Sample outlining a process of setting up Cloud SQL instance with secure (TLS) access that will work the same way from developer workstation as well as from within Cloud Run

mchmarny/cloud-sql-for-cloud-run-example

cloud-sql-for-cloud-run-example

The current Cloud SQL integration in Cloud Run is not yet 100% idiomatic and requires a couple of GCP-specific steps:

  1. A side-effect import: _ "github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/dialers/mysql"
  2. Running Cloud SQL Proxy during local development or testing

This sample outlines a process of setting up a highly available (multi-zone) Cloud SQL instance with secure (TLS) access that works the same way from the developer workstation as it does from within Cloud Run.

Note, to keep this readme short, I will be asking you to execute scripts rather than listing the complete commands here. You should really review the content of each one of these scripts and understand the individual commands so you can use them in the future.

Pre-requirements

GCP Project and gcloud SDK

If you don't have one already, start by creating a new project and configuring the Google Cloud SDK. Similarly, if you have not done so already, you will have to set up Cloud Run.

API

In case you have not used some of the required GCP APIs, run the bin/api script to make sure they are all enabled:

bin/api

Setup

To set up this service you will need to clone this repo:

git clone https://github.com/mchmarny/cloud-sql-for-cloud-run-example.git

And navigate into that directory:

cd cloud-sql-for-cloud-run-example

Cloud SQL

Passwords

The bin/password script generates the root and app user passwords and saves them in a project-scoped path under the .cloud-sql folder in your home directory.

bin/password

Instance

The bin/instance script will:

  • Create a Cloud SQL instance
  • Set the default (root) user credentials
  • Configure MySQL database in the new Cloud SQL instance
  • Set up application database user and its credentials
  • Create and download client SSL certificates from the newly created instance

Note, while the created Cloud SQL instance will be exposed to the world (0.0.0.0/0), it allows only SSL connections. Also, it uses the root and app user passwords created in the first step. If you ever decide to remove the SSL connection requirement, you can reset the root password in the Cloud SQL UI.

bin/instance
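
One way to check, after bin/instance has run, that the instance still has the posture described above (SSL required, 0.0.0.0/0 authorized, multi-zone). This is an added example, not code from this repo; it assumes the JSON printed by gcloud sql instances describe INSTANCE --format=json, including the legacy requireSsl field, and both sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// instance holds the `gcloud sql instances describe --format=json` fields checked here.
type instance struct {
	Settings struct {
		AvailabilityType string `json:"availabilityType"`
		IPConfiguration  struct {
			RequireSsl         bool `json:"requireSsl"` // legacy field; assumed present
			AuthorizedNetworks []struct {
				Value string `json:"value"`
			} `json:"authorizedNetworks"`
		} `json:"ipConfiguration"`
	} `json:"settings"`
}

// Audit returns one finding per setting that departs from, or is risky in, the described setup.
func Audit(describeJSON []byte) (findings []string, err error) {
	var in instance
	if err = json.Unmarshal(describeJSON, &in); err != nil {
		return nil, fmt.Errorf("parse describe output: %w", err)
	}
	ip := in.Settings.IPConfiguration
	if !ip.RequireSsl {
		findings = append(findings, "CRITICAL: SSL not required; plaintext connections are accepted")
	}
	for _, n := range ip.AuthorizedNetworks {
		if n.Value == "0.0.0.0/0" {
			findings = append(findings, "WARN: 0.0.0.0/0 authorized; any internet host can reach the MySQL port")
		}
	}
	if in.Settings.AvailabilityType != "REGIONAL" {
		findings = append(findings, "INFO: availabilityType is not REGIONAL; no multi-zone failover")
	}
	return findings, nil
}

// Constructed sample inputs, not real project output.
const asDescribed = `{"settings":{"availabilityType":"REGIONAL","ipConfiguration":{"requireSsl":true,"authorizedNetworks":[{"value":"0.0.0.0/0"}]}}}`
const sslRemoved = `{"settings":{"availabilityType":"ZONAL","ipConfiguration":{"requireSsl":false,"authorizedNetworks":[{"value":"0.0.0.0/0"}]}}}`

func main() {
	fmt.Println(Audit([]byte(asDescribed)))
	fmt.Println(Audit([]byte(sslRemoved)))
}
```

The instance as this readme describes it yields only the WARN finding; removing the SSL requirement while 0.0.0.0/0 stays authorized adds the CRITICAL one.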

Schema

The bin/schema script applies the database schema located in sql/schema.ddl.

The provided script checks for the existence of all the objects before creating them, so you can run it multiple times. It only creates one simple table right now, so feel free to edit it before executing the schema script:

bin/schema

Test Connection

At this point you should be able to connect to the newly created database with this command:

bin/connect

Certificates

The bin/secret script creates KMS keys, encrypts the Cloud SQL certificates, and saves them to a GCS bucket so that the Cloud Run service can securely obtain them while connecting to the Cloud SQL DB:

bin/secret

Cloud Run

Once the Cloud SQL instance is configured, you can now deploy the Cloud Run service. First though, you will have to build the image and create a specific service account under which the new service will run.

Container Image

First, build the container image from the included source using the bin/image script:

bin/image

Service Account

This step is currently specific to the managed version of Cloud Run; skip it if you are deploying to Cloud Run on GKE.

After that, create a service account and assign it the necessary roles using the bin/user script:

bin/user

Managed Service Deployment

Once the container image and service account are ready, you can deploy the new service using either the bin/deploy-managed or the bin/deploy-gke script:

bin/deploy-managed

or

bin/deploy-gke

Testing Service on Cloud Run

At this point you should be able to access your deployed service.

Note, there is currently no way to predict the service URL, specifically the bit between the service name (cloudsql-demo) and the static Cloud Run domain (uc.a.run.app).

Now, navigate in your browser to the service URL, which will return a JSON response.

{
    "request_id":  "1224d739-cfa5-4500-9a8e-97df6a583aee",
    "request_on":  "2019-08-19 21:14:58.565436028 +0000 UTC",
    "info":        "Success - records saved: 1"
}

If for some reason there were errors while invoking the service, the response will include the error details in the info field.

Testing Service Locally

You can run the sample service locally by executing the bin/run-local script

bin/run-local

And navigating to http://localhost:8080/v1/test

Disclaimer

This is my personal project and it does not represent my employer. I take no responsibility for issues caused by this code. I do my best to ensure that everything works, but if something goes wrong, my apologies is all you will get.
