fix(cloudrun): PoC Replace gcloud commands with a Client Library

Author: eapl-gemugami

run/service-auth/build_image.py

@@ -0,0 +1,158 @@
+import os
+import tarfile
+import tempfile
+import time
+
+from google.cloud.devtools import cloudbuild_v1
+from google.cloud.devtools.cloudbuild_v1.types import Build, BuildStep, BuildOptions, Source, StorageSource
+from google.cloud import storage
+
+# from google.api_core.exceptions import NotFound
+
+from deploy import deploy_cloud_run_service
+
+PROJECT_ID = os.environ["GOOGLE_CLOUD_PROJECT"]
+
+def build_image_from_source(
+    project_id: str,
+    region: str,
+    service_name: str,
+    source_directory: str = ".",
+    gcs_bucket_name: str = None,
+    image_tag: str = "latest",
+) -> str | None:
+    """Builds a container image from local source using Google Cloud Build
+    and Google Cloud Buildpacks."""
+
+    build_client = cloudbuild_v1.CloudBuildClient()
+    storage_client = storage.Client(project=project_id)
+
+    if not gcs_bucket_name:
+        gcs_bucket_name = f"{project_id}-cloud-build-source"
+        print(f"GCS bucket name not provided, using {gcs_bucket_name}. Ensure it exists.")
+
+        # TODO: Add bucket creation logic here
+
+    timestamp = int(time.time())
+    gcs_source_object = f"source/{service_name}-{timestamp}.tar.gz"
+
+    # Use a temporary directory for the archive
+    with tempfile.TemporaryDirectory() as tmpdir:
+        source_archive = os.path.join(tmpdir, f"{service_name}-{timestamp}.tar.gz")
+
+        print(f"Packaging source from {source_directory} to {source_archive}")
+        with tarfile.open(source_archive, "w:gz") as tar:
+            # Add files from source_directory directly, arcname='.' means they are at the root of the tar
+            tar.add(source_directory, arcname='.')
+
+        bucket = storage_client.bucket(gcs_bucket_name)
+        blob = bucket.blob(gcs_source_object)
+        print(f"Uploading {source_archive} to gs://{gcs_bucket_name}/{gcs_source_object}")
+        blob.upload_from_filename(source_archive)
+        print("Source uploaded.")
+
+    artifact_registry_repo = "cloud-run-source-deploy"
+    image_name = f"{region}-docker.pkg.dev/{project_id}/{artifact_registry_repo}/{service_name}"
+    full_image_uri = f"{image_name}:{image_tag}"
+
+    # Construct the Build request using the directly imported types
+    build_request = Build(
+        source=Source(
+            storage_source=StorageSource(
+                bucket=gcs_bucket_name,
+                object_=gcs_source_object,
+            )
+        ),
+        images=[full_image_uri],
+        steps=[
+            BuildStep(
+                name="gcr.io/k8s-skaffold/pack",
+                args=[
+                    "build",
+                    full_image_uri,
+                    "--builder", "gcr.io/buildpacks/builder:v1",
+                    "--path", ".",
+                ],
+            )
+        ],
+        timeout={"seconds": 1200},
+        options=BuildOptions(
+            # Example: machine_type=BuildOptions.MachineType.E2_MEDIUM
+        )
+    )
+
+    print(f"Starting Cloud Build for image {full_image_uri}...")
+    operation = build_client.create_build(project_id=project_id, build=build_request)
+
+    # The operation returned by create_build for google-cloud-build v1.x.x
+    # is actually a google.api_core.operation.Operation, which has a `result()` method
+    # or you can poll the build resource itself using build_client.get_build.
+    # The `operation.metadata.build.id` pattern is more for long-running operations from other APIs.
+    # Let's get the build ID from the name which is usually in the format projects/{project_id}/builds/{build_id}
+    build_id = operation.name.split("/")[-1] # Extract build ID from operation.name
+    print(f"Build operation created. Build ID: {build_id}")
+
+    # Get the initial build details to find the log URL
+    initial_build_info = build_client.get_build(project_id=project_id, id=build_id)
+    print(f"Logs URL: {initial_build_info.log_url}")
+    print("Waiting for build to complete...")
+
+    while True:
+        build_info = build_client.get_build(project_id=project_id, id=build_id)
+
+        if build_info.status == Build.Status.SUCCESS:
+            print(f"Build {build_info.id} completed successfully.")
+            print(f"Built image: {full_image_uri}")
+            return full_image_uri
+        elif build_info.status in [
+            Build.Status.FAILURE,
+            Build.Status.INTERNAL_ERROR,
+            Build.Status.TIMEOUT,
+            Build.Status.CANCELLED,
+        ]:
+            print(f"Build {build_info.id} failed with status: {build_info.status.name}")
+            print(f"Logs URL: {build_info.log_url}")
+            return None
+
+        time.sleep(10)
+
+
+if __name__ == "__main__":
+    REGION = "us-central1"
+    SERVICE_NAME = "my-app-from-source"
+    SOURCE_DIRECTORY = "./source/"
+    GCS_BUILD_BUCKET = f"{PROJECT_ID}_cloudbuild_sources"
+
+    ENVIRONMENT_VARIABLES = {
+        # "APP_MESSAGE": "Deployed from source via Python!",
+    }
+
+    built_image_uri = None
+    try:
+        print(f"--- Step 1: Building image for {SERVICE_NAME} from source {SOURCE_DIRECTORY} ---")
+        built_image_uri = build_image_from_source(
+            project_id=PROJECT_ID,
+            region=REGION,
+            service_name=SERVICE_NAME,
+            source_directory=SOURCE_DIRECTORY,
+            gcs_bucket_name=GCS_BUILD_BUCKET
+        )
+
+        if built_image_uri:
+            print(f"\n--- Step 2: Deploying image {built_image_uri} to Cloud Run service {SERVICE_NAME} ---")
+            deploy_cloud_run_service(
+                project_id=PROJECT_ID,
+                region=REGION,
+                service_name=SERVICE_NAME,
+                image_uri=built_image_uri,
+                env_vars=ENVIRONMENT_VARIABLES,
+                allow_unauthenticated=True,
+            )
+            print(f"\n--- Deployment process for {SERVICE_NAME} finished ---")
+        else:
+            print(f"Image build failed for {SERVICE_NAME}. Deployment aborted.")
+
+    except Exception as e:
+        print(f"An error occurred during the build or deployment process: {e}")
+        import traceback
+        traceback.print_exc()

run/service-auth/deploy.py

@@ -0,0 +1,159 @@
+import os
+from google.cloud import run_v2
+from google.cloud.run_v2 import types
+from google.cloud.run_v2.types import revision_template as revision_template_types
+from google.cloud.run_v2.types import k8s_min as k8s_min_types
+from google.protobuf import field_mask_pb2
+
+from google.api_core.exceptions import NotFound
+
+from google.iam.v1 import policy_pb2, iam_policy_pb2
+
+PROJECT_ID = os.environ["GOOGLE_CLOUD_PROJECT"]
+
+
+def deploy_cloud_run_service(
+    project_id: str,
+    region: str,
+    service_name: str,
+    image_uri: str,
+    env_vars: dict = None,
+    memory_limit: str = "512Mi",
+    cpu_limit: str = "1",
+    port: int = 8080,
+    allow_unauthenticated: bool = True,
+):
+    """Deploys or updates a Cloud Run service using the Python client library."""
+    client = run_v2.ServicesClient()
+
+    parent = f"projects/{project_id}/locations/{region}"
+    full_service_name = f"{parent}/services/{service_name}"
+
+    container = types.Container(
+        image=image_uri,
+        ports=[k8s_min_types.ContainerPort(container_port=port)],
+        resources=k8s_min_types.ResourceRequirements(
+            limits={"cpu": cpu_limit, "memory": memory_limit}
+        ),
+    )
+
+    if env_vars:
+        container.env = [
+            k8s_min_types.EnvVar(name=key, value=value) for key, value in env_vars.items()
+        ]
+
+    service_config = types.service.Service(
+        name=full_service_name,
+        template=revision_template_types.RevisionTemplate(
+            containers=[container],
+            scaling=types.RevisionScaling(
+                min_instance_count=0,
+                max_instance_count=1,
+            ),
+        ),
+        traffic=[
+            types.TrafficTarget(
+                type_=types.TrafficTargetAllocationType.TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST,
+                percent=100,
+            )
+        ]
+    )
+
+    deployed_service = None
+    try:
+        client.get_service(name=full_service_name)
+        print(f"Service {service_name} found. Attempting to update...")
+
+        update_mask = field_mask_pb2.FieldMask()
+        update_mask.paths.append("template")
+        update_mask.paths.append("traffic")
+
+        operation = client.update_service(service=service_config, field_mask=update_mask)
+        print(f"Update operation started for service {service_name}: {operation.operation.name}")
+        deployed_service = operation.result()
+        print(f"Service {service_name} updated successfully: {deployed_service.uri}")
+
+    except NotFound as e:
+        print(f"Service {service_name} not found. Attempting to create...")
+        service_config.name = "" # API will construct the full name based on service_id
+
+        operation = client.create_service(
+            parent=parent,
+            service=service_config,
+            service_id=service_name,
+        )
+        print(f"Create operation started for service {service_name}: {operation.operation.name}")
+        deployed_service = operation.result()
+        print(f"Service {service_name} created successfully: {deployed_service.uri}")
+    except Exception as e:
+            print(f"An error occurred during service deployment: {e}")
+            raise
+
+    # --- Allow unauthenticated requests if requested ---
+    if deployed_service and allow_unauthenticated:
+        try:
+            print(f"Attempting to allow unauthenticated access for {service_name}...")
+            # Get the current IAM policy
+            # The resource path for IAM is the full service name
+            policy_request = iam_policy_pb2.GetIamPolicyRequest(resource=deployed_service.name)
+            current_policy = client.get_iam_policy(request=policy_request)
+
+            # Create a new binding for allUsers
+            new_binding = policy_pb2.Binding(
+                role="roles/run.invoker",
+                members=["allUsers"],
+            )
+
+            # Add the new binding to the policy
+            # Be careful not to remove existing bindings.
+            # Check if this binding already exists to avoid duplicates (optional but good practice)
+            binding_exists = False
+            for binding in current_policy.bindings:
+                if binding.role == new_binding.role and "allUsers" in binding.members:
+                    print(f"Binding for allUsers with role {new_binding.role} already exists.")
+                    binding_exists = True
+                    break
+
+            if not binding_exists:
+                current_policy.bindings.append(new_binding)
+
+                set_policy_request = iam_policy_pb2.SetIamPolicyRequest(
+                    resource=deployed_service.name,
+                    policy=current_policy,
+                )
+                client.set_iam_policy(request=set_policy_request)
+                print(f"Successfully allowed unauthenticated access for {service_name}.")
+            else:
+                # If you want to ensure the policy is set even if only other bindings change,
+                # you might still call set_iam_policy here, but for just adding allUsers,
+                # this check avoids an unnecessary API call if it's already public.
+                pass
+
+
+        except Exception as e:
+            print(f"Failed to set IAM policy for unauthenticated access: {e}")
+            # Depending on requirements, you might want to raise this error or just log it.
+
+    return deployed_service
+
+
+if __name__ == "__main__":
+    REGION = "us-central1"
+    SERVICE_NAME = "my-python-deployed-service"
+    IMAGE_URI = "gcr.io/cloudrun/hello"
+
+    # Optional environment variables
+    ENVIRONMENT_VARIABLES = {}
+
+    deploy_cloud_run_service(
+            project_id=PROJECT_ID,
+            region=REGION,
+            service_name=SERVICE_NAME,
+            image_uri=IMAGE_URI,
+            env_vars=ENVIRONMENT_VARIABLES,
+        )
+
+    try:
+        pass
+    except Exception as e:
+        print(f"Deployment failed: {e}")

run/service-auth/receive.py

@@ -17,7 +17,7 @@
 For example for Cloud Run or Cloud Functions.
 """
 
-# This sample will be migrated to app.py
+# This sample is marked to be migrated to app.py
 
 # [START auth_validate_and_decode_bearer_token_on_flask]
 # [START cloudrun_service_to_service_receive]

run/service-auth/receive_auth_requests_test.py

@@ -23,6 +23,7 @@
 import backoff
 
 from google.auth.transport import requests as transport_requests
+from google.cloud import run_v2
 from google.oauth2 import id_token
 
 import pytest
@@ -32,6 +33,7 @@
 from requests.packages.urllib3.util.retry import Retry
 from requests.sessions import Session
 
+
 PROJECT_ID = os.environ["GOOGLE_CLOUD_PROJECT"]
 
 STATUS_FORCELIST = [

run/service-auth/requirements.txt

@@ -1,5 +1,6 @@
 google-auth==2.40.1
 google-cloud-run==0.10.18
+google-cloud-build==3.31.1
 requests==2.32.3
 Flask==3.1.0
 gunicorn==23.0.0