
First steps to deploying on Cloud Run

Published 2023/06/27

Notes because I always forget.
Especially the ServiceAccount part.

Create a repository in Artifact Registry

gcloud artifacts repositories create <REPOSITORY> --location=asia-northeast1 --repository-format=docker

Push to Artifact Registry

docker tag <TARGET> asia-northeast1-docker.pkg.dev/<PROJECT>/<REPOSITORY>/<IMAGE>:<TAG>
docker push asia-northeast1-docker.pkg.dev/<PROJECT>/<REPOSITORY>/<IMAGE>:<TAG>

Register a value in Secret Manager

echo -n "<VALUE>" | gcloud secrets create <NAME> --data-file=-

Create a ServiceAccount for running Cloud Run

gcloud iam service-accounts create my-sa1 --display-name "My Service Account1"

Two roles need to be bound

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member serviceAccount:my-sa1@YOUR_PROJECT_ID.iam.gserviceaccount.com \
    --role roles/secretmanager.secretAccessor

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member serviceAccount:my-sa1@YOUR_PROJECT_ID.iam.gserviceaccount.com \
    --role roles/run.invoker
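An added example, not part of the original post: the project-level binding above lets the service account read every secret in the project. The script below instead grants roles/secretmanager.secretAccessor on the named secrets only (gcloud secrets add-iam-policy-binding), validates secret names before they reach a command line, and runs in dry-run mode by default so the generated commands can be reviewed first. YOUR_PROJECT_ID, my-sa1 and the secret names db-password and api-key are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): bind secretAccessor on the
# individual secrets the service needs instead of on the whole project, with a
# dry-run mode so the commands can be reviewed before they touch IAM.
# YOUR_PROJECT_ID, my-sa1 and the secret names below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-YOUR_PROJECT_ID}"
SA_NAME="${SA_NAME:-my-sa1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = run them

# Either print the command (dry run) or execute it. Arguments are passed as an
# argv list, never through eval, so values are not re-parsed by the shell.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# The member form IAM expects for a service account in this project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Secret Manager secret IDs consist of letters, digits, '_' and '-' (max 255);
# anything else is rejected before it reaches a command line.
is_valid_secret_name() {
  [ -n "$1" ] && [ "${#1}" -le 255 ] || return 1
  case "$1" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# grant_secret_accessor <sa-name> <project> <secret>...
# One secret-level binding per secret: the runtime identity can read exactly
# the secrets listed here and nothing else in the project.
grant_secret_accessor() {
  sa="$1"; project="$2"; shift 2
  member="serviceAccount:$(sa_email "$sa" "$project")"
  for secret in "$@"; do
    is_valid_secret_name "$secret" || {
      printf 'rejected secret name: %s\n' "$secret" >&2
      return 1
    }
    run gcloud secrets add-iam-policy-binding "$secret" \
      --project="$project" \
      --member="$member" \
      --role=roles/secretmanager.secretAccessor
  done
}

# Review step: show who can read a secret after the change.
show_secret_policy() {
  run gcloud secrets get-iam-policy "$1" --project="$2"
}

grant_secret_accessor "$SA_NAME" "$PROJECT_ID" db-password api-key
show_secret_policy db-password "$PROJECT_ID"
```

Run it as-is to see the commands it would issue; set DRY_RUN=0 (and PROJECT_ID, SA_NAME) to apply them. The secrets named in --set-secrets at deploy time are the ones that need a binding.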

Create a Service on Cloud Run and deploy

Configured with CPU: 1, MEM: 512M, CPU allocated only while processing requests, instances: 0 to 3, and so on.
Set SERVICE_ACCOUNT to the my-sa1@YOUR_PROJECT_ID.iam.gserviceaccount.com value created above.

Example:

  • TARGET_NAME=sample (the Cloud Run service name)
  • SERVICE_ACCOUNT=<user>@<project>.iam.gserviceaccount.com
gcloud run deploy <TARGET_NAME> \
  --image <IMAGE_URI> \
  --region asia-northeast1 \
  --set-secrets <SECRET_NAME1>=<SECRET_NAME1>:latest,<SECRET_NAME2>=<SECRET_NAME2>:latest \
  --service-account <SERVICE_ACCOUNT> \
  --cpu-throttling \
  --cpu-boost \
  --cpu 1 \
  --memory 512Mi \
  --allow-unauthenticated \
  --min-instances 0 \
  --max-instances 3 \
  --port 8080 \
  --timeout 300 \
  --concurrency 80

Update the Cloud Run health check settings

gcloud run services describe <SERVICE_NAME> --format export --region asia-northeast1 > service.yaml

This produces a service.yaml like the one below, so:

  1. Change the revision name (name: myapi-00001-aaa) (1)
  2. Under startupProbe, write the httpGet health check settings (2)
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
...
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: '3'
        run.googleapis.com/client-name: gcloud
        run.googleapis.com/client-version: 430.0.0
        run.googleapis.com/cpu-throttling: 'true'
        run.googleapis.com/startup-cpu-boost: 'true'
      labels:
        run.googleapis.com/startupProbeType: Default
...(1)
      name: myapi-00001-aaa
    spec:
      containerConcurrency: 80
      containers:
...
        resources:
          limits:
            cpu: '1'
            memory: 512Mi
...(2)
        startupProbe:
          httpGet:
            path: /health
          initialDelaySeconds: 10
          timeoutSeconds: 240
          periodSeconds: 240
          failureThreshold: 1
...
      serviceAccountName: xxx@xxx.iam.gserviceaccount.com
      timeoutSeconds: 300
  traffic:
  - latestRevision: true
    percent: 100

Once that is written, run the command below to update the service and apply the health check settings.

gcloud run services replace service.yaml
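An added example, not part of the original post, that applies edits (1) and (2) to the exported service.yaml with a script and checks that the manifest pins the dedicated service account before it is handed to gcloud run services replace (when serviceAccountName is absent, Cloud Run runs the revision as the project's default compute service account). It assumes the layout gcloud run services describe --format export produces, as shown above: the revision name at six-space indentation, the first container's startupProbe at eight. The manifest inside the block is a constructed, trimmed copy of that export; PROJECT, REPO and the service account address are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): script the two manual edits to an
# exported service.yaml and refuse manifests that still run as the default
# compute identity. Assumes the `--format export` layout (revision name at
# 6-space indent, first container's startupProbe at 8-space indent).
set -eu

# patch_service_yaml <new-revision-name> <health-path>  (manifest on stdin)
# Edit (1): rewrite spec.template.metadata.name, since a changed spec needs a
# new revision name. Edit (2): replace the first container's startupProbe
# (the tcpSocket default) with an httpGet probe. Exits 1 if either anchor is
# missing, so a changed export layout is noticed instead of applied blindly.
patch_service_yaml() {
  awk -v rev="$1" -v hpath="$2" '
    function emit_probe() {
      print "        startupProbe:"
      print "          httpGet:"
      print "            path: " hpath
      print "          initialDelaySeconds: 10"
      print "          timeoutSeconds: 240"
      print "          periodSeconds: 240"
      print "          failureThreshold: 1"
      probe_done = 1
    }
    # revision name: first name: key at 6-space indent
    /^      name: / && !name_done { print "      name: " rev; name_done = 1; next }
    # existing probe block: drop it and its nested lines, emit ours instead
    /^        startupProbe:/ && !probe_done { emit_probe(); skipping = 1; next }
    skipping && /^          / { next }
    { skipping = 0; print }
    END { if (!name_done || !probe_done) exit 1 }
  '
}

# check_runtime_sa  (manifest on stdin)
# Fail unless serviceAccountName is set to something other than the project
# default compute account (<number>-compute@developer.gserviceaccount.com).
check_runtime_sa() {
  sa="$(awk '/^      serviceAccountName: / { print $2 }')"
  case "$sa" in
    '') echo 'serviceAccountName missing: default compute SA would be used' >&2; return 1 ;;
    *-compute@developer.gserviceaccount.com) echo "default compute SA in use: $sa" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample mirroring the export shown in the post (trimmed);
# PROJECT, REPO and the service account are placeholders.
SAMPLE_YAML="$(cat <<'EOF'
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: myapi
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: '3'
        run.googleapis.com/cpu-throttling: 'true'
      labels:
        run.googleapis.com/startupProbeType: Default
      name: myapi-00001-aaa
    spec:
      containerConcurrency: 80
      containers:
      - image: asia-northeast1-docker.pkg.dev/PROJECT/REPO/myapi:latest
        ports:
        - containerPort: 8080
          name: http1
        resources:
          limits:
            cpu: '1'
            memory: 512Mi
        startupProbe:
          tcpSocket:
            port: 8080
          timeoutSeconds: 240
          periodSeconds: 240
          failureThreshold: 1
      serviceAccountName: my-sa1@PROJECT.iam.gserviceaccount.com
      timeoutSeconds: 300
  traffic:
  - latestRevision: true
    percent: 100
EOF
)"

# Demo: verify the identity, then print the patched manifest.
printf '%s\n' "$SAMPLE_YAML" | check_runtime_sa
printf '%s\n' "$SAMPLE_YAML" | patch_service_yaml myapi-00002-bbb /health
```

Against a real export: `check_runtime_sa < service.yaml && patch_service_yaml myapi-00002-bbb /health < service.yaml > service.patched.yaml`, then `gcloud run services replace service.patched.yaml`. A non-zero exit from either function means the file should be inspected by hand rather than applied.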
