Published on: January 15, 2025
6 min read
This tutorial demonstrates how to use GitLab's Google Artifact Management integration to deploy to Google Cloud Run, a serverless runtime for containerized applications.
This tutorial is from a recent Arctiq, GitLab, and Google in-person workshop. The goal was to explore common security challenges faced by organizations as they journey to the cloud.
This tutorial will help you learn about the Google Cloud integrations in GitLab. These features are meant to accelerate deployments to Google Cloud and to improve their security.
In this step, we configure GitLab to use Google Cloud's Workload Identity Federation. This removes the need for long-lived service account keys stored in GitLab: each job exchanges its GitLab-issued identity token for short-lived Google Cloud credentials on demand.
As an alternative to GitLab's own container registry, pushing to Google Cloud's Artifact Registry is another way to leverage Google's infrastructure. This section provides the steps for using GitLab's native integration with Artifact Registry. Note that Workload Identity Federation must already be configured before this.
Set the following variables to your Google Cloud project ID, project number and Workload Identity Pool ID (the region us-central1 is assumed), then grant the pool's developer-access principal set the roles the pipeline needs:

GCP_PROJECT_ID="<PROJECT ID>"
GCP_PROJECT_NUMBER="<PROJECT NUMBER>"
GCP_WORKLOAD_IDENTITY_POOL="<POOL ID>"

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/run.admin'

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/iam.serviceAccountUser'

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/cloudbuild.builds.editor'

The member is a principalSet: every identity in the pool for which the mapped attribute developer_access is true receives these roles, not a single named subject. All three bindings are also project-wide: roles/run.admin covers every Cloud Run service in the project, and roles/iam.serviceAccountUser lets the pipeline act as any service account in it. That is acceptable for a workshop; for a production project, grant roles/iam.serviceAccountUser on the specific runtime service account (gcloud iam service-accounts add-iam-policy-binding) rather than on the project, and keep the Cloud Run grant as narrow as the deployment allows.
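To review what a pool actually holds after running bindings like these, the following Python script is an added example (not GitLab's or Google's code). It reads the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints, lists every binding granted to principals from one workload identity pool, and flags two things a least-privilege review cares about: roles that are broad at project level, and principalSet members ending in /* (every identity in the pool, not only those with an attribute such as developer_access). SAMPLE_POLICY is a constructed document; the project number 123456789012 and pool ID gitlab-wlif are placeholders standing in for the tutorial's <PROJECT NUMBER> and <POOL ID>, and BROAD_ROLES is an assumed review list.

```python
"""Review which roles a Workload Identity Federation pool holds in a project.

Added example for this tutorial, not GitLab's or Google's code. Input is the
JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Roles that give a pipeline far more than "push an image, deploy one service"
# when bound on the whole project. Assumed review list, not exhaustive.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/run.admin",                       # every Cloud Run service in the project
    "roles/iam.serviceAccountUser",          # act as every service account in the project
    "roles/iam.serviceAccountTokenCreator",  # mint tokens for every service account
}


def pool_bindings(policy: dict, project_number: str, pool_id: str) -> list[dict]:
    """Return the pool's bindings as dicts: role, member, broad, pool_wide, condition."""
    pool = (f"//iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{pool_id}/")
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # principal:// names one subject, principalSet:// a set selected by attribute
            if member.startswith(("principal:", "principalSet:")) and pool in member:
                found.append({
                    "role": binding["role"],
                    "member": member,
                    "broad": binding["role"] in BROAD_ROLES,
                    "pool_wide": member.endswith("/*"),
                    # A conditional binding is narrower than it looks; keep its title.
                    "condition": binding.get("condition", {}).get("title"),
                })
    return found


def report(policy: dict, project_number: str, pool_id: str) -> list[str]:
    """One line per binding, broad and pool-wide grants first."""
    rows = pool_bindings(policy, project_number, pool_id)
    rows.sort(key=lambda r: (not r["broad"], not r["pool_wide"], r["role"]))
    lines = []
    for r in rows:
        flags = []
        if r["broad"]:
            flags.append("BROAD")
        if r["pool_wide"]:
            flags.append("POOL-WIDE")
        if r["condition"]:
            flags.append(f"condition={r['condition']}")
        # The part after the pool ID is the attribute selector (or * for the whole pool).
        selector = r["member"].split(f"/workloadIdentityPools/{pool_id}/", 1)[1]
        lines.append(f"{r['role']:<40} {selector:<32} {' '.join(flags)}".rstrip())
    return lines


# Constructed sample shaped like gcloud's output; 123456789012 / gitlab-wlif are placeholders.
POOL_PREFIX = ("principalSet://iam.googleapis.com/projects/123456789012"
               "/locations/global/workloadIdentityPools/gitlab-wlif/")
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/run.admin",
         "members": [POOL_PREFIX + "attribute.developer_access/true"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": [POOL_PREFIX + "attribute.developer_access/true",
                     "user:alice@example.com"]},
        {"role": "roles/artifactregistry.writer",
         "members": [POOL_PREFIX + "attribute.developer_access/true"]},
        {"role": "roles/viewer",
         "members": [POOL_PREFIX + "*"]},
        {"role": "roles/viewer",
         "members": ["principalSet://iam.googleapis.com/projects/123456789012"
                     "/locations/global/workloadIdentityPools/other-pool/*"]},
    ],
}

if __name__ == "__main__":
    import sys
    # Pass the path of a saved get-iam-policy JSON file, or run without arguments for the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    print("\n".join(report(policy, "123456789012", "gitlab-wlif")))
```

Run it against your own project by saving the policy first (gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json) and passing the file path; the two grants from the bindings above show up flagged BROAD, which is the prompt to move them to the service account or service level.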
In this section, you will use GitLab's CI/CD components to deploy to Cloud Run, Google Cloud's serverless runtime for containers.
Open .gitlab-ci.yaml in the project. Click the file name and the single-file editor will show up. Click the Edit button and select the Open in Web IDE option. Start the file with the pipeline stages:

stages:
  - build
  - upload
  - deploy

This snippet defines the three stages the pipeline runs in order: build, upload, and deploy.
variables:
  GITLAB_IMAGE: $CI_REGISTRY_IMAGE/main:$CI_COMMIT_SHORT_SHA
  AR_IMAGE: $GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_LOCATION-docker.pkg.dev/$GOOGLE_ARTIFACT_REGISTRY_PROJECT_ID/$GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_NAME/main:$CI_COMMIT_SHORT_SHA

The first variable, GITLAB_IMAGE, names the container image the pipeline builds and pushes to the project's GitLab container registry; tagging it with the short commit SHA gives every pipeline run a distinct, traceable image. The second, AR_IMAGE, is the path in Google Cloud's Artifact Registry the image will be copied to. The GOOGLE_ARTIFACT_REGISTRY_* variables are provided by the Artifact Registry integration configured earlier, so the project, repository and location do not have to be hard-coded here.
build:
  image: docker:24.0.5
  stage: build
  services:
    - docker:24.0.5-dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $GITLAB_IMAGE .
    - docker push $GITLAB_IMAGE

The build job uses GitLab's predefined CI/CD variables for the Docker commands: CI_REGISTRY is the project's container registry, and CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are a job-scoped token that is only valid while the job runs, so nothing long-lived is involved. Two points to keep in mind: the docker-in-docker service requires a runner that allows privileged containers, and passing the password with -p puts it on the command line, which Docker itself warns about; the --password-stdin option reads the password from standard input instead.
include:
  - component: gitlab.com/google-gitlab-components/artifact-registry/upload-artifact-registry@main
    inputs:
      stage: upload
      source: $GITLAB_IMAGE
      target: $AR_IMAGE
  - component: gitlab.com/google-gitlab-components/cloud-run/deploy-cloud-run@main
    inputs:
      stage: deploy
      project_id: "<PROJECT_ID>"
      service: "tanuki-racing"
      region: "<REGION>"
      image: $AR_IMAGE

Replace <PROJECT_ID> with your Google Cloud project ID and <REGION> with the Google Cloud region most appropriate to your location (us-central1 is assumed). The first component copies the image from the GitLab container registry to Artifact Registry, and the second deploys that image to a Cloud Run service named tanuki-racing; both authenticate to Google Cloud through the Workload Identity Federation configured earlier, so no service account key is stored in GitLab. Note that @main tracks the component project's main branch, which means each pipeline run executes whatever that branch currently contains; for anything beyond a workshop, pin each component to a release tag or commit SHA.
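The pinning and login points above are easy to check mechanically. The following Python script is an added example (not GitLab's or Google's code) that audits a .gitlab-ci.yaml as raw text, with no YAML library needed, and reports three things: components included at a moving ref such as @main, docker login with the password on the command line, and images referenced by tag only rather than by digest. PAGE_PIPELINE is the tutorial's file as shown in this section; HARDENED_PIPELINE is a constructed variant of it in which the component version 1.0.0 and the sha256 digest are placeholders, not real releases.

```python
"""Flag supply-chain weak spots in a .gitlab-ci.yaml.

Added example for this tutorial, not GitLab's or Google's code. Works on the
raw file text so it runs anywhere without a YAML parser.
"""
import re
from dataclasses import dataclass

COMPONENT_RE = re.compile(r"component:\s*(?P<path>\S+?)@(?P<ref>\S+)")
# A pinned ref is a release tag (semver) or a full 40-hex commit SHA.
PINNED_REF_RE = re.compile(r"^(?:\d+\.\d+\.\d+|[0-9a-f]{40})$")
# "docker login ... -p PW" or "--password PW"; "--password-stdin" does not match.
LOGIN_PW_RE = re.compile(r"docker\s+login\b.*\s(?:-p|--password)(?:\s|=)")
# "image: NAME:TAG" or a "- NAME:TAG" services entry, optionally @sha256:DIGEST.
IMAGE_RE = re.compile(
    r"^\s*(?:image:|-)\s*(?P<image>[\w./-]+:[\w.-]+(?:@sha256:[0-9a-f]{64})?)\s*$")


@dataclass(frozen=True)
class Finding:
    check: str
    line: int
    detail: str


def audit_pipeline(text: str) -> list[Finding]:
    """Return one Finding per weak spot, in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if (m := COMPONENT_RE.search(line)) and not PINNED_REF_RE.match(m["ref"]):
            findings.append(Finding("component-unpinned", n,
                f"{m['path']}@{m['ref']}: pin to a release tag or commit SHA"))
        if LOGIN_PW_RE.search(line):
            findings.append(Finding("docker-login-password", n,
                "password on the command line; use --password-stdin"))
        if (m := IMAGE_RE.match(line)) and "@sha256:" not in m["image"]:
            findings.append(Finding("image-unpinned", n,
                f"{m['image']}: tag only, add @sha256:<digest>"))
    return findings


# The tutorial's pipeline file, embedded here as sample input.
PAGE_PIPELINE = """stages:
  - build
  - upload
  - deploy
variables:
  GITLAB_IMAGE: $CI_REGISTRY_IMAGE/main:$CI_COMMIT_SHORT_SHA
  AR_IMAGE: $GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_LOCATION-docker.pkg.dev/$GOOGLE_ARTIFACT_REGISTRY_PROJECT_ID/$GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_NAME/main:$CI_COMMIT_SHORT_SHA
build:
  image: docker:24.0.5
  stage: build
  services:
    - docker:24.0.5-dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $GITLAB_IMAGE .
    - docker push $GITLAB_IMAGE
include:
  - component: gitlab.com/google-gitlab-components/artifact-registry/upload-artifact-registry@main
    inputs:
      stage: upload
      source: $GITLAB_IMAGE
      target: $AR_IMAGE
  - component: gitlab.com/google-gitlab-components/cloud-run/deploy-cloud-run@main
    inputs:
      stage: deploy
      project_id: "<PROJECT_ID>"
      service: "tanuki-racing"
      region: "<REGION>"
      image: $AR_IMAGE
"""

# Constructed hardened variant: 1.0.0 and the digest are placeholders, not real releases.
FAKE_DIGEST = "0123456789abcdef" * 4
HARDENED_PIPELINE = (
    PAGE_PIPELINE
    .replace("@main", "@1.0.0")
    .replace("docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY",
             'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" '
             '--password-stdin "$CI_REGISTRY"')
    .replace("docker:24.0.5-dind", f"docker:24.0.5-dind@sha256:{FAKE_DIGEST}")
    .replace("docker:24.0.5\n", f"docker:24.0.5@sha256:{FAKE_DIGEST}\n")
)

if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file; without arguments the tutorial's file is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_PIPELINE
    for f in audit_pipeline(text):
        print(f"line {f.line}: {f.check}: {f.detail}")
```

Run against the tutorial's file it reports five findings (two unpinned components, the -p login, and the two tag-only images); against the hardened variant it reports none. The image check is the strictest of the three, and a team may reasonably accept tag-pinned official images, but the component and login findings are worth fixing before the pipeline leaves the workshop.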
Commit the changes and push to the main branch. For reference, the final .gitlab-ci.yaml should look like this, with the <PROJECT_ID> and <REGION> placeholders replaced as described above:

stages:
  - build
  - upload
  - deploy
variables:
  GITLAB_IMAGE: $CI_REGISTRY_IMAGE/main:$CI_COMMIT_SHORT_SHA
  AR_IMAGE: $GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_LOCATION-docker.pkg.dev/$GOOGLE_ARTIFACT_REGISTRY_PROJECT_ID/$GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_NAME/main:$CI_COMMIT_SHORT_SHA
build:
  image: docker:24.0.5
  stage: build
  services:
    - docker:24.0.5-dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $GITLAB_IMAGE .
    - docker push $GITLAB_IMAGE
include:
  - component: gitlab.com/google-gitlab-components/artifact-registry/upload-artifact-registry@main
    inputs:
      stage: upload
      source: $GITLAB_IMAGE
      target: $AR_IMAGE
  - component: gitlab.com/google-gitlab-components/cloud-run/deploy-cloud-run@main
    inputs:
      stage: deploy
      project_id: "<PROJECT_ID>"
      service: "tanuki-racing"
      region: "<REGION>"
      image: $AR_IMAGE
Once the pipeline finishes, a Cloud Run service named tanuki-racing should have been created.

By using GitLab's CI/CD pipelines to build a containerized application and push it to Google Artifact Registry, you can see how GitLab's AI-powered DevSecOps Platform helps build applications securely. GitLab also deployed the container to Google Cloud Run as a low-cost application on the public internet. Driving the build, the registry push and the Cloud Run deployment from one pipeline gives DevOps engineers a traceable path from commit to running service: the deployed image is the one the pipeline built, tagged with the commit SHA, and Google Cloud was reached with short-lived federated credentials rather than keys stored in GitLab.
Sign up for a 60-day free trial of GitLab Ultimate to begin working with these integrations. Also, check out our solutions architecture area for more GitLab and Google Cloud tutorials.