fix(run/django): Update to Procfile, Artifact Registry, dedicated service account (#12718)

* Update to Procfile, Artifact Registry, dedicated service account

* debug: do not create sa

* remove excess permission

* ensure unique cloudrunjob name

* debug: ensure values use random suffix

* lint

* syntax

* Turns out, this value is important.

* ensure consistent substitutions

* move to Cloud Run Job based superuser, update migrations

* remove unused vars

* Update sample code, region tags

* fix region tag

* lint [skip ci]

* update cloudmigrate

* update to support multiple cloud run URLs

* confirm jobs complete

* pass python version to pack

* string

* use CNB-distributed pack image

* remove old build steps

* replace other k8s-skaffold image reference

---------

Co-authored-by: Jennifer Davis <[email protected]>

Author: glasnt

run/django/Dockerfile

@@ -0,0 +1,12 @@
+# Default entrypoint: run Django
+web: gunicorn --bind 0.0.0.0:$PORT --workers 1 --threads 8 --timeout 0 mysite.wsgi:application
+
+# [START cloudrun_django_procfile_migrate]
+# Apply database migrations
+migrate: python manage.py migrate && python manage.py collectstatic --verbosity 2 --no-input
+# [END cloudrun_django_procfile_migrate]
+
+# [START cloudrun_django_procfile_superuser]
+# Create superuser (requires DJANGO_SUPERUSER_PASSWORD and DJANGO_SUPERUSER_EMAIL envvars)
+createsuperuser: python manage.py createsuperuser --username admin --noinput || echo "User already exists."
+# [END cloudrun_django_procfile_superuser]

run/django/Procfile

@@ -14,55 +14,58 @@
 
 # [START cloudrun_django_cloudmigrate]
 steps:
-  - id: "build image"
-    name: "gcr.io/cloud-builders/docker"
-    args: ["build", "-t", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}", "."]
+  - id: "Build Container Image"
+    name: buildpacksio/pack
+    args: ["build", "${_IMAGE_NAME}", "--builder=gcr.io/buildpacks/builder"]
 
-  - id: "push image"
+  - id: "Push Container Image"
     name: "gcr.io/cloud-builders/docker"
-    args: ["push", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"]
+    args: ["push", "${_IMAGE_NAME}"]
 
-  - id: "apply migrations"
-    name: "gcr.io/google-appengine/exec-wrapper"
+  - id: "Migrate database"
+    name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
+    entrypoint: /bin/bash
     args:
-      [
-        "-i",
-        "gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
-        "-s",
-        "${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
-        "-e",
-        "SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
-        "--",
-        "python",
-        "manage.py",
-        "migrate",
-      ]
+      - "-c"
+      - |
+        gcloud run jobs create migrate-job \
+          --region ${_REGION} \
+          --image ${_IMAGE_NAME} \
+          --set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
+          --set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME} \
+          --command migrate \
+          --execute-now
 
-  - id: "collect static"
-    name: "gcr.io/google-appengine/exec-wrapper"
+  - id: "Create superuser"
+    name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
+    entrypoint: /bin/bash
     args:
-      [
-        "-i",
-        "gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
-        "-s",
-        "${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
-        "-e",
-        "SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
-        "--",
-        "python",
-        "manage.py",
-        "collectstatic",
-        "--verbosity",
-        "2",
-        "--no-input",
-      ]
+      - "-c"
+      - |
+        gcloud run jobs create superuser-job \
+          --region ${_REGION} \
+          --image ${_IMAGE_NAME} \
+          --set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
+          --set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME} \
+          --set-env-vars DJANGO_SUPERUSER_EMAIL=${_ADMIN_EMAIL} \
+          --set-secrets DJANGO_SUPERUSER_PASSWORD=${_ADMIN_PASSWORD_NAME}:latest \
+          --command createsuperuser \
+          --execute-now
+
+options:
+  dynamicSubstitutions: true
 
 substitutions:
   _INSTANCE_NAME: django-instance
+  _CLOUD_SQL_CONNECTION_NAME: ${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}
   _REGION: us-central1
   _SERVICE_NAME: polls-service
   _SECRET_SETTINGS_NAME: django_settings
+  _ARTIFACT_REGISTRY: cloud-run-source-deploy
+  _IMAGE_NAME: ${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_ARTIFACT_REGISTRY}/${_SERVICE_NAME}
+  _ADMIN_EMAIL: [email protected]
+  _ADMIN_PASSWORD_NAME: superuser_password
 
 images:
-  - "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"
+  - "${_IMAGE_NAME}"
 # [END cloudrun_django_cloudmigrate]

run/django/cloudmigrate.yaml

@@ -18,6 +18,7 @@
 from collections.abc import Iterator
 import os
 import subprocess
+import sys
 import uuid
 
 import backoff
@@ -27,10 +28,10 @@
 # Unique suffix to create distinct service names
 SUFFIX = uuid.uuid4().hex[:10]
 
+PYTHON_VERSION = f"{sys.version_info.major}.{sys.version_info.minor}"
 SAMPLE_VERSION = os.environ.get("SAMPLE_VERSION", None)
 GOOGLE_CLOUD_PROJECT = os.environ["GOOGLE_CLOUD_PROJECT"]
 REGION = "us-central1"
-PLATFORM = "managed"
 
 SERVICE = f"polls-{SUFFIX}"
 
@@ -50,20 +51,11 @@
     POSTGRES_INSTANCE_FULL = f"{GOOGLE_CLOUD_PROJECT}:{REGION}:{POSTGRES_INSTANCE}"
     POSTGRES_INSTANCE_NAME = POSTGRES_INSTANCE
 
-POSTGRES_DATABASE = f"django-database-{SUFFIX}"
-
-CLOUD_STORAGE_BUCKET = f"{GOOGLE_CLOUD_PROJECT}-media-{SUFFIX}"
-
-POSTGRES_DATABASE = f"polls-{SUFFIX}"
-POSTGRES_USER = f"django-{SUFFIX}"
 POSTGRES_PASSWORD = uuid.uuid4().hex[:26]
 
 ADMIN_NAME = "admin"
 ADMIN_PASSWORD = uuid.uuid4().hex[:26]
 
-SECRET_SETTINGS_NAME = f"django_settings-{SUFFIX}"
-SECRET_PASSWORD_NAME = f"superuser_password-{SUFFIX}"
-
 
 @backoff.on_exception(backoff.expo, Exception, max_tries=3)
 def run_shell_cmd(args: list) -> subprocess.CompletedProcess:
@@ -98,18 +90,14 @@ def run_shell_cmd(args: list) -> subprocess.CompletedProcess:
 @pytest.fixture
 def deployed_service() -> str:
     substitutions = [
+        f"_VERSION={SUFFIX},"
+        f"_PYTHON_VERSION={PYTHON_VERSION},"
         f"_SERVICE={SERVICE},"
-        f"_PLATFORM={PLATFORM},"
         f"_REGION={REGION},"
-        f"_STORAGE_BUCKET={CLOUD_STORAGE_BUCKET},"
-        f"_DB_NAME={POSTGRES_DATABASE},"
-        f"_DB_USER={POSTGRES_USER},"
         f"_DB_PASS={POSTGRES_PASSWORD},"
+        f"_ADMIN_PASSWORD={ADMIN_PASSWORD},"
         f"_DB_INSTANCE={POSTGRES_INSTANCE_NAME},"
-        f"_SECRET_SETTINGS_NAME={SECRET_SETTINGS_NAME},"
-        f"_SECRET_PASSWORD_NAME={SECRET_PASSWORD_NAME},"
-        f"_SECRET_PASSWORD_VALUE={ADMIN_PASSWORD},"
-        f"_CLOUD_SQL_CONNECTION_NAME={POSTGRES_INSTANCE_FULL}"
+        f"_CLOUD_SQL_CONNECTION_NAME={POSTGRES_INSTANCE_FULL},"
     ]
     if SAMPLE_VERSION:
         substitutions.append(f",_VERSION={SAMPLE_VERSION}")
@@ -133,15 +121,10 @@ def deployed_service() -> str:
     # Cleanup
 
     substitutions = [
+        f"_VERSION={SUFFIX},"
         f"_SERVICE={SERVICE},"
-        f"_PLATFORM={PLATFORM},"
         f"_REGION={REGION},"
-        f"_DB_USER={POSTGRES_USER},"
-        f"_DB_NAME={POSTGRES_DATABASE},"
         f"_DB_INSTANCE={POSTGRES_INSTANCE_NAME},"
-        f"_SECRET_SETTINGS_NAME={SECRET_SETTINGS_NAME},"
-        f"_SECRET_PASSWORD_NAME={SECRET_PASSWORD_NAME},"
-        f"_STORAGE_BUCKET={CLOUD_STORAGE_BUCKET},"
     ]
     if SAMPLE_VERSION:
         substitutions.append(f"_SAMPLE_VERSION={SAMPLE_VERSION}")
@@ -172,8 +155,6 @@ def service_url_auth_token(deployed_service: str) -> Iterator[tuple[str, str]]:
                 "services",
                 "describe",
                 deployed_service,
-                "--platform",
-                "managed",
                 "--region",
                 REGION,
                 "--format",

run/django/e2e_test.py

@@ -22,32 +22,38 @@ steps:
         ./retry.sh "gcloud secrets describe ${_SECRET_SETTINGS_NAME}" \
           "gcloud secrets delete ${_SECRET_SETTINGS_NAME} --quiet --project $PROJECT_ID"
 
-        ./retry.sh "gcloud secrets describe ${_SECRET_PASSWORD_NAME}" \
-          "gcloud secrets delete ${_SECRET_PASSWORD_NAME} --quiet --project $PROJECT_ID"
-
         ./retry.sh "gsutil ls gs://${_STORAGE_BUCKET}" \
           "gsutil -m rm -r gs://${_STORAGE_BUCKET}"
 
-        ./retry.sh "gcloud container images describe gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}" \
-          "gcloud container images delete gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} --quiet"
+        ./retry.sh "gcloud artifacts docker images describe ${_IMAGE_NAME}" \
+          "gcloud artifacts docker images delete ${_IMAGE_NAME} --quiet"
+
+        ./retry.sh "gcloud run jobs describe migrate-${_VERSION} --region ${_REGION}" \
+          "gcloud run jobs delete migrate-${_VERSION}  --region ${_REGION} --async --quiet"
 
-        ./retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM}" \
-          "gcloud run services delete ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM} --async --quiet"
+        ./retry.sh "gcloud run jobs describe superuser-${_VERSION} --region ${_REGION}" \
+          "gcloud run jobs delete superuser-${_VERSION}  --region ${_REGION} --async --quiet"
+
+        ./retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION}" \
+          "gcloud run services delete ${_SERVICE} --region ${_REGION} --async --quiet"
 
         WAIT=30 ./retry.sh "gcloud sql databases describe ${_DB_NAME} --instance ${_DB_INSTANCE} --project $PROJECT_ID" \
           "gcloud sql databases delete ${_DB_NAME} --instance ${_DB_INSTANCE} --quiet --project $PROJECT_ID"
 
         ./retry.sh "gcloud sql users list --filter \"name=${_DB_USER}\" --instance ${_DB_INSTANCE}" \
           "gcloud sql users delete ${_DB_USER} --instance ${_DB_INSTANCE} --quiet --project $PROJECT_ID"
 
+options:
+  dynamicSubstitutions: true
+
 substitutions:
   _SERVICE: django
   _VERSION: manual
   _REGION: us-central1
-  _PLATFORM: managed
-  _DB_USER: django
-  _DB_NAME: django
+  _ARTIFACT_REGISTRY: cloud-run-source-deploy
+  _IMAGE_NAME: ${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_ARTIFACT_REGISTRY}/django-${_VERSION}
+  _STORAGE_BUCKET: ${PROJECT_ID}-bucket-${_VERSION}
+  _DB_USER: django-${_VERSION}
+  _DB_NAME: django-${_VERSION}
   _DB_INSTANCE: django-instance
-  _SECRET_SETTINGS_NAME: django_settings
-  _SECRET_PASSWORD_NAME: admin_password
-  _STORAGE_BUCKET: ${PROJECT_ID}-bucket
+  _SECRET_SETTINGS_NAME: django_settings-${_VERSION}