
Commit 09f4ecf

committed
Update to Procfile, Artifact Registry, dedicated service account
1 parent 98d8ab5 commit 09f4ecf


5 files changed

+80
-123
lines changed


run/django/Dockerfile

Lines changed: 0 additions & 37 deletions
This file was deleted.

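--- a/run/django/Procfile
+++ b/run/django/Procfile
@@ -0,0 +1,5 @@
+# Default entrypoint: run Django
+web: gunicorn --bind 0.0.0.0:$PORT --workers 1 --threads 8 --timeout 0 mysite.wsgi:application
+
+# Apply database migrations
+migrate: python manage.py migrate && python manage.py collectstatic --verbosity 2 --no-input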
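Review bot: The `--timeout 0` on the `web` line switches off gunicorn's worker timeout, and nothing in the file says what bounds a stuck request instead. A comment such as `# --timeout 0: gunicorn never kills a slow worker; the hosting platform's request timeout is the only limit` would make that dependency explicit (the platform-side limit is assumed here, not visible in this commit). The comment above `migrate` also undersells the entry, which runs `collectstatic` as well; `# Apply database migrations and collect static files` would match what it does.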

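--- a/run/django/e2e_test.py
+++ b/run/django/e2e_test.py
@@ -30,7 +30,6 @@
 SAMPLE_VERSION = os.environ.get("SAMPLE_VERSION", None)
 GOOGLE_CLOUD_PROJECT = os.environ["GOOGLE_CLOUD_PROJECT"]
 REGION = "us-central1"
-PLATFORM = "managed"
 
 SERVICE = f"polls-{SUFFIX}"
 
@@ -99,7 +98,6 @@ def run_shell_cmd(args: list) -> subprocess.CompletedProcess:
 def deployed_service() -> str:
 substitutions = [
 f"_SERVICE={SERVICE},"
-f"_PLATFORM={PLATFORM},"
 f"_REGION={REGION},"
 f"_STORAGE_BUCKET={CLOUD_STORAGE_BUCKET},"
 f"_DB_NAME={POSTGRES_DATABASE},"
@@ -134,7 +132,6 @@ def deployed_service() -> str:
 
 substitutions = [
 f"_SERVICE={SERVICE},"
-f"_PLATFORM={PLATFORM},"
 f"_REGION={REGION},"
 f"_DB_USER={POSTGRES_USER},"
 f"_DB_NAME={POSTGRES_DATABASE},"
@@ -172,8 +169,6 @@ def service_url_auth_token(deployed_service: str) -> Iterator[tuple[str, str]]:
 "services",
 "describe",
 deployed_service,
-"--platform",
-"managed",
 "--region",
 REGION,
 "--format",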

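--- a/run/django/e2e_test_cleanup.yaml
+++ b/run/django/e2e_test_cleanup.yaml
@@ -28,26 +28,34 @@ steps:
 ./retry.sh "gsutil ls gs://${_STORAGE_BUCKET}" \
 "gsutil -m rm -r gs://${_STORAGE_BUCKET}"
 
-./retry.sh "gcloud container images describe gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}" \
-"gcloud container images delete gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} --quiet"
+./retry.sh "gcloud artifacts docker images describe ${_IMAGE_NAME}" \
+"gcloud artifacts docker images delete ${_IMAGE_NAME} --quiet"
 
-./retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM}" \
-"gcloud run services delete ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM} --async --quiet"
+./retry.sh "gcloud run jobs describe ${_CLOUD_RUN_JOB_NAME} --region ${_REGION}" \
+"gcloud run jobs delete ${_CLOUD_RUN_JOB_NAME} --region ${_REGION} --async --quiet"
+
+./retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION}" \
+"gcloud run services delete ${_SERVICE} --region ${_REGION} --async --quiet"
 
 WAIT=30 ./retry.sh "gcloud sql databases describe ${_DB_NAME} --instance ${_DB_INSTANCE} --project $PROJECT_ID" \
 "gcloud sql databases delete ${_DB_NAME} --instance ${_DB_INSTANCE} --quiet --project $PROJECT_ID"
 
 ./retry.sh "gcloud sql users list --filter \"name=${_DB_USER}\" --instance ${_DB_INSTANCE}" \
 "gcloud sql users delete ${_DB_USER} --instance ${_DB_INSTANCE} --quiet --project $PROJECT_ID"
 
+options:
+dynamicSubstitutions: true
+
 substitutions:
 _SERVICE: django
 _VERSION: manual
 _REGION: us-central1
-_PLATFORM: managed
-_DB_USER: django
-_DB_NAME: django
+_ARTIFACT_REGISTRY: cloud-run-source-deploy
+_IMAGE_NAME: ${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_ARTIFACT_REGISTRY}/django-${_VERSION}
+_STORAGE_BUCKET: ${PROJECT_ID}-bucket-${_VERSION}
+_CLOUD_RUN_JOB_NAME: migrate-${_VERSION}
+_DB_USER: django-${_VERSION}
+_DB_NAME: django-${_VERSION}
 _DB_INSTANCE: django-instance
-_SECRET_SETTINGS_NAME: django_settings
-_SECRET_PASSWORD_NAME: admin_password
-_STORAGE_BUCKET: ${PROJECT_ID}-bucket
+_SECRET_SETTINGS_NAME: django_settings-${_VERSION}
+_SECRET_PASSWORD_NAME: admin_password-${_VERSION}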
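Review bot: Nothing in this hunk removes the per-version service account or the project-level `roles/cloudsql.client` binding that the setup config now creates, and the substitutions block declares no `_SERVICE_ACCOUNT`. Each test run therefore probably leaves behind an identity that can still reach Cloud SQL and the secrets; the steps before line 28 are outside the hunk, so this needs confirming. A matching cleanup step would be `./retry.sh "gcloud iam service-accounts describe ${_SERVICE_ACCOUNT_EMAIL}" "gcloud iam service-accounts delete ${_SERVICE_ACCOUNT_EMAIL} --quiet"`, with the two substitutions declared here and the binding dropped via `gcloud projects remove-iam-policy-binding`. Separately, the `_DB_INSTANCE`, `_DB_NAME` and `_DB_USER` defaults here no longer match the setup file's new defaults (`django-instance` against `django-instance-${_VERSION}`, `django-` against `postgres-`), which matters whenever the caller does not override them.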

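--- a/run/django/e2e_test_setup.yaml
+++ b/run/django/e2e_test_setup.yaml
@@ -14,7 +14,7 @@
 
 steps:
 - id: "Create a dedicated database"
-name: "gcr.io/cloud-builders/gcloud"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
 entrypoint: "/bin/bash"
 args:
 - "-c"
@@ -24,7 +24,7 @@ steps:
 --project ${PROJECT_ID}"
 
 - id: "Create a dedicated database user"
-name: "gcr.io/cloud-builders/gcloud"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
 entrypoint: "/bin/bash"
 args:
 - "-c"
@@ -37,7 +37,7 @@ steps:
 rm db_password
 
 - id: "Create a dedicated storage bucket"
-name: "gcr.io/cloud-builders/gcloud"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
 entrypoint: "/bin/bash"
 args:
 - "-c"
@@ -47,8 +47,8 @@ steps:
 -p ${PROJECT_ID} \
 gs://${_STORAGE_BUCKET}"
 
-- id: "Add Django secrets to Secret Manager"
-name: "gcr.io/cloud-builders/gcloud"
+- id: "IAM and Secrets"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
 entrypoint: "/bin/bash"
 args:
 - "-c"
@@ -59,112 +59,98 @@ steps:
 SECRET_KEY=$(cat /dev/urandom | LC_ALL=C tr -dc '[:alpha:]' | fold -w 30 | head -n1)
 PASSWORD_NAME=${_SECRET_PASSWORD_NAME}" > ${_SECRET_SETTINGS_NAME}
 
+./retry.sh "gcloud iam service-accounts create ${_SERVICE_ACCOUNT}"
+
 ./retry.sh "gcloud secrets create ${_SECRET_SETTINGS_NAME} \
 --project $PROJECT_ID \
 --data-file=${_SECRET_SETTINGS_NAME}"
 
-gcloud secrets add-iam-policy-binding ${_SECRET_SETTINGS_NAME} \
---member serviceAccount:$(gcloud projects list --filter "name=${PROJECT_ID}" --format "value(projectNumber)")@cloudbuild.gserviceaccount.com \
---role roles/secretmanager.secretAccessor \
---project ${PROJECT_ID}
-
-rm ${_SECRET_SETTINGS_NAME}
-
 echo -n "${_SECRET_PASSWORD_VALUE}" > ${_SECRET_PASSWORD_NAME}
 
 ./retry.sh "gcloud secrets create ${_SECRET_PASSWORD_NAME} \
 --project $PROJECT_ID \
 --data-file=${_SECRET_PASSWORD_NAME}"
 
-gcloud secrets add-iam-policy-binding ${_SECRET_PASSWORD_NAME} \
---member serviceAccount:$(gcloud projects list --filter "name=${PROJECT_ID}" --format "value(projectNumber)")@cloudbuild.gserviceaccount.com \
+./retry.sh "gcloud secrets add-iam-policy-binding ${_SECRET_SETTINGS_NAME} \
+--member serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
+--role roles/secretmanager.secretAccessor \
+--project ${PROJECT_ID}"
+
+./retry.sh "gcloud secrets add-iam-policy-binding ${_SECRET_PASSWORD_NAME} \
+--member serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
 --role roles/secretmanager.secretAccessor \
---project ${PROJECT_ID}
+--project ${PROJECT_ID}"
+
+./retry.sh "gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+--member serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
+--role roles/cloudsql.client \
+--project ${PROJECT_ID}"
 
-rm ${_SECRET_PASSWORD_NAME}
 
 - id: "Build Container Image"
-name: "gcr.io/cloud-builders/docker"
-entrypoint: "/bin/bash"
-args:
-- "-c"
-- |
-./retry.sh "docker build -t gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} ."
+name: gcr.io/k8s-skaffold/pack
+args: ["build", "${_IMAGE_NAME}", "--builder=gcr.io/buildpacks/builder"]
 
 - id: "Push Container Image"
 name: "gcr.io/cloud-builders/docker"
 entrypoint: "/bin/bash"
 args:
 - "-c"
 - |
-./retry.sh "docker push gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}"
+./retry.sh "docker push ${_IMAGE_NAME}"
 
 - id: "Migrate database"
-name: "gcr.io/google-appengine/exec-wrapper"
-args:
-[
-"-i",
-"gcr.io/$PROJECT_ID/${_SERVICE}:${_VERSION}",
-"-s",
-"${_CLOUD_SQL_CONNECTION_NAME}",
-"-e",
-"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
-"-e",
-"PASSWORD_NAME=${_SECRET_PASSWORD_NAME}",
-"--",
-"python",
-"manage.py",
-"migrate",
-]
-
-- id: "Collect static"
-name: "gcr.io/google-appengine/exec-wrapper"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
+entrypoint: /bin/bash
 args:
-[
-"-i",
-"gcr.io/$PROJECT_ID/${_SERVICE}:${_VERSION}",
-"-s",
-"${_CLOUD_SQL_CONNECTION_NAME}",
-"-e",
-"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
-"--",
-"python",
-"manage.py",
-"collectstatic",
-"--verbosity",
-"2",
-"--no-input",
-]
+- "-c"
+- |
+./retry.sh "gcloud run jobs create ${_CLOUD_RUN_JOB_NAME} \
+--region ${_REGION} \
+--service-account ${_SERVICE_ACCOUNT_EMAIL} \
+--image ${_IMAGE_NAME} \
+--set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
+--set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME} \
+--command migrate \
+--execute-now"
 
 - id: "Deploy to Cloud Run"
-name: "gcr.io/cloud-builders/gcloud:latest"
+name: "gcr.io/google.com/cloudsdktool/cloud-sdk:latest"
 entrypoint: /bin/bash
 args:
 - "-c"
 - |
 ./retry.sh "gcloud run deploy ${_SERVICE} \
 --project $PROJECT_ID \
---image gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} \
+--image ${_IMAGE_NAME} \
 --no-allow-unauthenticated \
 --region ${_REGION} \
---platform ${_PLATFORM} \
---add-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
---update-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME}"
+--service-account ${_SERVICE_ACCOUNT_EMAIL} \
+--set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
+--set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME}"
 
 images:
-- gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}
+- ${_IMAGE_NAME}
+
+options:
+dynamicSubstitutions: true
+logging: CLOUD_LOGGING_ONLY
 
 substitutions:
 _SERVICE: django
 _VERSION: manual
 _REGION: us-central1
-_PLATFORM: managed
-_STORAGE_BUCKET: ${PROJECT_ID}-bucket
-_DB_INSTANCE: django-instance
-_CLOUD_SQL_CONNECTION_NAME: $PROJECT_ID:us-central1:django-instance
-_DB_NAME: postgres
-_DB_USER: postgres
+_ARTIFACT_REGISTRY: cloud-run-source-deploy
+_IMAGE_NAME: ${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_ARTIFACT_REGISTRY}/django-${_VERSION}
+_STORAGE_BUCKET: ${PROJECT_ID}-bucket-${_VERSION}
+_CLOUD_RUN_JOB_NAME: migrate-${_VERSION}
+_SERVICE_ACCOUNT: django-sa-${_VERSION}
+_SERVICE_ACCOUNT_EMAIL: ${_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com
+_DB_INSTANCE: django-instance-${_VERSION}
+_CLOUD_SQL_CONNECTION_NAME: ${PROJECT_ID}:${_REGION}:${_DB_INSTANCE}
+_DB_NAME: postgres-${_VERSION}
+_DB_USER: postgres-${_VERSION}
 _DB_PASS: password1234
-_SECRET_SETTINGS_NAME: django_settings
-_SECRET_PASSWORD_NAME: admin_password
+_SECRET_SETTINGS_NAME: django_settings-${_VERSION}
+_SECRET_PASSWORD_NAME: admin_password-${_VERSION}
 _SECRET_PASSWORD_VALUE: password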
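Review bot: The "IAM and Secrets" step no longer deletes the plaintext secret files it writes: both `rm ${_SECRET_SETTINGS_NAME}` and `rm ${_SECRET_PASSWORD_NAME}` are removed, so the settings file (which holds at least `SECRET_KEY`) and the admin password file stay on disk after upload to Secret Manager. The next step runs `pack build` with no path argument, and if the build steps share a working directory and no ignore file excludes these names (neither is visible here), the buildpack would likely copy both files into the image pushed to Artifact Registry. Restoring `rm ${_SECRET_SETTINGS_NAME}` after the first `gcloud secrets create` and `rm ${_SECRET_PASSWORD_NAME}` after the second keeps the secrets out of the build context. The step's script begins above the hunk, so the full contents of the settings file cannot be checked from here.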
