feat: Add VPC connectivity configuration for Cloud Run deployments

- Introduce new flags for VPC network, subnetwork, connector, and egress settings
- Add support for configuring VPC connectivity in Cloud Run services
- Implement VPC-related options in deployment configuration
- Update service definition to set VPC network interfaces and access annotations
- Enhance deployment flexibility with advanced network configuration options

cmd/cloud-run/deploy.go

@@ -63,6 +63,12 @@ Access and Traffic Configuration:
 - --default-url                Use the default URL for the service (default)
 - --no-default-url             Disable the default URL for the service
 
+VPC Connectivity:
+- --vpc-connector              The VPC connector to use for this service
+- --vpc-network                The VPC network to connect to
+- --vpc-subnetwork             The VPC subnetwork to connect to
+- --vpc-egress                 VPC egress setting (private-ranges-only or all-traffic)
+
 Examples:
   # Deploy from container image
   cloud-run deploy --project-id=my-project --region=us-central1 --service=myapp --image=gcr.io/myproject/myapp:v1
@@ -109,6 +115,12 @@ Examples:
 	deployCmd.Flags().BoolVar(&opts.DefaultURL, "default-url", true, "Use the default URL for the service")
 	deployCmd.Flags().Bool("no-default-url", false, "Disable the default URL for the service")
 
+	// Add VPC connectivity flags
+	deployCmd.Flags().StringVar(&opts.VpcConnector, "vpc-connector", "", "The VPC connector to use for this service")
+	deployCmd.Flags().StringVar(&opts.VpcNetwork, "vpc-network", "default", "The VPC network to connect to")
+	deployCmd.Flags().StringVar(&opts.VpcSubnetwork, "vpc-subnetwork", "default", "The VPC subnetwork to connect to")
+	deployCmd.Flags().StringVar(&opts.VpcEgress, "vpc-egress", "private-ranges-only", "VPC egress setting (private-ranges-only or all-traffic)")
+
 	// Link the no-default-url flag to DefaultURL
 	deployCmd.PreRunE = func(cmd *cobra.Command, args []string) error {
 		noDefaultURL, _ := cmd.Flags().GetBool("no-default-url")

cmd/cloud-run/pkg/config/config.go

@@ -36,4 +36,10 @@ type DeployOptions struct {
 	AllowUnauthenticated bool   // Whether to allow unauthenticated access (if false, --no-allow-unauthenticated)
 	Ingress              string // Ingress setting: all, internal, or internal-and-cloud-load-balancing
 	DefaultURL           bool   // Whether to use the default URL (if false, --no-default-url)
+
+	// VPC connectivity configuration
+	VpcConnector  string // VPC connector to use, empty means no VPC connector
+	VpcNetwork    string // VPC network name, typically "default"
+	VpcSubnetwork string // VPC subnetwork name, typically "default"
+	VpcEgress     string // VPC egress setting: "private-ranges-only" or "all-traffic"
 }

cmd/cloud-run/pkg/deploy/deploy.go

@@ -31,6 +31,14 @@ import (
 	"google.golang.org/api/run/v2"
 )
 
+// VpcConfig represents the VPC connectivity configuration
+type VpcConfig struct {
+	Network    string `json:"network"`
+	Subnetwork string `json:"subnetwork"`
+	// Egress can be "all-traffic" or "private-ranges-only"
+	Egress string `json:"egress"`
+}
+
 // CreateOrUpdateService deploys a service to Cloud run. If the service
 // doesn't exist, it creates a new one. If the service exists, it updates the
 // existing service with the config.DeployOptions.
@@ -986,6 +994,23 @@ func updateServiceWithOptionsV2(service *run.GoogleCloudRunV2Service, opts confi
 		service.DefaultUriDisabled = false
 		log.Println("Enabling the default URL")
 	}
+
+	// Configure VPC connectivity if specified
+	if opts.VpcNetwork != "" && opts.VpcSubnetwork != "" {
+		log.Printf("Setting VPC network interfaces to network: %s, subnetwork: %s\n", opts.VpcNetwork, opts.VpcSubnetwork)
+		networkInterfaceJSON := fmt.Sprintf(`[{"network":"%s","subnetwork":"%s"}]`, opts.VpcNetwork, opts.VpcSubnetwork)
+		setAnnotation(service, "run.googleapis.com/network-interfaces", networkInterfaceJSON)
+	}
+
+	if opts.VpcEgress != "" {
+		log.Printf("Setting VPC egress to %s\n", opts.VpcEgress)
+		setAnnotation(service, "run.googleapis.com/vpc-access-egress", opts.VpcEgress)
+	}
+
+	if opts.VpcConnector != "" {
+		log.Printf("Setting VPC connector to %s\n", opts.VpcConnector)
+		setAnnotation(service, "run.googleapis.com/vpc-access-connector", opts.VpcConnector)
+	}
 }
 
 // processSecretsV2 processes secrets for environment variables and mounted volumes using the v2 API
@@ -1167,10 +1192,35 @@ func buildServiceDefinitionV2(projectID string, opts config.DeployOptions) *run.
 		log.Println("Enabling the default URL")
 	}
 
+	// Configure VPC connectivity if specified
+	if opts.VpcNetwork != "" && opts.VpcSubnetwork != "" {
+		log.Printf("Setting VPC network interfaces to network: %s, subnetwork: %s\n", opts.VpcNetwork, opts.VpcSubnetwork)
+		networkInterfaceJSON := fmt.Sprintf(`[{"network":"%s","subnetwork":"%s"}]`, opts.VpcNetwork, opts.VpcSubnetwork)
+		setAnnotation(service, "run.googleapis.com/network-interfaces", networkInterfaceJSON)
+	}
+
+	if opts.VpcEgress != "" {
+		log.Printf("Setting VPC egress to %s\n", opts.VpcEgress)
+		setAnnotation(service, "run.googleapis.com/vpc-access-egress", opts.VpcEgress)
+	}
+
+	if opts.VpcConnector != "" {
+		log.Printf("Setting VPC connector to %s\n", opts.VpcConnector)
+		setAnnotation(service, "run.googleapis.com/vpc-access-connector", opts.VpcConnector)
+	}
+
 	// Process secrets if specified
 	if opts.Secrets != nil && len(opts.Secrets) > 0 {
 		processSecretsV2(service, opts.Secrets)
 	}
 
 	return service
 }
+
+// Helper function to set annotations on a service
+func setAnnotation(service *run.GoogleCloudRunV2Service, key, value string) {
+	if service.Annotations == nil {
+		service.Annotations = make(map[string]string)
+	}
+	service.Annotations[key] = value
+}