docs: Cloud Run / GCP Serverless (#1101)

* Add GCP Serverless and Cloud Run docs
2025-08-02 16:30:17 +02:00 · 2020-07-20 14:00:52 -04:00 · 2020-07-20 14:00:52 -04:00 · a1b6bfec56
commit a1b6bfec56
parent e8d3ce1a2e
15 changed files with 234 additions and 1 deletions
--- a/examples/cloudrun/README.md
+++ b/examples/cloudrun/README.md
@ -0,0 +1,33 @@
+# Pomerium on Cloud Run
+
+Run this demo with gcloud command line configured for your project.  The commands assume 
+all resources (Cloud Run, Cloud DNS, and Secret Manager) are in a single project.  
+
+We recommend a dedicated project that is easy to clean up.
+
+## Note
+When deployed to [Cloud Run](https://cloud.google.com/run), your protected application must authenticate requests from Pomerium
+by either inspecting the [X-Pomerium-Jwt-Assertion](https://www.pomerium.com/docs/reference/getting-users-identity.html),
+or [GCP Serverless Authorization](https://cloud.google.com/run/docs/authenticating/service-to-service) header.
+
+This demo includes a Cloud Run target configured to only accept requests from the Pomerium deployment.
+
+## Includes
+
+- Authentication and Authorization managed by pomerium
+- Custom Cloud Run domains
+- Cloud Run target
+- HTTPBin target
+
+## How
+
+- Update `config.yaml` for your e-mail address, if not using gmail/google.
+- Replace secrets in `config.yaml`.
+- Replace `cloudrun.pomerium.io` with your own domain.
+- Update your DNS
+- Deploy config.yaml to Secret Manager
+- Deploy the demo hello world app
+- Deploy pomerium with policy
+- Navigate to `https://httpbin.cloudrun.pomerium.io`
+- Navigate to `https://hello-direct.cloudrun.pomerium.io`
+- Navigate to `https://hello.cloudrun.pomerium.io`
--- a/examples/cloudrun/config.yaml
+++ b/examples/cloudrun/config.yaml
@ -0,0 +1,7 @@
+# config.yaml
+authenticate_service_url: https://authn.cloudrun.pomerium.io
+shared_secret: XXXXXX
+cookie_secret: XXXXXX
+idp_provider: "google"
+idp_client_id: XXXXXX
+idp_client_secret: "XXXXXX"
--- a/examples/cloudrun/deploy.sh
+++ b/examples/cloudrun/deploy.sh
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Install gcloud beta
+gcloud components install beta
+
+# Capture current project number
+PROJECT=$(gcloud projects describe $(gcloud config get-value project) --format='get(projectNumber)')
+
+# Point a wildcard domain of *.cloudrun.pomerium.io to the cloudrun front end
+gcloud dns record-sets import --zone pomerium-io zonefile --zone-file-format
+
+# Deploy our protected application and associate a DNS name
+gcloud run deploy hello --image=gcr.io/cloudrun/hello --region us-central1 --platform managed --no-allow-unauthenticated
+gcloud run services add-iam-policy-binding hello --platform managed --region us-central1 \
+    --member=serviceAccount:${PROJECT}-compute@developer.gserviceaccount.com \
+    --role=roles/run.invoker
+gcloud beta run domain-mappings --platform managed --region us-central1 create --service=hello --domain hello-direct.cloudrun.pomerium.io
+
+# Rewrite policy file with unique 'hello' service URL
+HELLO_URL=$(gcloud run services describe hello --platform managed --region us-central1 --format 'value(status.address.url)') envsubst <policy.template.yaml >policy.yaml
+
+# Install our base configuration in a GCP secret
+gcloud secrets create --data-file config.yaml pomerium-config --replication-policy automatic
+
+# Grant the default compute account access to the secret
+gcloud secrets add-iam-policy-binding pomerium-config \
+    --member=serviceAccount:${PROJECT}-compute@developer.gserviceaccount.com \
+    --role=roles/secretmanager.secretAccessor
+
+# Deploy pomerium with policy and configuration references
+gcloud run deploy pomerium --region us-central1 --platform managed --allow-unauthenticated --max-instances 1 \
+    --image=gcr.io/pomerium-io/pomerium:v0.10.0-rc2-cloudrun \
+    --set-env-vars VALS_FILES="/pomerium/config.yaml:ref+gcpsecrets://${PROJECT}/pomerium-config",POLICY=$(base64 policy.yaml)
+
+# Set domain mappings for the protected routes and authenticate
+gcloud beta run domain-mappings --platform managed --region us-central1 create --service=pomerium --domain hello.cloudrun.pomerium.io
+gcloud beta run domain-mappings --platform managed --region us-central1 create --service=pomerium --domain authn.cloudrun.pomerium.io
+gcloud beta run domain-mappings --platform managed --region us-central1 create --service=pomerium --domain httpbin.cloudrun.pomerium.io
--- a/examples/cloudrun/policy.template.yaml
+++ b/examples/cloudrun/policy.template.yaml
@ -0,0 +1,11 @@
+# policy.template.yaml
+- from: https://hello.cloudrun.pomerium.io
+  to: ${HELLO_URL}
+  allowed_domains:
+    - gmail.com
+  enable_google_cloud_serverless_authentication: true
+- from: https://httpbin.cloudrun.pomerium.io
+  to: https://httpbin.org
+  pass_identity_headers: true
+  allowed_domains:
+    - gmail.com
--- a/examples/cloudrun/zonefile.txt
+++ b/examples/cloudrun/zonefile.txt
@ -0,0 +1,2 @@
+; zonefile.txt
+*.cloudrun.pomerium.io. 18000 IN CNAME ghs.googlehosted.com.