images/python-multi"
 }
 env_vars: {
-    key: "TRAMPOLINE_BUILD_FILE"
-    value: "github/python-test-utils/.kokoro/release.sh"
+  key: "TRAMPOLINE_BUILD_FILE"
+  value: "github/python-test-utils/.kokoro/release.sh"
 }
 
 # Fetch PyPI password
 before_action {
   fetch_keystore {
     keystore_resource {
       keystore_config_id: 73713
-      keyname: "google-cloud-pypi-token-keystore-1"
+      keyname: "google-cloud-pypi-token-keystore-3"
     }
   }
 }
@@ -38,6 +35,10 @@ env_vars: {
   key: "SECRET_MANAGER_KEYS"
   value: "releasetool-publish-reporter-app,releasetool-publish-reporter-googleapis-installation,releasetool-publish-reporter-pem"
 }
+env_vars: {
+  key: "SECRET_MANAGER_PROJECT_ID"
+  value: "cloud-sdk-release-custom-pool"
+}
 
 # Store the packages we uploaded to PyPI.  That way, we have a record of exactly
 # what we published, which we can use to generate SBOMs and attestations.

.kokoro/trampoline.sh

@@ -15,14 +15,14 @@
 
 set -eo pipefail
 
-# Always run the cleanup script, regardless of the success of bouncing into
-# the container.
-function cleanup() {
-    chmod +x ${KOKORO_GFILE_DIR}/trampoline_cleanup.sh
-    ${KOKORO_GFILE_DIR}/trampoline_cleanup.sh
-    echo "cleanup";
-}
-trap cleanup EXIT
+# authenticate against Artifact Registry if necessary
+TRAMPOLINE_HOST=$(echo "${TRAMPOLINE_IMAGE}" | cut -d/ -f1)
+if [[ ! "${TRAMPOLINE_HOST}" =~ "gcr.io" ]]
+then
+  echo "TRAMPOLINE_HOST: ${TRAMPOLINE_HOST}"
+  gcloud components update
+  gcloud auth configure-docker "${TRAMPOLINE_HOST}"
+fi
 
 $(dirname $0)/populate-secrets.sh # Secret Manager secrets.
-python3 "${KOKORO_GFILE_DIR}/trampoline_v1.py"
+$(dirname $0)/trampoline_v2.sh