Nowadays, CI/CD is a common task during Software Development and almost all platforms enable us to do this automatically. It is not different on Gitlab.
Today, I'll show you how to configure your Gitlab project to automatically deploy to Google Cloud App Engine.
Google Cloud part
First things first
First, you need to setup your App Engine project on GCP console. It is necessary because App Engine requires you to set the region of your app.
If you didn't do this, first you will need to setup using this cmd:
and follow the instructions.
Updates
The stesp below were made a few years ago, so some permissions were changed.
To simplify the process, I paste here a script. Take a look, and change the appropriated information:
export SA_NAME=gitlab-sa
export GCLOUD_PROJECT=<YOUR_PROJECT_ID_HERE>
export SA_EMAIL=${SA_NAME}@${GCLOUD_PROJECT}.iam.gserviceaccount.com
gcloud services enable appengine.googleapis.com cloudbuild.googleapis.com
gcloud iam service-accounts create ${SA_NAME} --display-name 'Gitlab Service Account to deploy' --project ${GCLOUD_PROJECT}
gcloud iam service-accounts keys create ${SA_NAME}.json --iam-account=SA_EMAIL --project ${GCLOUD_PROJECT}
cat ${SA_NAME}.json
Copy the JSON content and save to include in the Gitlab CICD variables page.
Now continue the process, giving to the service account some permissions:
gcloud projects add-iam-policy-binding ${GCLOUD_PROJECT} \
--member="serviceAccount:${SA_EMAIL}" \
--role=roles/appengine.appAdmin
gcloud projects add-iam-policy-binding ${GCLOUD_PROJECT} \
--member="serviceAccount:${SA_EMAIL}" \
--role=roles/storage.objectAdmin
gcloud projects add-iam-policy-binding ${GCLOUD_PROJECT} \
--member="serviceAccount:${SA_EMAIL}" \
--role=roles/iam.serviceAccountUser
gcloud projects add-iam-policy-binding ${GCLOUD_PROJECT} \
--member="serviceAccount:${SA_EMAIL}" \
--role=roles/cloudbuild.builds.builder
Service Account and Permissions
Jump to Gitlab Config part, if you already did the script above.
The entire process should be made without human intervention. So, to do this on GCP you'll need a Service Account.
~~First, create a Service Account to be used during the process: ~~Service Account Create
Step2: Critical step, here you MUST give all those permissions. Without them, the automation will not work properly.
In the last step, you should open the file and copy the content. This content will be necessary to configure the Gitlab.
API Enabling
Some APIs must be enabled before trying to run the deploy.
-
Enable the App Engine Admin API, here:
Enable App Engine Admin API -
Enable Cloud Builder API: Cloud Builder API Enable
Gitlab Config
Now you have all done on GCP, Gitlab part!
Go to your project and configure the CI/CD options:
Instead of having the content of your Service Account in a file inside your repository, a best practice is to have this as a variable. So, configure a variable, following the image:
Gitlab CI file descriptor
To enable all these pieces together is required to "tell" to Gitlab: "Please my friend, run all these now". To do this, you should create a file in your repository called .gitlab-ci.yml, this file describes what you want to do.
File content available here.
https://gitlab.com/giulianobr/simple-go-app/blob/235de13e310d7614f9b8cb2dab0f804c6b82a041/.gitlab-ci.yml
The CI process runs inside the container platform in Gitlab. At the glance, it seems like a Dockerfile, as you should define and base image where your deploy will run.
In this case, I'm using Google's base image that contains the Google Cloud SDK already installed.
To understand more about all configs available on Gitlab CI, take a look here.
Conclusion
This post aims to help you to deploy an app to App Engine Standard. As my example is a Golang app in the 2nd gen runtime, it is a bit easier. To deploy a Java 8 app is a little bit different. If you want any help to setup your Java 8 app, ask me in the comments, I also have an example for this scenario.
I hope it helps you, people!
See you soon.
You can find this project in my Gitlab project.
Top comments (1)
Great guide - thanks!
Looks like a few things have changed since this was written.
You now create keys after you've created the service account. So in that step you go to your Service Accounts list, find the one you just created, hit the hamburger button / more options, and then generate the key from there.
You'll now need to give your account the App Engine x environment Service Agent role, where x is Flexible or Standard. There's a lot of discussion about the best way to give access to this role here (stackoverflow.com/questions/642364...) but that role should do it.