
[GCP] Endpoints (API Gateway) on Cloud Run

Posted at 2020-07-30

The official documentation is hard to follow, so this article collects the commands and settings you need in one place.

Prerequisites

  • Cloud Shell
  • Service API activation
    • Cloud Endpoints API
    • Cloud Run API

Deploying the backend service

$ gcloud beta run deploy backend \
    --image="gcr.io/cloudrun/hello" \
    --project=$GOOGLE_CLOUD_PROJECT \
    --allow-unauthenticated \
    --platform managed \
    --region asia-northeast1

Deploying container to Cloud Run service [backend] in project [9999999999] region [asia-northeast1]
✓ Deploying new service... Done.                                                           
  ✓ Creating Revision...
  ✓ Routing traffic...
  ✓ Setting IAM Policy...
Done.
Service [backend] revision [backend-00001-kam] has been deployed and is serving 100 percent of traffic at https://backend-3iegrzpgpa-an.a.run.app

Checking the deployment result

Opening the URL printed at the end, https://backend-3iegrzpgpa-an.a.run.app, shows the test page.
(screenshot: 001.png)

Initializing Cloud Endpoints

Environment variable
export CLOUD_RUN_SERVICE_NAME=endpoint

The latest ESP (Extensible Service Proxy) image can be found at https://gcr.io/endpoints-release/endpoints-runtime-serverless.

$ gcloud beta run deploy $CLOUD_RUN_SERVICE_NAME \
    --image="gcr.io/endpoints-release/endpoints-runtime-serverless:2.14" \
    --memory=2Gi \
    --project=$GOOGLE_CLOUD_PROJECT \
    --allow-unauthenticated \
    --platform managed \
    --region asia-northeast1

Deploying container to Cloud Run service [endpoint] in project [9999999999] region [asia-northeast1]
✓ Deploying new service... Done.                                                           
  ✓ Creating Revision...
  ✓ Routing traffic...
  ✓ Setting IAM Policy...
Done.
Service [endpoint] revision [endpoint-00001-dim] has been deployed and is serving 100 percent of traffic at https://endpoint-3iegrzpgpa-an.a.run.app

Deploying the API

Note that host is the Endpoint (ESP) address and x-google-backend/address is the backend address; the two are different hostnames, so be careful not to mix them up.

api.yaml
swagger: '2.0'
info:
  title: APIGateway
  description: APIGateway for endpoints
  version: 1.0.0
host: endpoint-3iegrzpgpa-an.a.run.app
schemes:
  - https
produces:
  - application/json
x-google-backend:
  address: https://backend-3iegrzpgpa-an.a.run.app
paths:
  /:
    get:
      summary: hello
      operationId: root
      responses:
        '200':
          description: A successful response
          schema:
            type: string
api-deploy
$ gcloud endpoints services deploy api.yaml

Waiting for async operation operations/services.endpoint-3iegrzpgpa-an.a.run.app-0 to complete...
Waiting for async operation operations/serviceConfigs.endpoint-3iegrzpgpa-an.a.run.app:e8dd17df-d4e2-4e11-a2a4-63d961f813e1 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud endpoints operations describe operations/serviceConfigs.endpoint-3iegrzpgpa-an.a.run.app:e8dd17df-d4e2-4e11-a2a4-63d961f813e1
WARNING: api.yaml: Operation 'get' in path '/': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
Waiting for async operation operations/rollouts.endpoint-3iegrzpgpa-an.a.run.app:f1146c2f-e5d8-464a-8d0f-47121dc6b00c to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud endpoints operations describe operations/rollouts.endpoint-3iegrzpgpa-an.a.run.app:f1146c2f-e5d8-464a-8d0f-47121dc6b00c
Enabling service [endpoint-3iegrzpgpa-an.a.run.app] on project [pocketcards]...
Operation "operations/acf.a9afc803-80b3-4acd-bb52-a984439b9b49" finished successfully.
Service Configuration [2020-07-30r0] uploaded for service [endpoint-3iegrzpgpa-an.a.run.app]
To manage your API, go to: https://console.cloud.google.com/endpoints/api/endpoint-3iegrzpgpa-an.a.run.app/overview?project=pocketcards
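Before running gcloud endpoints services deploy, it is worth checking api.yaml for the two points above (host is the ESP hostname, x-google-backend/address is the backend) and for the condition behind the "Operation does not require an API key" warning in the output. The following is an added example, not code from the article or from Google's tooling: a Python lint over the loaded api.yaml document. The article's config is embedded as a constructed dict; the with_api_key helper, the securityDefinitions entry it adds, and the esp_host/backend_url parameters are assumptions of this example.

```python
"""Lint an Endpoints (ESPv2) OpenAPI 2.0 config before deploying it.

Added example, not part of the original article. Pass in the dict that
yaml.safe_load(open("api.yaml")) returns (PyYAML), plus the ESP hostname and
the backend URL you expect, and act on any findings before deploying.
"""
import copy
from urllib.parse import urlparse

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def _api_key_definitions(doc):
    """Names of securityDefinitions entries whose type is apiKey."""
    defs = doc.get("securityDefinitions") or {}
    return {name for name, d in defs.items()
            if isinstance(d, dict) and d.get("type") == "apiKey"}


def _requires_api_key(security, api_key_names):
    """True when every security requirement object references an apiKey definition
    (the condition gcloud's warning describes)."""
    if not security:
        return False
    return all(any(name in api_key_names for name in req) for req in security)


def lint_endpoints_config(doc, esp_host, backend_url):
    """Return a list of findings; an empty list means the config matches expectations."""
    findings = []
    if doc.get("swagger") != "2.0":
        findings.append("swagger: ESP expects an OpenAPI 2.0 document")
    if doc.get("host") != esp_host:
        findings.append(f"host: expected the ESP hostname {esp_host!r}, got {doc.get('host')!r}")
    schemes = doc.get("schemes") or []
    if schemes != ["https"]:
        findings.append(f"schemes: expected ['https'], got {schemes!r}")
    backend = (doc.get("x-google-backend") or {}).get("address")
    if backend != backend_url:
        findings.append(f"x-google-backend.address: expected {backend_url!r}, got {backend!r}")
    parsed = urlparse(backend or "")
    if parsed.scheme != "https":
        findings.append("x-google-backend.address: backend must be reached over https")
    if parsed.hostname == esp_host:
        findings.append("x-google-backend.address: points at the ESP itself (request loop)")
    # Per-operation API key check: operation-level `security` overrides the global one.
    api_keys = _api_key_definitions(doc)
    global_security = doc.get("security")
    for path, ops in (doc.get("paths") or {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as `parameters`
            if not _requires_api_key(op.get("security", global_security), api_keys):
                findings.append(f"{method.upper()} {path}: operation does not require an API key")
    return findings


# Constructed copy of the article's api.yaml, as the dict yaml.safe_load would return.
ESP_HOST = "endpoint-3iegrzpgpa-an.a.run.app"
BACKEND_URL = "https://backend-3iegrzpgpa-an.a.run.app"
ARTICLE_CONFIG = {
    "swagger": "2.0",
    "info": {"title": "APIGateway", "description": "APIGateway for endpoints", "version": "1.0.0"},
    "host": ESP_HOST,
    "schemes": ["https"],
    "produces": ["application/json"],
    "x-google-backend": {"address": BACKEND_URL},
    "paths": {"/": {"get": {"summary": "hello", "operationId": "root",
                            "responses": {"200": {"description": "A successful response",
                                                  "schema": {"type": "string"}}}}}},
}


def with_api_key(doc):
    """Hypothetical hardening: copy of `doc` that requires an API key on every operation."""
    hardened = copy.deepcopy(doc)
    hardened["securityDefinitions"] = {"api_key": {"type": "apiKey", "name": "key", "in": "query"}}
    hardened["security"] = [{"api_key": []}]
    return hardened


if __name__ == "__main__":
    for finding in lint_endpoints_config(ARTICLE_CONFIG, ESP_HOST, BACKEND_URL):
        print("WARNING:", finding)
    print("after with_api_key:", lint_endpoints_config(with_api_key(ARTICLE_CONFIG), ESP_HOST, BACKEND_URL))
```

Run against the article's config the lint reports exactly one finding, the same one gcloud warned about: GET / does not require an API key, which means anyone who can reach the ESP URL can call the backend through it. The hardened copy reports nothing.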

Configuring Cloud Endpoints permissions

It does not work as-is: Cloud Endpoints must be granted permission to invoke Cloud Run.

Environment variables
export PROJECT_NUMBER=$(gcloud projects describe $GOOGLE_CLOUD_PROJECT --format json | jq ".projectNumber | tonumber")
export CLOUD_RUN_ENDPOINT=endpoint-3iegrzpgpa-an.a.run.app
export CLOUD_RUN_BACKEND=backend
Permission settings
// Set the Cloud Endpoints environment variables
$ gcloud beta run services update $CLOUD_RUN_SERVICE_NAME \
  --set-env-vars="^|^ENDPOINTS_SERVICE_NAME=$CLOUD_RUN_ENDPOINT|ESPv2_ARGS=^++^--cors_preset=basic++--cors_allow_origin=*" \
  --platform managed \
  --region asia-northeast1

✓ Deploying... Done.                                         
  ✓ Creating Revision...
  ✓ Routing traffic...
Done.
Service [endpoint] revision [endpoint-00002-pos] has been deployed and is serving 100 percent of traffic at https://endpoint-3iegrzpgpa-an.a.run.app

// Grant the Invoke permission
$ gcloud beta run services add-iam-policy-binding $CLOUD_RUN_SERVICE_NAME \
    --member "serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role "roles/run.invoker" \
    --platform managed \
    --region asia-northeast1

Updated IAM policy for service [endpoint].
bindings:
- members:
  - allUsers
  - serviceAccount:9999999999-compute@developer.gserviceaccount.com
  role: roles/run.invoker
etag: BwWrnw7w_u4=
version: 1

Checking the Cloud Endpoints setup

Opening https://endpoint-3iegrzpgpa-an.a.run.app shows the page, but the images are not displayed. Since this is meant for an API, images not loading is expected.

Protecting the backend

Redeploying the backend without the allow-unauthenticated setting (with --no-allow-unauthenticated) disables public access to it.

no-allow-unauthenticated
$ gcloud beta run deploy backend \
    --image="gcr.io/cloudrun/hello" \
    --project=$GOOGLE_CLOUD_PROJECT \
    --no-allow-unauthenticated \
    --platform managed \
    --region asia-northeast1

Deploying container to Cloud Run service [backend] in project [xxxxxxxxx] region [asia-northeast1]
✓ Deploying... Done.                                                           
  ✓ Creating Revision...
  ✓ Routing traffic...
  ✓ Setting IAM Policy...
Done.
Service [backend] revision [backend-00004-vov] has been deployed and is serving 100 percent of traffic at https://backend-3iegrzpgpa-an.a.run.app

Final check

Opening the backend at https://backend-3iegrzpgpa-an.a.run.app shows an error page like the following:

403_Forbidden
Error: Forbidden
Your client does not have permission to get URL / from this server.

Accessing through Cloud Endpoints at https://endpoint-3iegrzpgpa-an.a.run.app shows a page like the following:
(screenshot: 002.png)
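After locking the backend down, the state worth verifying is in the IAM policy rather than in the browser: the backend should have no allUsers invoker, and its only invoker should be the service account the ESP runs as (by default the PROJECT_NUMBER-compute@developer.gserviceaccount.com account used in the binding above), while the ESP service itself stays public on purpose. The following is an added example, not code from the article or from Google: it audits the JSON that gcloud run services get-iam-policy SERVICE --format=json prints. The policies are constructed inline to mirror the article's output, and the audit_invoker_policy function with its expected_callers/public_ok parameters is this example's own.

```python
"""Audit the roles/run.invoker bindings of a Cloud Run service.

Added example, not part of the original article. Feed it the JSON from
`gcloud run services get-iam-policy SERVICE --format=json`; for the backend,
expect no public principal and only the gateway's service account as invoker.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"


def invoker_members(policy):
    """Set of members bound to roles/run.invoker in a policy dict."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def audit_invoker_policy(policy, expected_callers, public_ok=False):
    """Return findings for one service's IAM policy (empty list = as expected).

    expected_callers: principals that must be able to invoke the service.
    public_ok: True for the ESP gateway (deliberately public), False for the backend.
    """
    findings = []
    members = invoker_members(policy)
    public = members & PUBLIC_PRINCIPALS
    if public and not public_ok:
        findings.append(f"public invoker binding present: {sorted(public)}")
    for caller in expected_callers:
        if caller not in members:
            findings.append(f"expected caller missing from {INVOKER_ROLE}: {caller}")
    unexpected = members - PUBLIC_PRINCIPALS - set(expected_callers)
    if unexpected:
        findings.append(f"unexpected invokers: {sorted(unexpected)}")
    return findings


def audit_json(policy_json, expected_callers, public_ok=False):
    """Convenience wrapper over the raw gcloud JSON output."""
    return audit_invoker_policy(json.loads(policy_json), expected_callers, public_ok)


# Constructed policies. The gateway one mirrors the article's output (project number
# 9999999999 as printed there); the backend ones are the locked-down and still-public states.
ESP_SA = "serviceAccount:9999999999-compute@developer.gserviceaccount.com"
GATEWAY_POLICY_JSON = json.dumps({
    "bindings": [{"members": ["allUsers", ESP_SA], "role": INVOKER_ROLE}],
    "etag": "BwWrnw7w_u4=", "version": 1,
})
BACKEND_POLICY_JSON = json.dumps({  # backend after --no-allow-unauthenticated
    "bindings": [{"members": [ESP_SA], "role": INVOKER_ROLE}],
    "etag": "constructed", "version": 1,
})
BACKEND_PUBLIC_JSON = json.dumps({  # backend still deployed with --allow-unauthenticated
    "bindings": [{"members": ["allUsers"], "role": INVOKER_ROLE}],
    "etag": "constructed", "version": 1,
})


if __name__ == "__main__":
    print("gateway:", audit_json(GATEWAY_POLICY_JSON, [ESP_SA], public_ok=True))
    print("backend:", audit_json(BACKEND_POLICY_JSON, [ESP_SA]))
    print("backend (still public):", audit_json(BACKEND_PUBLIC_JSON, [ESP_SA]))
```

The 403 page above is the symptom; the empty findings list for the locked-down backend is the state you want to confirm, and the still-public policy produces two findings (a public binding, and the gateway's service account missing), which is the configuration in which the ESP adds no protection at all because the backend URL can be called directly.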

One last word

Cloud Run can cold start, so implement a health check with something like Cloud Scheduler.

References

Getting started with Endpoints for Cloud Run
