ahmetb / Cloud Run Travisci
Google Cloud Run + Travis CI
This repository shows how to use Travis CI to build a container image and deploy it to Google Cloud Run when you push a new commit.
Table of Contents
- Step 0: Fork this repository
- Step 1: Sign up to Travis CI
- Step 1: Install required tools
- Step 2: Create a service account for deploying
- Step 3: Assign permissions to the service account
- Step 4: Encrypt the service account key
- Step 5: Configure your project ID
- Step 6: Commit the changes to your fork
- Step 7: View build result
- Step 8: Clean up
Step 0: Fork this repository
- Scroll up and click "Fork" so you can try pushing commits and testing builds.
- Clone the repository on your machine.
- Go to the cloud-run-travisci directory you cloned.
Step 1: Sign up to Travis CI
Sign up at www.travis-ci.com and enable the Travis CI app on your forked cloud-run-travisci repository at https://www.travis-ci.com/account/repositories.
Note: If you have a travis-ci.org account instead of .com, replace the --pro arguments in this tutorial with --org.
Step 1: Install required tools
- Google Cloud SDK (gcloud): https://cloud.google.com/sdk
- travis command-line tool:
sudo gem install travis
travis login --pro # (use --org if you're on travis-ci.ORG and not .COM)
Step 2: Create a service account for deploying
To authenticate to GCP APIs from the Travis CI build environment, you will need a service account.
PROJECT_ID="$(gcloud config get-value project -q)" # fetch current GCP project ID
SVCACCT_NAME=travisci-deployer # choose name for service account
Create a service account:
gcloud iam service-accounts create "${SVCACCT_NAME?}"
Find the email address of this account:
SVCACCT_EMAIL="$(gcloud iam service-accounts list \
--filter="name:${SVCACCT_NAME?}@" \
--format=value\(email\))"
Create a JSON key to authenticate as this service account, and save it as google-key.json:
gcloud iam service-accounts keys create "google-key.json" \
--iam-account="${SVCACCT_EMAIL?}"
Step 3: Assign permissions to the service account
You need to give these IAM roles to the service account created:
- Storage Admin: Used for pushing docker images to Google Container Registry (GCR).
- Cloud Run Admin: Used for deploying services to Cloud Run.
- IAM Service Account user: Required by Cloud Run to be able to "act as" the runtime identity of the Cloud Run application (in this case, our deployer service account needs to be able to "act as" the GCE default service account).
gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
--member="serviceAccount:${SVCACCT_EMAIL?}" \
--role="roles/storage.admin"
gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
--member="serviceAccount:${SVCACCT_EMAIL?}" \
--role="roles/run.admin"
gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
--member="serviceAccount:${SVCACCT_EMAIL?}" \
--role="roles/iam.serviceAccountUser"
Step 4: Encrypt the service account key
Run the following command:
travis encrypt-file --pro google-key.json
This command will print an openssl [...] command, don’t lose it!
Edit the .travis.yml file, and add this command to the before_install step:
before_install:
-- echo REMOVE_ME # replace with the openssl command from "travis encrypt-file"
+- openssl aes-256-cbc -K $encrypted_fbfaf42b268c_key -iv $encrypted_fbfaf42b268c_iv -in google-key.json.enc -out google-key.json -d
- curl https://sdk.cloud.google.com | bash > /dev/null
...
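Review bot: the added openssl line hard-codes $encrypted_fbfaf42b268c_key and $encrypted_fbfaf42b268c_iv, which are the variables from the run of "travis encrypt-file" that produced this line. In a fork, paste the exact openssl command printed by your own run instead of copying this line, so the variable names match the ones Travis CI stored for your repository and the decryption of google-key.json.enc does not fail at build time.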
Step 5: Configure your project ID
Edit the .travis.yml file and configure the environment variables under the env: key (such as GCP_PROJECT_ID, IMAGE, and CLOUD_RUN_SERVICE).
Step 6: Commit the changes to your fork
⚠️ Do not add the google-key.json file to your repository, as it can be reached by others.
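One way to enforce the warning above locally is a Git pre-commit check that inspects staged content for a plaintext service account key. This is an added example, not part of the original repository; the function names, the --hook argument and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: block commits that stage a plaintext GCP service account key.
# Assumption: .git/hooks/pre-commit calls this script with the argument --hook.

# Read a file on stdin; succeed if it has both markers of a service account
# JSON key: the "type": "service_account" field and a PEM private key header.
looks_like_sa_key() {
  awk '
    /"type"[ \t]*:[ \t]*"service_account"/ { t = 1 }
    /-----BEGIN [A-Z ]*PRIVATE KEY-----/   { k = 1 }
    END { exit !(t && k) }
  '
}

# Constructed sample with the same layout as a real key file (no real secret).
sample_key() {
  cat <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "travisci-deployer@example-project.iam.gserviceaccount.com"
}
EOF
}

# Inspect the staged blob of every added or modified path, so the check matches
# what would be committed rather than what is in the working tree.
check_staged() {
  git diff --cached --name-only --diff-filter=ACM | (
    status=0
    while IFS= read -r path; do
      if git show ":$path" | looks_like_sa_key; then
        echo "refusing to commit plaintext service account key: $path" >&2
        status=1
      fi
    done
    exit "$status"
  )
}

if [ "${1:-}" = "--hook" ]; then check_staged; fi
```

The encrypted google-key.json.enc passes the check because it contains neither marker, so the commit in this step still goes through.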
Make a commit, and push the changes to your fork:
git add google-key.json.enc .travis.yml
git commit -m "Enable Travis CI"
git push -u origin master
Step 7: View build result
Go to www.travis-ci.com and view your build results.
There might be errors that you need to fix.
If the build succeeds, the output of the gcloud beta run deploy command will show you the URL your app is deployed on! Visit the URL to see if the application works!
[...]
Deploying container to Cloud Run service [example-app] in project [...] region [us-central1]
Deploying new service...
Setting IAM Policy.....done
Creating Revision......done
Routing traffic........done
Done.
Service [example-app] revision [example-app-00001] has been deployed
and is serving traffic at https://example-app-pwfuv4g72q-uc.a.run.app
Step 8: Clean up
Delete the service account you created:
gcloud iam service-accounts delete "${SVCACCT_EMAIL?}"
Delete the Cloud Run application you deployed:
gcloud beta run services delete "YOUR-APP-NAME"
👍Did this tutorial work for you? Click "✭Star" on the top right of this page and let me know!