  • [Cloud Hero 2-3] Software Supply Chain Security: Deploying a Container App with Cloud Build and Cloud Deploy
    IT/GCP 2022. 11. 24. 00:32

    Hello! This lab covers software supply chain security.

    Set the environment variable

    export PROJECT=$(gcloud config get-value project)

    Enable the required services

    gcloud services enable run.googleapis.com

    Create an Artifact Registry repository

    gcloud artifacts repositories create helloworld-repo --location=us-central1 --repository-format=docker --project=$PROJECT

    Create the sample application

    mkdir helloworld
    cd helloworld

    package.json

    {
      "name": "helloworld",
      "description": "Simple hello world sample in Node",
      "version": "1.0.0",
      "private": true,
      "main": "index.js",
      "scripts": {
        "start": "node index.js"
      },
      "engines": {
        "node": ">=12.0.0"
      },
      "author": "Google LLC",
      "license": "Apache-2.0",
      "dependencies": {
        "express": "^4.17.1"
      }
    }

    index.js

    // Minimal Express server for the helloworld sample.
    const express = require('express');
    const app = express();

    app.get('/', (req, res) => {
      res.send('Hello World!');
    });

    // Cloud Run passes the listening port in the PORT environment variable.
    const port = parseInt(process.env.PORT, 10) || 8080;
    app.listen(port, () => {
      console.log(`helloworld: listening on port ${port}`);
    });

    cd ~/helloworld
    gcloud builds submit --pack image=us-central1-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld

    Prepare the Skaffold configuration

    mkdir ~/deploy-cloudrun
    cd ~/deploy-cloudrun

    skaffold.yaml

    apiVersion: skaffold/v3alpha1
    kind: Config
    metadata: 
      name: deploy-run-quickstart
    profiles:
    - name: dev
      manifests:
        rawYaml:
        - run-dev.yaml
    - name: prod
      manifests:
        rawYaml:
        - run-prod.yaml
    deploy:
      cloudrun: {}

    clouddeploy.yaml

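    # Replace $PROJECT_ID with your project ID (the value of $PROJECT): gcloud deploy apply reads this file literally.
    apiVersion: deploy.cloud.google.com/v1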
    kind: DeliveryPipeline
    metadata:
     name: my-run-demo-app-1
    description: main application pipeline
    serialPipeline:
     stages:
     - targetId: run-dev
       profiles: [dev]
     - targetId: run-prod
       profiles: [prod]
    ---
    apiVersion: deploy.cloud.google.com/v1
    kind: Target
    metadata:
     name: run-dev
    description: Cloud Run development service
    run:
     location: projects/$PROJECT_ID/locations/us-central1
    ---
    apiVersion: deploy.cloud.google.com/v1
    kind: Target
    metadata:
     name: run-prod
    description: Cloud Run production service
    run:
     location: projects/$PROJECT_ID/locations/us-central1

    gcloud deploy apply --file clouddeploy.yaml --region=us-central1

    run-dev.yaml

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-dev
    spec:
      template:
        spec:
          containers:
          - image: my-app-image

    run-prod.yaml

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-prod
    spec:
      template:
        spec:
          containers:
          - image: my-app-image

    Create a release and deploy the container

    gcloud deploy releases create run-release-001 --project=$PROJECT --region=us-central1 \
      --delivery-pipeline=my-run-demo-app-1 --images=my-app-image="us-central1-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld"

    Allow unauthenticated access to the Cloud Run services

    gcloud run services add-iam-policy-binding helloworld-dev \
      --member="allUsers" \
      --role="roles/run.invoker"
    gcloud run services add-iam-policy-binding helloworld-prod \
      --member="allUsers" \
      --role="roles/run.invoker"
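
The `gcloud deploy releases create` step in this lab passes the image by name only, which is a mutable reference: a later `gcloud builds submit` to the same name changes what it points to. As an added example (not part of the original lab; the function names are hypothetical), this resolves the image to its `sha256` digest in Artifact Registry and creates the release only from the digest-pinned reference:

```bash
#!/usr/bin/env bash
# Added example: create the Cloud Deploy release from a digest-pinned image.
# Function names are hypothetical; the repository, pipeline and image key
# (my-app-image) are the ones used in this lab.

# Succeeds only for references ending in @sha256:<64 lowercase hex chars>.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Strip any :tag or @digest, leaving registry/project/repository/image.
image_name() {
  local ref="${1%%@*}" last
  last="${ref##*/}"                  # final path component, may carry :tag
  printf '%s\n' "${ref%"$last"}${last%%:*}"
}

# Join a name and a digest; reject anything that is not a full sha256 digest.
pin_image() {
  local pinned
  pinned="$(image_name "$1")@$2"
  is_digest_pinned "$pinned" || { echo "bad digest: $2" >&2; return 1; }
  printf '%s\n' "$pinned"
}

# Ask Artifact Registry which digest the reference currently resolves to.
resolve_digest() {
  gcloud artifacts docker images describe "$1" \
    --format='value(image_summary.digest)'
}

# Args: release-name image-ref. Requires $PROJECT, set at the start of the lab.
create_pinned_release() {
  local digest pinned
  digest="$(resolve_digest "$2")" || return 1
  pinned="$(pin_image "$2" "$digest")" || return 1
  gcloud deploy releases create "$1" --project="$PROJECT" --region=us-central1 \
    --delivery-pipeline=my-run-demo-app-1 --images=my-app-image="$pinned"
}

# Usage:
#   create_pinned_release run-release-001 \
#     "us-central1-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld"
```

Because the release records the digest, the dev and prod stages roll out the same image bytes even if the repository receives a new build in between.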

     

    Thank you.
