Secure Software Supply Chain: Using Cloud Build & Cloud Deploy to Deploy Containerized Applications
GSP1092
Overview
In this lab, you use Cloud Build to create a containerized "Hello, World!" application, store the container in Artifact Registry, and deploy the container to Cloud Run.
Objectives
In this lab, you will learn how to:
- Build a sample application container using Cloud Build
- Store the application container in Artifact Registry
- Set up a Cloud Deploy Pipeline
- Deploy the sample application to Cloud Run
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab. Remember, once you start, you cannot pause a lab.
How to start your lab and sign in to the Google Cloud console
- Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:
  - The Open Google Cloud console button
  - Time remaining
  - The temporary credentials that you must use for this lab
  - Other information, if needed, to step through this lab
- Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).
  The lab spins up resources, and then opens another tab that shows the Sign in page.
  Tip: Arrange the tabs in separate windows, side-by-side.
  Note: If you see the Choose an account dialog, click Use Another Account.
- If necessary, copy the Username below and paste it into the Sign in dialog.
  {{{user_0.username | "Username"}}}
  You can also find the Username in the Lab Details panel.
- Click Next.
- Copy the Password below and paste it into the Welcome dialog.
  {{{user_0.password | "Password"}}}
  You can also find the Password in the Lab Details panel.
- Click Next.
  Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.
  Note: Using your own Google Cloud account for this lab may incur extra charges.
- Click through the subsequent pages:
  - Accept the terms and conditions.
  - Do not add recovery options or two-factor authentication (because this is a temporary account).
  - Do not sign up for free trials.
After a few moments, the Google Cloud console opens in this tab.
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
- Click Activate Cloud Shell at the top of the Google Cloud console.
When you are connected, you are already authenticated, and the project is set to your Project_ID. gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
- (Optional) You can list the active account name with this command:
- Click Authorize.
Output:
- (Optional) You can list the project ID with this command:
Output:
For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.
Set Environment Variables
- Open the Cloud Shell Terminal.
- Set the PROJECT environment variable:
export PROJECT=$(gcloud config get-value project)
Enable Required Services
- From the Cloud Shell Terminal run the following to enable required services:
Task 1. Create Artifact Registry repository
- In the Cloud Shell Terminal, run the following command to create an Artifact Registry repository:
gcloud artifacts repositories create helloworld-repo --location={{{project_0.default_region | "REGION"}}} --repository-format=docker --project=$PROJECT
Click Check my progress to verify the objective.
Task 2. Write a Sample Application
Write a sample Node.js application to build and deploy on Cloud Run.
- In the Cloud Shell Terminal, create a new directory named helloworld and change directory into it:
mkdir helloworld
cd helloworld
- Open the Cloud Shell Editor.
- Create a package.json file in the helloworld directory with the following contents:
- In the same directory, create an index.js file with the following contents:
Task 3. Build the Sample Application
- Change directory into the helloworld folder.
cd ~/helloworld
- Submit the build to Cloud Build using the following gcloud command:
gcloud builds submit --pack image={{{project_0.default_region | "REGION"}}}-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld
- In the Navigation menu, click Cloud Build.
- In the Navigation pane, click History.
- In the Region drop-down, select Global.
- Click the Build ID to view the results of the build.
Task 4. Set up Cloud Deploy resources
Prepare your Skaffold configuration
Google Cloud Deploy uses Skaffold to provide the details for what to deploy and how to deploy it properly for your separate targets.
In this quickstart, you create a skaffold.yaml file, which identifies the Kubernetes manifest to be used to deploy the sample app.
- Make a new directory for your manifests, and navigate into it:
mkdir ~/deploy-cloudrun
cd ~/deploy-cloudrun
- Create the skaffold.yaml file in this directory. skaffold.yaml tells Google Cloud Deploy which manifests to deploy for each target in the pipeline, for a given release.
Prepare your Cloud Run services
Here you'll create two different Cloud Run services in the same project by using manifests with Skaffold profiles.
- Create the run-dev.yaml file in the ~/deploy-cloudrun/ directory. This declarative manifest represents the dev environment version of your Cloud Run service.
- Create the run-prod.yaml file, in this same directory.
Create your delivery pipeline and targets
- In the directory with your recently created manifests (~/deploy-cloudrun/), create the clouddeploy.yaml file. Replace $PROJECT_ID with the value of your own project ID.
- Register the delivery pipeline and targets with Google Cloud Deploy:
The output will look like this:
Click Check my progress to verify the objective.
Create a release and deploy the container
With the configuration files prepared and the delivery pipeline and targets registered, we can now create the release resource that represents the container image to deploy. We'll use the helloworld container image we built earlier.
- In the Cloud Shell Terminal, run the following command:
gcloud deploy releases create run-release-001 --project=$PROJECT --region={{{project_0.default_region | "REGION"}}} --delivery-pipeline=my-run-demo-app-1 --images=my-app-image="{{{project_0.default_region | "REGION"}}}-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld"
The output will look like this:
Click Check my progress to verify the objective.
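The release command above refers to the image by name, so the registry decides at deploy time which build that name resolves to. The following is an added example, not part of the original lab, that resolves the image to its sha256 digest and builds a pinned reference for --images. The function names are hypothetical, and the image_summary.digest field is assumed to be the one printed by gcloud artifacts docker images describe.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): pin a Cloud Deploy release to an image digest.

# Return 0 only if $1 is "sha256:" followed by exactly 64 lowercase hex digits.
is_sha256_digest() {
  case "$1" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  hex=${1#sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Strip a trailing :tag or @digest from an image reference.
# A colon in the registry host (host:port) is left alone.
image_repo() {
  ref=${1%%@*}
  last=${ref##*/}            # a tag can only appear in the final path component
  case "$last" in
    *:*) ref=${ref%:*} ;;
  esac
  printf '%s\n' "$ref"
}

# Ask Artifact Registry which digest $1 currently points to; print repo@digest.
pinned_ref() {
  digest=$(gcloud artifacts docker images describe "$1" \
    --format='value(image_summary.digest)') || return 1
  is_sha256_digest "$digest" || { echo "unexpected digest: $digest" >&2; return 1; }
  printf '%s@%s\n' "$(image_repo "$1")" "$digest"
}

# Usage in Cloud Shell (REGION stands for the lab's region placeholder):
#   IMAGE=$(pinned_ref "REGION-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld:latest")
#   gcloud deploy releases create run-release-001 --project=$PROJECT --region=REGION \
#     --delivery-pipeline=my-run-demo-app-1 --images=my-app-image="$IMAGE"
```

With a digest in the release, promoting from run-dev to run-prod deploys the same bytes that were scanned and tested, even if the tag is later moved.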
Promote the release
Now that the application is deployed in the first target, run-dev, promote it to the prod environment.
- From the Cloud Deploy page, click the my-run-demo-app-1 pipeline.
The Delivery pipeline details page shows a graphical representation of your delivery pipeline's progress. In this case, it shows that the release was deployed to the run-dev target.
- On the first target in the delivery pipeline visualization, click Promote.
The Promote release dialog is shown. It shows the details of the target you're promoting to.
- Click Promote.
The release is now queued for deployment into run-prod. When deployment is complete, the delivery pipeline visualization shows it as deployed.
Click Check my progress to verify the objective.
Enable unauthenticated access to Cloud Run services
To view the sample application in-browser, we'll enable unauthenticated access to the Cloud Run services by granting the roles/run.invoker role to allUsers, which lets anyone who can reach a service URL invoke it.
- In the Cloud Shell Terminal, run the following commands and select the region if prompted:
gcloud run services add-iam-policy-binding helloworld-dev \
  --member="allUsers" \
  --role="roles/run.invoker"
gcloud run services add-iam-policy-binding helloworld-prod \
  --member="allUsers" \
  --role="roles/run.invoker"
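To confirm which services are publicly invocable after this step, and to verify a later cleanup, the following added example (not part of the original lab) lists public principals in each service's IAM policy. The function names are hypothetical, and the region argument is whatever region the services were deployed to.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): report public IAM bindings on the lab's services.

# Print "service<TAB>role<TAB>member" for each public principal on service $1 in region $2.
public_bindings() {
  svc=$1
  region=$2
  # --flatten emits one row per (role, member) pair; value() separates fields with tabs.
  policy=$(gcloud run services get-iam-policy "$svc" --region="$region" \
    --flatten='bindings[].members' \
    --format='value(bindings.role,bindings.members)') || return 2
  printf '%s\n' "$policy" |
  while IFS="$(printf '\t')" read -r role member; do
    case "$member" in
      allUsers|allAuthenticatedUsers)
        printf '%s\t%s\t%s\n' "$svc" "$role" "$member" ;;
    esac
  done
}

# Audit both lab services in region $1.
# Returns 0 if neither is public, 1 if any public binding exists, 2 on a gcloud error.
audit_public_access() {
  region=$1
  found=0
  for svc in helloworld-dev helloworld-prod; do
    out=$(public_bindings "$svc" "$region") || return 2
    [ -z "$out" ] || { printf '%s\n' "$out"; found=1; }
  done
  return "$found"
}

# Usage in Cloud Shell (REGION stands for the lab's region placeholder):
#   audit_public_access REGION
# To revoke public access once the browser check is done:
#   gcloud run services remove-iam-policy-binding helloworld-dev --region=REGION \
#     --member="allUsers" --role="roles/run.invoker"
```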
View helloworld application
- In the Navigation menu, click Cloud Run. The list of deployed Cloud Run services appears.
- Click the helloworld-prod service. The service details page opens.
- Click the Copy to clipboard icon next to the URL field.
- Paste the URL into a new browser window and hit enter. The "Hello, World!" message appears in browser.
Task 5. View Security Insights
Security insights via Software Delivery Shield are available in the Cloud Build and Cloud Run interfaces.
Security Insights in Cloud Build
- In the Navigation menu, click Cloud Build.
- In the Navigation pane, click History.
- For Region, select global (non-regional).
- Click the 8-digit build ID of the most recent successful build to view the build details.
- Click the Build Artifacts tab.
- Click View under Security Insights for the artifact with the name helloworld:latest. A panel pulls out showing security insights for this artifact.
- The security insights show vulnerabilities detected via the Container Scanning API, information on software dependencies, and details on the build process for that container.
Security Insights in Cloud Run
- In the Navigation menu, click Cloud Run. The list of deployed Cloud Run services appears.
- Click helloworld-prod.
- Click the Revisions tab.
- In the right-side panel, click the Security tab.
- Similar to Cloud Build, this panel displays information on Vulnerabilities, Dependencies, and Build.
Congratulations!
In this lab, you learned how to build a containerized application, store the application container in Artifact Registry, and deploy the sample application to Cloud Run.
Next Steps / Learn More
Be sure to check out the following documentation for more practice with building and deploying applications on Google Cloud:
- Deploy an app to Cloud Run using Google Cloud Deploy
- Building container images with Cloud Build
- Store Cloud Build artifacts in Artifact Registry
Manual Last Updated August 31, 2023
Lab Last Tested August 31, 2023
Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.