The recommended configuration is as follows:
- Cloud Run
- Cloud SQL
- Cloud SQL Connector
Here we describe how to deploy prel with these tools.
Table Of Contents
- Google OAuth Pattern
- Identity-Aware Proxy Pattern
see Start Manual
see Start Manual
You do not need to enter any URLs at this point.
Copy the Client ID and Client secret.
Enable the following APIs:
- Cloud SQL Admin API
- Cloud Resource Manager API
- Cloud Run API
- Identity and Access Management (IAM) API
Set your own values for these environment variables.
```shell
export PROJECT_ID=OWN_PROJECT_ID
export REGION=xxxx
```
Create the Cloud SQL instance.
```shell
gcloud sql instances create prel \
  --database-version=POSTGRES_15 \
  --tier=db-f1-micro \
  --region=${REGION} \
  --quiet \
  --project=${PROJECT_ID}
```
Once the instance is created, open the Cloud SQL page and set the password of the postgres user.
Then create the database prel.
```shell
gcloud sql databases create prel --instance prel --project "$PROJECT_ID"
```
Next, load the schema. gcloud sql connect temporarily authorizes your current IP address on the instance (for five minutes) and then prompts for the password; when the "password:" prompt appears, press Ctrl+C.
```shell
gcloud sql connect prel --database prel --project "$PROJECT_ID"
```
That temporary authorization is what allows you to connect to Cloud SQL from your own IP address with psql and apply the schema (x.x.x.x is the instance's public IP address):
```shell
psql "host=x.x.x.x port=5432 dbname=prel user=postgres password=xxxxxx" -f db/schema.sql
```
Create a service account for the Cloud Run service.
```shell
gcloud iam service-accounts create cloud-run-prel --project "$PROJECT_ID"
```
Then grant it the required roles. roles/cloudsql.client lets the Cloud SQL Connector reach the instance; roles/resourcemanager.projectIamAdmin lets the service account change the project's IAM policy, so keep this service account dedicated to prel.
```shell
gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:cloud-run-prel@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/cloudsql.client"
gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:cloud-run-prel@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/resourcemanager.projectIamAdmin"
```
First deploy a placeholder Cloud Run service to obtain its URL.
```shell
gcloud run deploy prel --image=nginx --port=80 --project "$PROJECT_ID" --region "$REGION"
```
See Allowing public (unauthenticated) access | Cloud Run Documentation | Google Cloud.
Cloud Run cannot pull container images from sources other than Google Cloud's Container Registry / Artifact Registry, so you need to push the image to a registry in your project yourself.
To download the image from ghcr, first log in with docker.
```shell
gh config get -h github.com oauth_token | docker login ghcr.io -u $(gh config get -h github.com user) --password-stdin
```
Then choose the version to download.
```shell
export IMAGE_VERSION=latest # example
```
Download the image.
```shell
docker pull ghcr.io/lirlia/prel:$IMAGE_VERSION
```
Set the destination registry for the push.
```shell
export IMAGE_REGISTRY=xxx
```
Tag the image.
```shell
docker tag ghcr.io/lirlia/prel:$IMAGE_VERSION "$IMAGE_REGISTRY/prel:$IMAGE_VERSION"
```
Then push it.
```shell
docker push "$IMAGE_REGISTRY/prel:$IMAGE_VERSION"
```
Then copy the Cloud Run app URL (for example https://prel-3r3rs7gmzq-an.a.run.app).
Copy the following deploy.yaml and replace the variables.
```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: all
  labels:
    cloud.googleapis.com/location: xxxx # <- set region
  name: prel
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "1"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      containers:
      - env:
        - name: PROJECT_ID
          value: xxxx # <- your google project id
        - name: NOTIFICATION_URL
          value: xxxx # <- Slack Incoming Webhook URL (if not set, notification is skipped)
        - name: AUTHENTICATION_TYPE
          value: google
        - name: CLIENT_SECRET
          value: xxxx # <- get from OAuth consent
        - name: CLIENT_ID
          value: xxxx # <- get from OAuth consent
        - name: URL
          value: xxxx # <- Cloud Run URL (like https://prel-3r3rs7gmzq-an.a.run.app)
        - name: DB_PASSWORD
          value: xxxx # <- get from Cloud SQL
        - name: DB_INSTANCE_CONNECTION
          value: xxxx # <- get from Cloud SQL
        - name: DB_TYPE
          value: cloud-sql-connector
        image: xxx # <- container image path
        name: prel-1
        ports:
        - containerPort: 8080
          name: http1
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
        startupProbe:
          failureThreshold: 1
          periodSeconds: 10
          tcpSocket:
            port: 8080
          timeoutSeconds: 10
      serviceAccountName: xxxx # <- cloud-run-prel service account
      timeoutSeconds: 300
  traffic:
  - latestRevision: true
    percent: 100
```
Deploy it.
```shell
gcloud run services replace deploy.yaml --project "$PROJECT_ID"
```
Add the following URLs to the client credentials (created in step 2).
* These are examples; set your own URLs.
That's all!
If you have concerns about globally publishing Cloud Run, consider placing a Load Balancer in front of Cloud Run and setting up an Identity-Aware Proxy.
See the links below; the rest of the procedure is the same as the Google OAuth Pattern.
- Setting up an external Application Load Balancer
- Set up a global external Application Load Balancer
- Managing access to IAP-secured resources
- Enabling IAP for Cloud Run
In this pattern, you need to set an Authorized redirect URI in the OAuth credentials, like:
https://iap.googleapis.com/v1/oauth/clientIds/[YOUR_CLIENT_ID]:handleRedirect
You need to follow the same procedure as the Google OAuth Pattern, starting from 3. Enable APIs.
The difference is deploy.yaml. Copy the following deploy.yaml and replace the variables.
```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: internal-and-cloud-load-balancing
    run.googleapis.com/ingress-status: internal-and-cloud-load-balancing
  labels:
    cloud.googleapis.com/location: xxxx # <- set region
  name: prel-with-iap
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "1"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      containers:
      - env:
        - name: PROJECT_ID
          value: xxxx # <- your google project id
        - name: NOTIFICATION_URL
          value: xxxx # <- Slack Incoming Webhook URL (if not set, notification is skipped)
        - name: AUTHENTICATION_TYPE
          value: iap
        - name: IAP_AUDIENCE
          value: /projects/xxxxxx/global/backendServices/xxxxxxxxxxxxxx # <- project number and backend service ID of the load balancer
        - name: URL
          value: xxxx # <- Cloud Run URL (like https://prel-3r3rs7gmzq-an.a.run.app)
        - name: DB_PASSWORD
          value: xxxx # <- get from Cloud SQL
        - name: DB_INSTANCE_CONNECTION
          value: xxxx # <- get from Cloud SQL
        - name: DB_TYPE
          value: cloud-sql-connector
        image: xxx # <- container image path
        name: prel-1
        ports:
        - containerPort: 8080
          name: http1
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
        startupProbe:
          failureThreshold: 1
          periodSeconds: 10
          tcpSocket:
            port: 8080
          timeoutSeconds: 10
      serviceAccountName: xxxx # <- cloud-run-prel service account
      timeoutSeconds: 300
  traffic:
  - latestRevision: true
    percent: 100
```
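As an added example (not part of the prel project), a pre-deploy check to run over either deploy.yaml above, the Google OAuth one or the IAP one, before `gcloud run services replace`: it reports leftover placeholders, variables missing for the chosen AUTHENTICATION_TYPE, an IAP manifest whose ingress is not restricted to the load balancer, and secrets pasted as literal values instead of Secret Manager references. It assumes the file has been loaded with PyYAML's yaml.safe_load; the sample manifest and its values are constructed.

```python
"""Pre-deploy checks for a prel deploy.yaml (added example; load the file with yaml.safe_load and pass the dict)."""
SECRET_VARS = {"CLIENT_SECRET", "DB_PASSWORD"}  # values that belong in Secret Manager, not in the manifest
COMMON = {"PROJECT_ID", "URL", "DB_PASSWORD", "DB_INSTANCE_CONNECTION", "DB_TYPE"}
PER_AUTH = {"google": {"CLIENT_ID", "CLIENT_SECRET"}, "iap": {"IAP_AUDIENCE"}}


def check_manifest(m: dict) -> list[str]:
    """Return findings for a Knative Service dict; an empty list means the manifest looks deployable."""
    findings = []
    meta, tmpl = m.get("metadata", {}), m.get("spec", {}).get("template", {}).get("spec", {})
    containers = tmpl.get("containers") or []
    if len(containers) != 1:
        return [f"expected exactly one container, found {len(containers)}"]
    env = {e["name"]: e for e in containers[0].get("env", [])}
    # 1. Every xxxx placeholder from the template must have been replaced (secretKeyRef entries carry no literal).
    literal = {k: e.get("value") for k, e in env.items() if "valueFrom" not in e}
    fields = {"location label": meta.get("labels", {}).get("cloud.googleapis.com/location"),
              "image": containers[0].get("image"), "serviceAccountName": tmpl.get("serviceAccountName"), **literal}
    findings += [f"{k}: placeholder or empty value" for k, v in fields.items() if not v or str(v).startswith("xxx")]
    # 2. AUTHENTICATION_TYPE selects which variables are mandatory.
    auth = literal.get("AUTHENTICATION_TYPE")
    if auth not in PER_AUTH:
        findings.append(f"AUTHENTICATION_TYPE must be google or iap, got {auth!r}")
    else:
        findings += [f"{v}: required for {auth} but missing" for v in sorted((PER_AUTH[auth] | COMMON) - set(env))]
    # 3. With IAP, a revision still reachable at its run.app URL would bypass the proxy: ingress must be LB-only.
    ingress = meta.get("annotations", {}).get("run.googleapis.com/ingress")
    if auth == "iap" and ingress != "internal-and-cloud-load-balancing":
        findings.append(f"ingress is {ingress!r}; the IAP pattern needs internal-and-cloud-load-balancing")
    # 4. A secret written as a literal value is visible to anyone who can read the revision; use secretKeyRef.
    findings += [f"{v}: literal value in manifest; use valueFrom.secretKeyRef" for v in sorted(SECRET_VARS & set(literal))]
    return findings


def sample_manifest(auth: str = "google", ingress: str = "all", client_secret: str = "example-secret") -> dict:
    """Constructed manifest mirroring the page's deploy.yaml with the placeholders filled in (sample data)."""
    env = {"PROJECT_ID": "my-project", "URL": "https://prel-example.a.run.app", "AUTHENTICATION_TYPE": auth,
           "DB_INSTANCE_CONNECTION": "my-project:asia-northeast1:prel", "DB_TYPE": "cloud-sql-connector"}
    env.update({"CLIENT_ID": "example-id", "CLIENT_SECRET": client_secret} if auth == "google"
               else {"IAP_AUDIENCE": "/projects/123456/global/backendServices/7890"})
    envs = [{"name": k, "value": v} for k, v in env.items()]
    # DB_PASSWORD is read from Secret Manager instead of being pasted into the manifest.
    envs.append({"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "prel-db-password", "key": "latest"}}})
    return {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
            "metadata": {"annotations": {"run.googleapis.com/ingress": ingress},
                         "labels": {"cloud.googleapis.com/location": "asia-northeast1"}, "name": "prel"},
            "spec": {"template": {"spec": {"serviceAccountName": "cloud-run-prel@my-project.iam.gserviceaccount.com",
                                           "containers": [{"image": "asia-docker.pkg.dev/my-project/prel/prel:latest",
                                                           "env": envs}]}}}}
```

Run `check_manifest(yaml.safe_load(open("deploy.yaml")))` and refuse to deploy while it returns anything; the sample shows that the Google OAuth manifest is flagged only for its literal CLIENT_SECRET, while an IAP manifest left with `ingress: all` is flagged for bypassable ingress.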