Secure Software Supply Chain: Using Cloud Build & Cloud Deploy to Deploy Containerized Applications

Lab | 1 hour | 1 Credit | Introductory

GSP1092

Overview

In this lab, you use Cloud Build to create a containerized "Hello, World!" application, store the container in Artifact Registry, and deploy the container to Cloud Run.

Objectives

In this lab, you will learn how to:

  • Build a sample application container using Cloud Build
  • Store the application container in Artifact Registry
  • Set up a Cloud Deploy Pipeline
  • Deploy the sample application to Cloud Run

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).

    Note: Use an Incognito or private browser window to run this lab. This prevents conflicts between your personal account and the Student account, which could cause extra charges to be incurred on your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.

    Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.

    Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell at the top of the Google Cloud console.

When you are connected, you are already authenticated, and the project is set to your Project_ID. The output contains a line that declares the Project_ID for this session:

Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  2. (Optional) You can list the active account name with this command:

    gcloud auth list

  3. Click Authorize.

Output:

    ACTIVE: *
    ACCOUNT: {{{user_0.username | "ACCOUNT"}}}

    To set the active account, run:
        $ gcloud config set account `ACCOUNT`

  4. (Optional) You can list the project ID with this command:

    gcloud config list project

Output:

    [core]
    project = {{{project_0.project_id | "PROJECT_ID"}}}

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Set Environment Variables

  1. Open the Cloud Shell Terminal.
  2. Set the PROJECT environment variable:

    export PROJECT=$(gcloud config get-value project)

Enable Required Services

  1. From the Cloud Shell Terminal run the following to enable required services:

    gcloud services enable run.googleapis.com

Task 1. Create Artifact Registry repository

  1. In the Cloud Shell Terminal, run the following command to create an Artifact Registry repository:

    gcloud artifacts repositories create helloworld-repo \
      --location={{{project_0.default_region | "REGION"}}} \
      --repository-format=docker \
      --project=$PROJECT

Click Check my progress to verify the objective. Create Artifact Registry repository

Task 2. Write a Sample Application

Write a sample Node.js application to build and deploy on Cloud Run.

  1. In the Cloud Shell Terminal, create a new directory named helloworld and change directory into it:

    mkdir helloworld
    cd helloworld
  2. Open the Cloud Shell Editor.

  3. Create a package.json file in the helloworld directory with the following contents:

    {
      "name": "helloworld",
      "description": "Simple hello world sample in Node",
      "version": "1.0.0",
      "private": true,
      "main": "index.js",
      "scripts": {
        "start": "node index.js"
      },
      "engines": {
        "node": ">=12.0.0"
      },
      "author": "Google LLC",
      "license": "Apache-2.0",
      "dependencies": {
        "express": "^4.17.1"
      }
    }

  4. In the same directory, create an index.js file with the following contents:

    const express = require('express');
    const app = express();

    // Respond on the root path; NAME comes from the environment, not from the request.
    app.get('/', (req, res) => {
      const name = process.env.NAME || 'World';
      res.send(`Hello ${name}!`);
    });

    // Cloud Run supplies the listening port in PORT; fall back to 8080 locally.
    const port = parseInt(process.env.PORT, 10) || 8080;
    app.listen(port, () => {
      console.log(`helloworld: listening on port ${port}`);
    });

Task 3. Build the Sample Application

  1. Change directory into the helloworld folder.

    cd ~/helloworld
  2. Submit the build to Cloud Build using the following gcloud command:

    gcloud builds submit --pack image={{{project_0.default_region | "REGION"}}}-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld
  3. In the Navigation menu, click Cloud Build.

  4. In the Navigation pane, click History.

  5. In the Region drop-down, select Global.

  6. Click the Build ID to view the results of the build.

Task 4. Set up Cloud Deploy resources

Prepare your Skaffold configuration

Google Cloud Deploy uses Skaffold to provide the details for what to deploy and how to deploy it properly for your separate targets.

In this quickstart, you create a skaffold.yaml file, which identifies the Kubernetes manifest to be used to deploy the sample app.

  1. Make a new directory for your manifests, and navigate into it:

    mkdir ~/deploy-cloudrun
    cd ~/deploy-cloudrun
  2. Create the skaffold.yaml file in this directory. skaffold.yaml tells Google Cloud Deploy which manifests to deploy for each target in the pipeline, for a given release.

    apiVersion: skaffold/v3alpha1
    kind: Config
    metadata:
      name: deploy-run-quickstart
    profiles:
    - name: dev
      manifests:
        rawYaml:
        - run-dev.yaml
    - name: prod
      manifests:
        rawYaml:
        - run-prod.yaml
    deploy:
      cloudrun: {}

Prepare your Cloud Run services

Here you'll create two different Cloud Run services in the same project by using manifests with Skaffold profiles.

  1. Create the run-dev.yaml file in the ~/deploy-cloudrun/ directory. This declarative manifest represents the dev environment version of your Cloud Run service.

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-dev
    spec:
      template:
        spec:
          containers:
          - image: my-app-image

  2. Create the run-prod.yaml file, in this same directory.

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-prod
    spec:
      template:
        spec:
          containers:
          - image: my-app-image

Create your delivery pipeline and targets

  1. In the directory with your recently created manifests (~/deploy-cloudrun/), create the clouddeploy.yaml file. Replace $PROJECT_ID with the value of your own project ID.

    apiVersion: deploy.cloud.google.com/v1
    kind: DeliveryPipeline
    metadata:
      name: my-run-demo-app-1
    description: main application pipeline
    serialPipeline:
      stages:
      - targetId: run-dev
        profiles: [dev]
      - targetId: run-prod
        profiles: [prod]
    ---
    apiVersion: deploy.cloud.google.com/v1
    kind: Target
    metadata:
      name: run-dev
    description: Cloud Run development service
    run:
      location: projects/$PROJECT_ID/locations/{{{project_0.default_region | "REGION"}}}
    ---
    apiVersion: deploy.cloud.google.com/v1
    kind: Target
    metadata:
      name: run-prod
    description: Cloud Run production service
    run:
      location: projects/$PROJECT_ID/locations/{{{project_0.default_region | "REGION"}}}

  2. Register the delivery pipeline and targets with Google Cloud Deploy:

    gcloud deploy apply --file clouddeploy.yaml --region={{{project_0.default_region | "REGION"}}}

    Note: If asked to enable the Cloud Deploy API, enter y and continue.

The output will look like this:

    Waiting for the operation on resource projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/deliveryPipelines/my-run-demo-app-1...done.
    Created Cloud Deploy resource: projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/deliveryPipelines/my-run-demo-app-1.
    Waiting for the operation on resource projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/targets/run-dev...done.
    Created Cloud Deploy resource: projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/targets/run-dev.
    Waiting for the operation on resource projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/targets/run-prod...done.
    Created Cloud Deploy resource: projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/targets/run-prod.

Click Check my progress to verify the objective. Create the delivery pipeline and targets

Create a release and deploy the container

With the configuration files prepared and the delivery pipeline and targets registered, we can now create the release resource that represents the container image to deploy. We'll use the helloworld container image we built earlier.

  1. In the Cloud Shell Terminal, run the following command:

    gcloud deploy releases create run-release-001 \
      --project=$PROJECT \
      --region={{{project_0.default_region | "REGION"}}} \
      --delivery-pipeline=my-run-demo-app-1 \
      --images=my-app-image="{{{project_0.default_region | "REGION"}}}-docker.pkg.dev/$PROJECT/helloworld-repo/helloworld"

The output will look like this:

    Creating temporary tarball archive of 4 file(s) totalling 2.0 KiB before compression.
    Uploading tarball of [.] to [gs://sample-project_clouddeploy_{{{project_0.default_region | "REGION"}}}/source/1643560782.447815-aed1fdf4973b4d25b9b7d09ff9fbbaa9.tgz]
    Waiting for operation [operation-1643560782826-5d6cf50a08a8d-e40f7a45-ac4aa0ae]...done.
    Created Cloud Deploy release run-release-001.
    Creating rollout projects/sample-project/locations/{{{project_0.default_region | "REGION"}}}/deliveryPipelines/my-run-demo-app-1/releases/run-release-001/rollouts/run-release-001-to-run-dev-0001 in target run-dev...done.
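
The release command above passes the image by name only, with no tag or digest, so it refers to the mutable latest tag rather than to fixed image content. The following check is an added example, not part of the lab: it parses a --images value and reports every entry that is not pinned to a sha256 digest. The region, project and digest in the sample values are constructed.

```python
import re

# A digest pins exact image content; anything else is a name the registry can repoint.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def classify_image_ref(ref):
    """Return (kind, detail); kind is 'digest', 'tag', 'implicit-latest' or 'invalid'."""
    name, at, digest = ref.partition("@")
    if at:
        ok = bool(name) and DIGEST_RE.fullmatch(digest)
        return ("digest", digest) if ok else ("invalid", digest)
    # Only a ':' after the last '/' separates a tag; an earlier one is a registry port.
    last_component = name.rsplit("/", 1)[-1]
    if not last_component:
        return ("invalid", ref)
    if ":" in last_component:
        return ("tag", last_component.split(":", 1)[1])
    return ("implicit-latest", "latest")


def unpinned_images(images_value):
    """Parse a --images value (NAME=REF[,NAME=REF...]).

    Returns {NAME: (kind, detail)} for every entry not pinned by digest.
    """
    unpinned = {}
    for pair in images_value.split(","):
        name, _, ref = pair.partition("=")
        kind, detail = classify_image_ref(ref.strip().strip('"'))
        if kind != "digest":
            unpinned[name.strip()] = (kind, detail)
    return unpinned


# Constructed values: the lab's --images mapping with a sample region and project,
# and the same image pinned to a made-up digest.
REPO = "us-central1-docker.pkg.dev/example-project/helloworld-repo/helloworld"
AS_IN_LAB = f"my-app-image={REPO}"
PINNED = f"my-app-image={REPO}@sha256:{'ab' * 32}"

if __name__ == "__main__":
    for label, value in (("as in lab", AS_IN_LAB), ("pinned", PINNED)):
        print(label, unpinned_images(value))
```
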

Click Check my progress to verify the objective. Create a release

Promote the release

Now that the application is deployed in the first target, run-dev, promote it to the prod environment.

  1. From the Cloud Deploy page, click the my-run-demo-app-1 pipeline.

The Delivery pipeline details page shows a graphical representation of your delivery pipeline's progress. In this case, it shows that the release was deployed to the run-dev target.

  2. On the first target in the delivery pipeline visualization, click Promote.

The Promote release dialog is shown. It shows the details of the target you're promoting to.

  3. Click Promote.

The release is now queued for deployment into run-prod. When deployment is complete, the delivery pipeline visualization shows it as deployed.

Click Check my progress to verify the objective. Promote the release

Enable unauthenticated access to Cloud Run services

To view the sample application in-browser, we'll enable unauthenticated access to the Cloud Run services.

  1. In the Cloud Shell Terminal, run the following commands and select the region if prompted:

    gcloud run services add-iam-policy-binding helloworld-dev \
      --member="allUsers" \
      --role="roles/run.invoker"

    gcloud run services add-iam-policy-binding helloworld-prod \
      --member="allUsers" \
      --role="roles/run.invoker"
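
The step above grants roles/run.invoker to allUsers on both services, although only helloworld-prod is opened in the browser afterwards. As an added example (not part of the lab), this script reads IAM policies in the JSON shape printed by gcloud run services get-iam-policy SERVICE --format=json and reports public bindings that are not on an approved list. The sample policies, the service account and the internal-api service are constructed.

```python
import json

# IAM special identifiers that open a binding to callers without a named identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies, shaped like the JSON printed by
# `gcloud run services get-iam-policy SERVICE --format=json` after the step above.
# The service account and the internal-api service are hypothetical.
SAMPLE_POLICIES = {
    "helloworld-dev": '{"bindings": [{"role": "roles/run.invoker",'
                      ' "members": ["allUsers"]}], "version": 1}',
    "helloworld-prod": '{"bindings": [{"role": "roles/run.invoker", "members": ['
                       '"allUsers", "serviceAccount:web@example-project.iam.gserviceaccount.com"'
                       ']}], "version": 1}',
    "internal-api": '{"etag": "ACAB"}',  # a policy with no bindings
}


def public_bindings(policy_json):
    """Return sorted (role, member) pairs that are granted to public principals."""
    policy = json.loads(policy_json)
    found = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.add((binding.get("role", ""), member))
    return sorted(found)


def audit(policies, approved_public):
    """Map service -> public bindings whose (service, role) pair is not approved."""
    report = {}
    for service, policy_json in policies.items():
        unexpected = [pair for pair in public_bindings(policy_json)
                      if (service, pair[0]) not in approved_public]
        if unexpected:
            report[service] = unexpected
    return report


if __name__ == "__main__":
    # Assumption for this example: only the prod service is meant to be public.
    approved = {("helloworld-prod", "roles/run.invoker")}
    for service, findings in audit(SAMPLE_POLICIES, approved).items():
        for role, member in findings:
            print(f"{service}: {member} holds {role}")
```
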

View helloworld application

  1. In the Navigation menu, click Cloud Run. The list of deployed Cloud Run services appears.

  2. Click the helloworld-prod service. The service details page opens.

  3. Click the Copy to clipboard icon next to the URL field.

  4. Paste the URL into a new browser window and press Enter. The "Hello, World!" message appears in the browser.

Task 5. View Security Insights

Security insights via Software Delivery Shield are available in the Cloud Build and Cloud Run interfaces.

Security Insights in Cloud Build

  1. In the Navigation menu, click Cloud Build.

  2. In the Navigation pane, click History.

  3. For Region, select global (non-regional).

  4. Click the 8-digit build ID of the most recent successful build to view the build details.

  5. Click the Build Artifacts tab.

  6. Click View under Security Insights for the artifact with the name helloworld:latest. A panel pulls out showing security insights for this artifact.

  7. The security insights show vulnerabilities detected via the Container Scanning API, information on software dependencies, and details on the build process for that container.

Security Insights in Cloud Run

  1. In the Navigation menu, click Cloud Run. The list of deployed Cloud Run services appears.

  2. Click helloworld-prod.

  3. Click the Revisions tab.

  4. In the right-side panel, click the Security tab.

  5. Similar to Cloud Build, this panel displays information on Vulnerabilities, Dependencies, and Build.

Congratulations!

In this lab, you learned how to build a containerized application, store the application container in Artifact Registry, and deploy the sample application to Cloud Run.

Next Steps / Learn More

Be sure to check out the following documentation for more practice with building and deploying applications on Google Cloud:

Manual Last Updated August 31, 2023

Lab Last Tested August 31, 2023

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.