
Deploy Manual

The recommended configuration is:

  • Cloud Run
  • Cloud SQL
  • Cloud SQL Connector

This manual explains how to deploy prel with these components.

Google OAuth Pattern

[architecture diagram]

1. Create OAuth consent screen

see Start Manual

2. Create ClientID and ClientSecret

see Start Manual

You don't need to enter any Authorized redirect URIs yet; they are added in step 10.

Copy the Client ID and Client secret. The client secret is a credential: keep it out of version control and out of screenshots.

3. Enable APIs

4. Deploy Cloud SQL (Postgresql)

Set your own values, then create the instance:

```sh
export PROJECT_ID=OWN_PROJECT_ID
export REGION=xxxx
gcloud sql instances create prel \
  --database-version=POSTGRES_15 \
  --tier=db-f1-micro \
  --region=${REGION} \
  --quiet \
  --project=${PROJECT_ID}
```

After the instance is created, open the Cloud SQL page and set the password of the postgres user.

Then create the database prel. The database is addressed by instance name, so no region flag is passed:

```sh
gcloud sql databases create prel --instance prel --project "$PROJECT_ID"
```

Apply the schema.

```sh
gcloud sql connect prel --database prel --project "$PROJECT_ID"
```

`gcloud sql connect` adds your current public IP to the instance's authorized networks (the entry expires after about five minutes) and then starts psql. When psql prompts `password:`, press Ctrl+C; the temporary allowlist entry is all we need from it.

While that entry is valid the instance accepts connections from your own IP address, so apply the schema with psql against the instance's public IP:

```sh
psql "host=x.x.x.x port=5432 dbname=prel user=postgres password=xxxxxx" -f db/schema.sql
```

A password given inline like this ends up in your shell history and is visible to other users of the machine via `ps`; prefer passing it through the PGPASSWORD environment variable or a ~/.pgpass file.
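A safer way to run the schema step, added here as an example and not part of the prel project: instead of interrupting `gcloud sql connect` and re-entering the password on a psql command line, pipe the schema into the psql that `gcloud sql connect` launches, with the password read without echo and handed over through PGPASSWORD. It assumes `gcloud sql connect` passes its stdin and environment through to psql, and that PROJECT_ID is exported as in step 4.

```shell
#!/usr/bin/env bash
# Added example (not part of the prel project): apply db/schema.sql through
# `gcloud sql connect` itself, so the password never appears on a command line
# and no Ctrl+C / manual IP step is needed.
set -eu

# The file must exist, be non-empty and contain at least one CREATE statement;
# a wrong path would otherwise "succeed" while applying nothing.
check_schema_file() {
  [ -s "$1" ] && grep -qiE '^[[:space:]]*CREATE[[:space:]]+(TABLE|SCHEMA|INDEX|TYPE|EXTENSION)' "$1"
}

# Emit the script psql should run: stop at the first error instead of silently
# continuing with a half-applied schema, then the schema itself.
schema_script() {
  printf '\\set ON_ERROR_STOP on\n'
  cat "$1"
}

apply_schema() {
  local instance="$1" dbname="$2" schema="$3"
  check_schema_file "$schema" || { echo "refusing: $schema missing or has no CREATE statements" >&2; return 1; }

  # Read the password without echo (bash `read -s`); it reaches psql only via
  # the PGPASSWORD variable libpq understands, never via argv.
  local pw
  read -rs -p "postgres password: " pw; echo

  # gcloud sql connect allowlists the caller's public IP on the instance for
  # roughly five minutes and then starts psql. Assumption: gcloud passes its own
  # stdin and environment through to psql, so psql reads the script from stdin
  # and the password from PGPASSWORD instead of prompting.
  schema_script "$schema" | PGPASSWORD="$pw" gcloud sql connect "$instance" \
      --database="$dbname" --user=postgres --project="$PROJECT_ID" --quiet
}

# Runs only as `./apply_schema.sh apply`; sourcing the file just defines the helpers.
if [ "${1:-}" = "apply" ]; then
  apply_schema prel prel db/schema.sql
fi
```

Run it from the repository root as `./apply_schema.sh apply`. Because the password lives only in the environment of the psql process, it never lands in shell history, and ON_ERROR_STOP makes a failing statement abort the run rather than leave a partially applied schema behind.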

5. Create Service Account

```sh
gcloud iam service-accounts create cloud-run-prel --project "$PROJECT_ID"
```

Grant it the roles it needs:

```sh
gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:cloud-run-prel@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/cloudsql.client"

gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:cloud-run-prel@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/resourcemanager.projectIamAdmin"
```

roles/cloudsql.client is what the Cloud SQL Connector needs to open connections. roles/resourcemanager.projectIamAdmin lets the application modify the project's IAM policy, which means that anyone who can run code inside this service, or who obtains its access token from the metadata server, can grant any project role to any principal. Use this service account for prel only, never as the default identity of other Cloud Run services, and do not attach further roles to it.

6. Deploy Cloud Run

First deploy a placeholder service (nginx from Docker Hub) so that Cloud Run assigns the service URL, which step 9 needs:

```sh
gcloud run deploy prel --image=nginx --port=80 --project "$PROJECT_ID" --region "$REGION"
```

7. Allowing public (unauthenticated) access

see Allowing public (unauthenticated) access in the Cloud Run documentation.

Once the service is public, the application's Google login is the only access control in front of it. If that is not acceptable, use the Identity-Aware Proxy pattern described later on this page.

8. Push Image to own Image Registry

Cloud Run can only pull container images from Artifact Registry, Container Registry or Docker Hub (step 6 pulled nginx from Docker Hub). It cannot pull from ghcr.io, so you need to copy the image into your own registry.

To download the image from ghcr.io, first log in to ghcr.io with docker, using the token held by the gh CLI:

```sh
gh config get -h github.com oauth_token | docker login ghcr.io -u $(gh config get -h github.com user) --password-stdin
```

Then choose the version to download. `latest` is a moving tag; for a production deployment pick a specific release so that a later re-push cannot silently change what runs:

```sh
export IMAGE_VERSION=latest # example
```

Download the image:

```sh
docker pull ghcr.io/lirlia/prel:$IMAGE_VERSION
```

Set the destination registry for the push (for example an Artifact Registry repository path):

```sh
export IMAGE_REGISTRY=xxx
```

Tag the image:

```sh
docker tag ghcr.io/lirlia/prel:$IMAGE_VERSION "$IMAGE_REGISTRY/prel:$IMAGE_VERSION"
```

Then push it:

```sh
docker push "$IMAGE_REGISTRY/prel:$IMAGE_VERSION"
```
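Mirroring a moving tag re-creates the supply-chain problem a private registry is meant to avoid: whoever can push `latest` upstream, or into your registry, changes what the next revision runs. The script below, an added example that is not the project's own tooling, copies the image and prints a digest-pinned reference (`.../prel@sha256:...`) to put in the `image:` field of deploy.yaml. It assumes IMAGE_REGISTRY is exported as above and that docker is logged in to both registries.

```shell
#!/usr/bin/env bash
# Added example (not part of the prel project): copy ghcr.io/lirlia/prel into your
# own registry and produce a digest-pinned reference for deploy.yaml, so the
# deployed image cannot change underneath you when the upstream tag moves.
set -eu

SRC_REPO="ghcr.io/lirlia/prel"
DST_REPO="${IMAGE_REGISTRY:-}/prel"   # IMAGE_REGISTRY as set in step 8

# A registry content digest is "sha256:" followed by exactly 64 hex digits.
is_digest() {
  printf '%s' "$1" | grep -qE '^sha256:[0-9a-f]{64}$'
}

# Immutable reference REPO@sha256:... for the `image:` field; refuses tags.
digest_ref() {
  local repo="$1" digest="$2"
  is_digest "$digest" || { echo "not a content digest: $digest" >&2; return 1; }
  printf '%s@%s' "$repo" "$digest"
}

# Digest of IMAGE as served by the registry named in REPO. docker records it in
# RepoDigests after a pull or push; the local image ID is a different value.
repo_digest() {
  local image="$1" repo="$2"
  docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$image" \
    | grep "^$repo@" | head -n 1 | sed 's/^.*@//'
}

copy_image() {
  local version="$1" src_digest dst_digest
  docker pull "$SRC_REPO:$version"
  src_digest="$(repo_digest "$SRC_REPO:$version" "$SRC_REPO")"
  echo "upstream $SRC_REPO:$version resolved to $src_digest" >&2

  # Tag, push, then read back what the destination registry stored. docker pull
  # fetches only this platform's manifest, so the pushed digest can differ from
  # a multi-arch index digest upstream; deploy.yaml must reference the manifest
  # that was actually pushed, which is what repo_digest returns here.
  docker tag "$SRC_REPO:$version" "$DST_REPO:$version"
  docker push "$DST_REPO:$version"
  dst_digest="$(repo_digest "$DST_REPO:$version" "$DST_REPO")"

  # Print the pinned reference; paste it into deploy.yaml's `image:` field.
  digest_ref "$DST_REPO" "$dst_digest"
}

if [ "${1:-}" = "copy" ]; then
  [ -n "${IMAGE_REGISTRY:-}" ] || { echo "set IMAGE_REGISTRY first" >&2; exit 1; }
  copy_image "${IMAGE_VERSION:-latest}"
fi
```

Run it as `IMAGE_VERSION=... ./copy_image.sh copy`. Deploying by digest instead of by tag means a revision is tied to exactly the bytes you reviewed; a new upstream release then becomes a deliberate re-run of this script and a new deploy.yaml, not something that happens on the next rollout.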

9. Re-deploy Cloud Run

Copy the Cloud Run service URL assigned in step 6 (it looks like https://prel-3r3rs7gmzq-an.a.run.app).

Then copy the following deploy.yaml and replace the placeholders. Note that CLIENT_SECRET and DB_PASSWORD are written here as plain environment variables: they end up in the revision spec, readable by anyone allowed to describe the service, and in this file, so keep deploy.yaml out of version control or reference Secret Manager secrets instead of literal values.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: all
  labels:
    cloud.googleapis.com/location: xxxx <- set region
  name: prel
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "1"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      containers:
        - env:
            - name: PROJECT_ID
              value: xxxx <- your google project id
            - name: NOTIFICATION_URL
              value: xxxx <- Slack Incoming Webhook URL (if not set, notifications are skipped)
            - name: AUTHENTICATION_TYPE
              value: google
            - name: CLIENT_SECRET
              value: xxxx <- from the OAuth client created in step 2
            - name: CLIENT_ID
              value: xxxx <- from the OAuth client created in step 2
            - name: URL
              value: xxxx <- Cloud Run URL (like https://prel-3r3rs7gmzq-an.a.run.app)
            - name: DB_PASSWORD
              value: xxxx <- postgres password set in step 4
            - name: DB_INSTANCE_CONNECTION
              value: xxxx <- instance connection name from Cloud SQL (project:region:instance)
            - name: DB_TYPE
              value: cloud-sql-connector
          image: xxx <- container image path
          name: prel-1
          ports:
            - containerPort: 8080
              name: http1
          resources:
            limits:
              cpu: 1000m
              memory: 512Mi
          startupProbe:
            failureThreshold: 1
            periodSeconds: 10
            tcpSocket:
              port: 8080
            timeoutSeconds: 10
      serviceAccountName: xxxx <- cloud-run-prel service account
      timeoutSeconds: 300
  traffic:
    - latestRevision: true
      percent: 100
```

Deploy it:

```sh
gcloud run services replace deploy.yaml --project "$PROJECT_ID"
```
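As an added example, not part of the prel project, the following script moves the two secrets out of deploy.yaml into Secret Manager, lets only the cloud-run-prel service account read them, and attaches them to the service as secret-backed environment variables. The secret IDs prel-client-secret and prel-db-password are names chosen here; PROJECT_ID and REGION are assumed to be exported as in step 4.

```shell
#!/usr/bin/env bash
# Added example (not part of the prel project): keep CLIENT_SECRET and DB_PASSWORD
# out of deploy.yaml by storing them in Secret Manager and exposing them to the
# service as environment variables backed by secret versions.
set -eu

SA="cloud-run-prel@${PROJECT_ID:-}.iam.gserviceaccount.com"

# Secret Manager secret IDs: letters, digits, '-' and '_' only, 1..255 chars.
valid_secret_id() {
  printf '%s' "$1" | grep -qE '^[A-Za-z0-9_-]{1,255}$'
}

# Build the --update-secrets value from ENV=secret-id pairs, pinning each to
# :latest. Pin a numeric version instead if rotation should be an explicit deploy.
update_secrets_arg() {
  local out="" pair
  for pair in "$@"; do
    case "$pair" in *=*) ;; *) echo "expected ENV=secret-id, got $pair" >&2; return 1 ;; esac
    valid_secret_id "${pair#*=}" || { echo "invalid secret id in $pair" >&2; return 1; }
    out="${out:+$out,}${pair}:latest"
  done
  printf '%s' "$out"
}

# Create a secret whose value comes from stdin (never from argv), and allow only
# the Cloud Run runtime service account to read it.
create_secret() {
  local id="$1"
  valid_secret_id "$id" || return 1
  gcloud secrets create "$id" --project="$PROJECT_ID" --replication-policy=automatic --data-file=-
  gcloud secrets add-iam-policy-binding "$id" --project="$PROJECT_ID" \
    --member="serviceAccount:$SA" --role="roles/secretmanager.secretAccessor"
}

if [ "${1:-}" = "run" ]; then
  read -rs -p "OAuth client secret: " v; echo; printf '%s' "$v" | create_secret prel-client-secret
  read -rs -p "postgres password: " v; echo; printf '%s' "$v" | create_secret prel-db-password
  unset v
  # Replaces the plaintext CLIENT_SECRET / DB_PASSWORD env entries on the
  # running service with references to the secrets.
  gcloud run services update prel --project="$PROJECT_ID" --region="$REGION" \
    --update-secrets="$(update_secrets_arg CLIENT_SECRET=prel-client-secret DB_PASSWORD=prel-db-password)"
  # Export the resulting spec: its env entries now use valueFrom.secretKeyRef,
  # which you can paste into deploy.yaml in place of the literal values.
  gcloud run services describe prel --project="$PROJECT_ID" --region="$REGION" --format=export
fi
```

Run it with `./secrets.sh run`. Afterwards delete the literal CLIENT_SECRET and DB_PASSWORD entries from deploy.yaml and replace them with the `valueFrom` entries printed by the final describe command; otherwise the next `gcloud run services replace` reinstates the plaintext values.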

10. Add Authorized redirect URL

Add the application's callback URL, derived from the Cloud Run URL you set as `URL` in deploy.yaml, to the Authorized redirect URIs of the client credentials created in step 2.

The redirect URIs must match your own service URL exactly; any example values shown are only examples.

That's all!

Identity-Aware Proxy Pattern

If exposing Cloud Run to the whole Internet is a concern, place an external HTTPS load balancer in front of it and enable Identity-Aware Proxy (IAP) on the backend, so that Google authenticates users before a request ever reaches the service.

[architecture diagram]

1. Deploy Load Balancer and Set Identity-Aware Proxy

See below; everything else is the same as the Google OAuth Pattern.

In this pattern the Authorized redirect URI on the OAuth credentials is IAP's own redirect handler rather than the application's:

https://iap.googleapis.com/v1/oauth/clientIds/[YOUR_CLIENT_ID]:handleRedirect

2. Prepare

Follow the Google OAuth Pattern from step 3 (Enable APIs) onward.

The one difference is deploy.yaml. Copy the following and replace the placeholders. Two settings matter for security here: the ingress is `internal-and-cloud-load-balancing`, so the service's run.app URL cannot be called directly and every request must pass through the load balancer and IAP; and IAP_AUDIENCE is the expected `aud` of the JWT that IAP attaches in the `x-goog-iap-jwt-assertion` header. That audience is built from the project number and the numeric ID of the load balancer's backend service, not from the project ID or the backend's name.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: internal-and-cloud-load-balancing
    run.googleapis.com/ingress-status: internal-and-cloud-load-balancing
  labels:
    cloud.googleapis.com/location: xxxx <- set region
  name: prel-with-iap
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "1"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      containers:
        - env:
            - name: PROJECT_ID
              value: xxxx <- your google project id
            - name: NOTIFICATION_URL
              value: xxxx <- Slack Incoming Webhook URL (if not set, notifications are skipped)
            - name: AUTHENTICATION_TYPE
              value: iap
            - name: IAP_AUDIENCE
              value: /projects/xxxxxx/global/backendServices/xxxxxxxxxxxxxx <- project NUMBER and numeric backend service ID
            - name: URL
              value: xxxx <- Cloud Run URL (like https://prel-3r3rs7gmzq-an.a.run.app)
            - name: DB_PASSWORD
              value: xxxx <- postgres password set in step 4
            - name: DB_INSTANCE_CONNECTION
              value: xxxx <- instance connection name from Cloud SQL (project:region:instance)
            - name: DB_TYPE
              value: cloud-sql-connector
          image: xxx <- container image path
          name: prel-1
          ports:
            - containerPort: 8080
              name: http1
          resources:
            limits:
              cpu: 1000m
              memory: 512Mi
          startupProbe:
            failureThreshold: 1
            periodSeconds: 10
            tcpSocket:
              port: 8080
            timeoutSeconds: 10
      serviceAccountName: xxxx <- cloud-run-prel service account
      timeoutSeconds: 300
  traffic:
    - latestRevision: true
      percent: 100
```
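The two numbers in IAP_AUDIENCE are easy to get wrong (project ID instead of project number, backend name instead of its numeric ID), and a wrong audience means every IAP JWT fails verification. This added helper, which is not part of the prel project, resolves and validates both; the backend service name prel-backend is an assumed placeholder for the global backend service created in step 1, and PROJECT_ID is assumed to be exported.

```shell
#!/usr/bin/env bash
# Added example (not part of the prel project): derive the exact IAP_AUDIENCE
# string deploy.yaml needs, from the project NUMBER and the numeric ID of the
# load balancer backend service that fronts Cloud Run.
set -eu

# IAP signs its JWT (x-goog-iap-jwt-assertion header) with
#   aud = /projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID
# Both parts are numeric; a project ID or a backend name in either slot yields an
# audience that never matches, so reject anything non-numeric up front.
iap_audience() {
  local project_number="$1" backend_id="$2"
  printf '%s' "$project_number" | grep -qE '^[0-9]+$' \
    || { echo "project number must be numeric: $project_number" >&2; return 1; }
  printf '%s' "$backend_id" | grep -qE '^[0-9]+$' \
    || { echo "backend service id must be numeric: $backend_id" >&2; return 1; }
  printf '/projects/%s/global/backendServices/%s' "$project_number" "$backend_id"
}

# Look both numbers up. BACKEND_NAME is the global backend service created for
# the load balancer in step 1 (the default below is an assumed name).
resolve_iap_audience() {
  local backend_name="$1" pn bid
  pn="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  bid="$(gcloud compute backend-services describe "$backend_name" --global \
           --project="$PROJECT_ID" --format='value(id)')"
  iap_audience "$pn" "$bid"
}

if [ "${1:-}" = "resolve" ]; then
  resolve_iap_audience "${2:-prel-backend}"
fi
```

Run `./iap_audience.sh resolve <backend-service-name>` and paste the printed value into the IAP_AUDIENCE entry. Keep the ingress restriction in place as well: audience checking only proves a request came through IAP if the run.app URL is unreachable by any other path.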