# Berglas Cloud Run Example - Go
This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.
1. Make sure you are in the `examples/cloudrun/go` folder before continuing!

2. Export the environment variables for your configuration:

    Using Secret Manager storage:

    ```text
    export PROJECT_ID=my-project
    ```

    Using Cloud Storage storage:

    ```text
    export PROJECT_ID=my-project
    export BUCKET_ID=my-bucket
    export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
    ```

3. Create two secrets using the `berglas` CLI (see the README for installation instructions):

    Using Secret Manager storage:

    ```text
    berglas create sm://${PROJECT_ID}/api-key "xxx-yyy-zzz"
    berglas create sm://${PROJECT_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..."
    ```

    Using Cloud Storage storage:

    ```text
    berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \
      --key ${KMS_KEY}
    berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \
      --key ${KMS_KEY}
    ```

4. Create a dedicated service account for the Cloud Run service:

    ```text
    gcloud iam service-accounts create "cloudrun-berglas-go" \
      --project ${PROJECT_ID}

    export SA_EMAIL=cloudrun-berglas-go@${PROJECT_ID}.iam.gserviceaccount.com
    ```

5. Grant the service account access to the secrets:

    Using Secret Manager storage:

    ```text
    berglas grant sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    ```

    Using Cloud Storage storage:

    ```text
    berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    ```

6. Build a container using Cloud Build and publish it to Container Registry:

    ```text
    gcloud builds submit \
      --project ${PROJECT_ID} \
      --tag gcr.io/${PROJECT_ID}/berglas-example-go:0.0.1 \
      .
    ```

7. Deploy the container on Cloud Run:

    ```text
    gcloud run deploy berglas-example-go \
      --project ${PROJECT_ID} \
      --platform managed \
      --region us-central1 \
      --image gcr.io/${PROJECT_ID}/berglas-example-go:0.0.1 \
      --memory 1G \
      --concurrency 10 \
      --set-env-vars "API_KEY=berglas://${BUCKET_ID}/api-key,TLS_KEY=berglas://${BUCKET_ID}/tls-key?destination=tempfile" \
      --service-account ${SA_EMAIL} \
      --allow-unauthenticated
    ```

8. Access the service:

    ```text
    curl $(gcloud run services describe berglas-example-go \
      --project ${PROJECT_ID} \
      --platform managed \
      --region us-central1 \
      --format 'value(status.address.url)')
    ```

9. (Optional) Clean up the deployment:

    ```text
    gcloud run services delete berglas-example-go \
      --quiet \
      --platform managed \
      --project ${PROJECT_ID} \
      --region us-central1

    IMAGE=gcr.io/${PROJECT_ID}/berglas-example-go
    for DIGEST in $(gcloud container images list-tags ${IMAGE} --format='get(digest)'); do
      gcloud container images delete --quiet --force-delete-tags "${IMAGE}@${DIGEST}"
    done
    ```

10. (Optional) Revoke access to the secrets:

    Using Secret Manager storage:

    ```text
    berglas revoke sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    ```

    Using Cloud Storage storage:

    ```text
    berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
    berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
    ```

11. (Optional) Delete the service account:

    ```text
    gcloud iam service-accounts delete "${SA_EMAIL}" \
      --quiet \
      --project ${PROJECT_ID}
    ```