GitHub と連携した Cloud Build から Cloud Run にサンプルアプリケーションをデプロイをするハンズオンです
Cloud Run で使うコンテナイメージの保存先は Artifact Registry を利用します
記載の情報は執筆当時の情報になります
export _gc_pj_id='Your Google Cloud Project ID'
export _common='hnd-cb-sample'
- Google Cloud と認証をします
gcloud auth login --no-launch-browser
- ローカルの Docker の設定をアップデートします
gcloud auth configure-docker asia-northeast1-docker.pkg.dev
- API の有効化
- ※ 他の API の有効化も必要になったタイミングで実施してください
gcloud beta services enable artifactregistry.googleapis.com --project ${_gc_pj_id}
gcloud beta services enable cloudbuild.googleapis.com --project ${_gc_pj_id}
gcloud beta services enable iam.googleapis.com --project ${_gc_pj_id}
gcloud beta services enable run.googleapis.com --project ${_gc_pj_id}
- ソースコードを clone します
git clone https://github.com/iganari/handson-build-ar-run.git
cd handson-build-ar-run
- Cloud Build 用の Service Account の作成をします
gcloud beta iam service-accounts create sa-${_common}-cloudbuild \
--description="Cloud Build Trigger 毎に Service Account を付与する" \
--display-name="sa-${_common}-cloudbuild" \
--project ${_gc_pj_id}
- Service Account の確認をします
gcloud beta iam service-accounts describe \
sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com \
--project ${_gc_pj_id} \
--format json
- Role を付与します
- Logs Writer(
roles/logging.logWriter
) - Storage Admin(
roles/storage.admin
) - Artifact Registry Writer(
roles/artifactregistry.writer
) - Cloud Run Admin(
roles/run.admin
) - Service Account User(
roles/iam.serviceAccountUser
)
- Logs Writer(
### Logs Writer
gcloud beta projects add-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/logging.logWriter" \
--project ${_gc_pj_id}
### Storage Admin
gcloud beta projects add-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/storage.admin" \
--project ${_gc_pj_id}
### Artifact Registry Writer
gcloud beta projects add-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/artifactregistry.writer" \
--project ${_gc_pj_id}
### Cloud Run Admin
gcloud beta projects add-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/run.admin" \
--project ${_gc_pj_id}
### Service Account User
gcloud beta projects add-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser" \
--project ${_gc_pj_id}
- Cloud Run 用の Service Account の作成をします
gcloud beta iam service-accounts create sa-${_common}-cloudrun \
--description="Cloud Run 毎に Service Account を付与する" \
--display-name="sa-${_common}-cloudbuild" \
--project ${_gc_pj_id}
- Service Account の確認をします
gcloud beta iam service-accounts describe \
sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com \
--project ${_gc_pj_id} \
--format json
- Role を付与します
今の所無し
- Cloud Storage Bucket の作成をします
export _region='asia-northeast1'
gcloud storage buckets create gs://${_gc_pj_id}-${_common} \
--default-storage-class Standard \
--location ${_region} \
--uniform-bucket-level-access \
--project ${_gc_pj_id}
- Artifact Registry のリポジトリの作成します
export _ar_repo_name=`echo ar-${_common}`
gcloud beta artifacts repositories create ${_ar_repo_name} \
--repository-format docker \
--location ${_region} \
--project ${_gc_pj_id}
Google Cloud と GitHub を連携します
下記の公式ドキュメントを参考に設定してください
### GitHub リポジトリに接続します
https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github
- Cloud Build Trigger の作成します
gcloud builds triggers create github \
--name cb-tr-${_common} \
--service-account projects/${_gc_pj_id}/serviceAccounts/sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com \
--repo-owner iganari \
--repo-name handson-build-ar-run \
--branch-pattern '^main$' \
--build-config ./cloudbuild.yaml \
--project ${_gc_pj_id} \
--substitutions _ARTIFACT_RRGISTRY_REPO_NAME=${_region}-docker.pkg.dev/${_gc_pj_id}/${_ar_repo_name},_CONTAINER_IMAGE_NAME=${_common},_RUN_SERVICE_NAME=run-${_common},_RUN_SERVICE_REGION=${_region},_RUN_SERVICE_PORT=80,_GCS_BUCKET=${_gc_pj_id}-${_common},_SERVICE_ACCOUNT=sa-${_common}-cloudrun@${_gc_pj_id}.iam.gserviceaccount.com
- 作成した Cloud Build の Trigger の RUN ボタンをクリックします
- 先に設定した値で実行します
- Build history のページにて実行されていることを確認します
- Cloud Run にデプロイされていることを確認します
- Cloud Run にデプロイされた Service を Web ブラウザで確認します
---> これで Cloud Run に意図したデプロイをすることが出来ました :)
ハンズオン終了後は不要なリソースは削除しましょう ;)
Cloud Run の Service の削除
gcloud run services delete run-${_common} --region ${_region} --project ${_gc_pj_id}
Cloud Build の Trigger の削除
gcloud builds triggers delete cb-tr-${_common} --project ${_gc_pj_id}
Artifact Registry の Repository の削除
gcloud beta artifacts repositories delete ${_ar_repo_name} \
--location ${_region} \
--project ${_gc_pj_id}
Google Cloud Storage の Bucket の削除
gcloud storage rm -r gs://${_gc_pj_id}-${_common} --project ${_gc_pj_id}
Service Account の削除
- Role の削除
### Logs Writer
gcloud beta projects remove-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/logging.logWriter" \
--project ${_gc_pj_id}
### Storage Admin
gcloud beta projects remove-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/storage.admin" \
--project ${_gc_pj_id}
### Artifact Registry Writer
gcloud beta projects remove-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/artifactregistry.writer" \
--project ${_gc_pj_id}
### Cloud Run Admin
gcloud beta projects remove-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/run.admin" \
--project ${_gc_pj_id}
### Service Account User
gcloud beta projects remove-iam-policy-binding ${_gc_pj_id} \
--member="serviceAccount:sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser" \
--project ${_gc_pj_id}
- Service Account の削除
gcloud beta iam service-accounts delete sa-${_common}-cloudbuild@${_gc_pj_id}.iam.gserviceaccount.com \
--project ${_gc_pj_id}
gcloud beta iam service-accounts delete sa-${_common}-cloudrun@${_gc_pj_id}.iam.gserviceaccount.com \
--project ${_gc_pj_id}