README
¶
Berglas App Engine (Flex) Example - Go
This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.
-
Make sure you are in the
examples/appengineflex/gofolder before continuing! -
Enable the App Engine Flex API (this only needs to be done once per project):
gcloud services enable --project ${PROJECT_ID} \ appengineflex.googleapis.com -
Export the environment variables for your configuration:
Using Secret Manager storage:
export PROJECT_ID=my-projectUsing Cloud Storage storage:
export PROJECT_ID=my-project export BUCKET_ID=my-bucket export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key -
Create two secrets using the
berglasCLI (see README for installation instructions):Using Secret Manager storage:
berglas create sm://${PROJECT_ID}/api-key "xxx-yyy-zzz"berglas create sm://${PROJECT_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..."Using Cloud Storage storage:
berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \ --key ${KMS_KEY}berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \ --key ${KMS_KEY} -
Get the App Engine service account email:
PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)') export SA_EMAIL=service-${PROJECT_NUMBER}@gae-api-prod.google.com.iam.gserviceaccount.com -
Grant the service account access to the secrets:
Using Secret Manager storage:
berglas grant sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL} berglas grant sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}Using Google Cloud storage:
berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL} berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL} -
Vendor the dependencies:
go mod vendor -
Build a container using Cloud Build and publish it to Container Registry:
gcloud builds submit \ --project ${PROJECT_ID} \ --tag gcr.io/${PROJECT_ID}/berglas-example-go:0.0.1 \ . -
Create environment:
cat > env.yaml <<EOF env_variables: API_KEY: berglas://${BUCKET_ID}/api-key TLS_KEY: berglas://${BUCKET_ID}/tls-key?destination=tempfile EOF -
Deploy the container on GAE:
gcloud app deploy \ --project ${PROJECT_ID} \ --image-url gcr.io/${PROJECT_ID}/berglas-example-go:0.0.1 \ --quiet -
Access the service:
curl $(gcloud app services browse berglas-example-go --no-launch-browser --project ${PROJECT_ID} --format 'value(url)') -
(Optional) Cleanup the deployment:
gcloud app services delete berglas-example-go \ --quiet \ --project ${PROJECT_ID}IMAGE=gcr.io/${PROJECT_ID}/berglas-example-go for DIGEST in $(gcloud container images list-tags ${IMAGE} --format='get(digest)'); do gcloud container images delete --quiet --force-delete-tags "${IMAGE}@${DIGEST}" done -
(Optional) Revoke access to the secrets:
Using Secret Manager storage:
berglas revoke sm://${PROJECT_ID}/api-key --member serviceAccount:${SA_EMAIL} berglas revoke sm://${PROJECT_ID}/tls-key --member serviceAccount:${SA_EMAIL}Using Cloud Storage storage:
berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL} berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
Documentation
¶
There is no documentation for this package.
Source Files