RunJob
| Property | Value |
|---|---|
| Google Cloud Service Name | Run |
| Google Cloud Service Documentation | /run/docs/ |
| Google Cloud REST Resource Name | v2.projects.locations.jobs |
| Google Cloud REST Resource Documentation | /run/docs/reference/rest/v2/projects.locations.jobs |
| Config Connector Resource Short Names | gcprunjob gcprunjobs runjob |
| Config Connector Service Name | run.googleapis.com |
| Config Connector Resource Fully Qualified Name | runjobs.run.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
| Supports IAM Conditions | No |
| Supports IAM Audit Configs | No |
| IAM External Reference Format |
projects/{{project}}/locations/{{location}}/jobs/{{name}} |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
annotations:
string: string
binaryAuthorization:
breakglassJustification: string
useDefault: boolean
client: string
clientVersion: string
launchStage: string
location: string
projectRef:
external: string
kind: string
name: string
namespace: string
resourceID: string
template:
annotations:
string: string
parallelism: integer
taskCount: integer
template:
containers:
- args:
- string
command:
- string
dependsOn:
- string
env:
- name: string
value: string
valueSource:
secretKeyRef:
secretRef:
external: string
name: string
namespace: string
versionRef:
external: string
name: string
namespace: string
image: string
livenessProbe:
failureThreshold: integer
httpGet:
httpHeaders:
- name: string
value: string
path: string
port: integer
initialDelaySeconds: integer
periodSeconds: integer
tcpSocket:
port: integer
timeoutSeconds: integer
name: string
ports:
- containerPort: integer
name: string
resources:
limits:
string: string
startupProbe:
failureThreshold: integer
httpGet:
httpHeaders:
- name: string
value: string
path: string
port: integer
initialDelaySeconds: integer
periodSeconds: integer
tcpSocket:
port: integer
timeoutSeconds: integer
volumeMounts:
- mountPath: string
name: string
workingDir: string
encryptionKeyRef:
external: string
name: string
namespace: string
executionEnvironment: string
maxRetries: integer
serviceAccountRef:
external: string
name: string
namespace: string
timeout: string
volumes:
- cloudSqlInstance:
instanceRefs:
- external: string
name: string
namespace: string
emptyDir:
medium: string
sizeLimit: string
name: string
secret:
defaultMode: integer
items:
- mode: integer
path: string
versionRef:
external: string
name: string
namespace: string
secretRef:
external: string
name: string
namespace: string
vpcAccess:
connectorRef:
external: string
name: string
namespace: string
egress: string
networkInterfaces:
- networkRef:
external: string
name: string
namespace: string
subnetworkRef:
external: string
name: string
namespace: string
tags:
- string
| Fields | |
|---|---|
|
Optional |
Optional. User-provided annotations, which are stored in Google Cloud. |
|
Optional |
Optional. Settings for Binary Authorization feature. |
|
Optional |
Optional. If present, indicates to use Breakglass using this justification. If use_default is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass |
|
Optional |
Optional. If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled. |
|
Optional |
Optional. Arbitrary identifier for the API client. |
|
Optional |
Optional. Arbitrary version identifier for the API client. |
|
Optional |
Optional. The launch stage of the job. Possible values are `LAUNCH_STAGE_UNSPECIFIED`, `UNIMPLEMENTED`, `PRELAUNCH`, `EARLY_ACCESS`, `ALPHA`, `BETA`, `GA`, `DEPRECATED`. |
|
Optional |
The location of the cloud run job |
|
Optional |
The project that this resource belongs to. |
|
Optional |
The `projectID` field of a project, when not managed by Config Connector. |
|
Optional |
The kind of the Project resource; optional but must be `Project` if provided. |
|
Optional |
The `name` field of a `Project` resource. |
|
Optional |
The `namespace` field of a `Project` resource. |
|
Optional |
The RunJob name. If not given, the metadata.name will be used. |
|
Required |
Required. The template used to create executions for this Job. |
|
Optional |
Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 ExecutionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules. |
|
Optional |
Optional. Specifies the maximum desired number of tasks the execution should run at given time. When the job is run, if this field is 0 or unset, the maximum possible value will be used for that execution. The actual number of tasks running in steady state will be less than this number when there are fewer tasks waiting to be completed remaining, for example when the work left to do is less than max parallelism. |
|
Optional |
Specifies the desired number of tasks the execution should run. Setting to 1 means that parallelism is limited to 1 and the success of that task signals the success of the execution. Defaults to 1. |
|
Optional |
Required. Describes the task(s) that will be created when executing an execution. |
|
Optional |
Holds the single container that defines the unit of execution for this task. |
|
Optional |
|
|
Optional |
Arguments to the entrypoint. The docker image's CMD is used if this is not provided. |
|
Optional |
|
|
Optional |
Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. |
|
Optional |
|
|
Optional |
Names of the containers that must start before this container. |
|
Optional |
|
|
Optional |
List of environment variables to set in the container. |
|
Optional |
|
|
Optional |
Required. Name of the environment variable. Must not exceed 32768 characters. |
|
Optional |
Literal value of the environment variable. Defaults to "", and the maximum length is 32768 bytes. Variable references are not supported in Cloud Run. |
|
Optional |
Source for the environment variable's value. |
|
Optional |
Selects a secret and a specific version from Cloud Secret Manager. |
|
Optional |
Required. The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} |
|
Optional |
A reference to an externally managed SecretManagerSecret resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/secrets/{{secretID}}". |
|
Optional |
The name of a SecretManagerSecret resource. |
|
Optional |
The namespace of a SecretManagerSecret resource. |
|
Optional |
The Cloud Secret Manager secret version. Can be 'latest' for the latest version, an integer for a specific version, or a version alias. |
|
Optional |
A reference to an externally managed SecretManagerSecretVersion resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/secretversions/{{secretversionID}}". |
|
Optional |
The name of a SecretManagerSecretVersion resource. |
|
Optional |
The namespace of a SecretManagerSecretVersion resource. |
|
Optional |
Required. Name of the container image in Dockerhub, Google Artifact Registry, or Google Container Registry. If the host is not provided, Dockerhub is assumed. |
|
Optional |
Periodic probe of container liveness. Container will be restarted if the probe fails. |
|
Optional |
Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
|
Optional |
Optional. HTTPGet specifies the http request to perform. Exactly one of httpGet, tcpSocket, or grpc must be specified. |
|
Optional |
Optional. Custom headers to set in the request. HTTP allows repeated headers. |
|
Optional |
|
|
Optional |
Required. The header field name |
|
Optional |
Optional. The header field value |
|
Optional |
Optional. Path to access on the HTTP server. Defaults to '/'. |
|
Optional |
Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. |
|
Optional |
Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. |
|
Optional |
Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. |
|
Optional |
Optional. TCPSocket specifies an action involving a TCP port. Exactly one of httpGet, tcpSocket, or grpc must be specified. |
|
Optional |
Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. |
|
Optional |
Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than period_seconds. |
|
Optional |
Name of the container specified as a DNS_LABEL (RFC 1123). |
|
Optional |
List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on. |
|
Optional |
|
|
Optional |
Port number the container listens on. This must be a valid TCP port number, 0 < container_port < 65536. |
|
Optional |
If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c". |
|
Optional |
Compute Resource requirements by this container. |
|
Optional |
Only `memory` and `cpu` keys in the map are supported. Notes:
|
|
Optional |
Startup probe of application within the container. All other probes are disabled if a startup probe is provided, until it succeeds. Container will not be added to service endpoints if the probe fails. |
|
Optional |
Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
|
Optional |
Optional. HTTPGet specifies the http request to perform. Exactly one of httpGet, tcpSocket, or grpc must be specified. |
|
Optional |
Optional. Custom headers to set in the request. HTTP allows repeated headers. |
|
Optional |
|
|
Optional |
Required. The header field name |
|
Optional |
Optional. The header field value |
|
Optional |
Optional. Path to access on the HTTP server. Defaults to '/'. |
|
Optional |
Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. |
|
Optional |
Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. |
|
Optional |
Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. |
|
Optional |
Optional. TCPSocket specifies an action involving a TCP port. Exactly one of httpGet, tcpSocket, or grpc must be specified. |
|
Optional |
Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. |
|
Optional |
Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than period_seconds. |
|
Optional |
Volume to mount into the container's filesystem. |
|
Optional |
|
|
Optional |
Required when volumeMounts are set. Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be `/cloudsql`. All instances defined in the Volume will be available as `/cloudsql/[instance]`. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run |
|
Optional |
Required. This must match the Name of a Volume. |
|
Optional |
Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. |
|
Optional |
A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek |
|
Optional |
A reference to an externally managed KMSCryptoKey. Should be in the format `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]/cryptoKeys/[key]`. |
|
Optional |
The `name` of a `KMSCryptoKey` resource. |
|
Optional |
The `namespace` of a `KMSCryptoKey` resource. |
|
Optional |
Optional. The execution environment being used to host this Task. |
|
Optional |
Number of retries allowed per Task, before marking this Task failed. Defaults to 3. |
|
Optional |
Optional. Email address of the IAM service account associated with the Task of a Job. The service account represents the identity of the running task, and determines what permissions the task has. If not provided, the task will use the project's default service account. |
|
Optional |
The `email` field of an `IAMServiceAccount` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
Optional. Max allowed time duration the Task may be active before the system will actively try to mark it failed and kill associated containers. This applies per attempt of a task, meaning each retry can run for the full timeout. Defaults to 600 seconds. |
|
Optional |
Optional. A list of Volumes to make available to containers. |
|
Optional |
|
|
Optional |
For Cloud SQL volumes, contains the specific instances that should be mounted. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. |
|
Optional |
Format: {project}:{location}:{instance}. The Cloud SQL instance connection names, as can be found in https://console.cloud.google.com/sql/instances. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. |
|
Optional |
The SQLInstance selfLink, when not managed by Config Connector. |
|
Optional |
The `name` field of a `SQLInstance` resource. |
|
Optional |
The `namespace` field of a `SQLInstance` resource. |
|
Optional |
Ephemeral storage used as a shared volume. |
|
Optional |
Optional. The medium on which the data is stored. Supported values are |
|
Optional |
Limit on the storage usable by this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers. The default is nil which means that the limit is undefined. More info: https://cloud.google.com/run/docs/configuring/in-memory-volumes#configure-volume. Info in Kubernetes: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir |
|
Optional |
Required. Volume's name. |
|
Optional |
Secret represents a secret that should populate this volume. |
|
Optional |
Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting. This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. For example, to set mode u=rw,g=r (640), you can specify 0640 (octal) or 416 (decimal). This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. |
|
Optional |
If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version. |
|
Optional |
|
|
Optional |
Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used. Internally, a umask of 0222 will be applied to any non-zero value. This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. For example, to set mode u=rw,g=r (640), you can specify 0640 (octal) or 416 (decimal). This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. |
|
Optional |
Required. The relative path of the secret in the container. |
|
Optional |
The Cloud Secret Manager secret version. Can be 'latest' for the latest value, or an integer or a secret alias for a specific version. |
|
Optional |
A reference to an externally managed SecretManagerSecretVersion resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/secretversions/{{secretversionID}}". |
|
Optional |
The name of a SecretManagerSecretVersion resource. |
|
Optional |
The namespace of a SecretManagerSecretVersion resource. |
|
Optional |
Required. The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project. |
|
Optional |
A reference to an externally managed SecretManagerSecret resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/secrets/{{secretID}}". |
|
Optional |
The name of a SecretManagerSecret resource. |
|
Optional |
The namespace of a SecretManagerSecret resource. |
|
Optional |
Optional. VPC Access configuration to use for this Task. For more information, visit https://cloud.google.com/run/docs/configuring/connecting-vpc. |
|
Optional |
VPC Access connector name. Format: `projects/{project}/locations/{location}/connectors/{connector}`, where `{project}` can be project id or number. For more information on sending traffic to a VPC network via a connector, visit https://cloud.google.com/run/docs/configuring/vpc-connectors. |
|
Optional |
A reference to an externally managed VPCAccessConnector resource. Should be in the format `projects/{project_id}/locations/{location}/connectors/{connector_id}` |
|
Optional |
The name of a VPCAccessConnector resource. |
|
Optional |
The namespace of a VPCAccessConnector resource. |
|
Optional |
Optional. Traffic VPC egress settings. If not provided, it defaults to PRIVATE_RANGES_ONLY. |
|
Optional |
Optional. Direct VPC egress settings. Currently only single network interface is supported. |
|
Optional |
|
|
Optional |
Optional. The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork. |
|
Optional |
The value of an externally managed ComputeNetwork resource. Should be in the format "https://www.googleapis.com/compute/{{version}}/projects/{{projectId}}/global/networks/{{networkId}}" or "projects/{{projectId}}/global/networks/{{networkId}}" |
|
Optional |
The name of a ComputeNetwork resource. |
|
Optional |
The namespace of a ComputeNetwork resource. |
|
Optional |
Optional. The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used. |
|
Optional |
The ComputeSubnetwork selflink of form "projects/{{project}}/regions/{{region}}/subnetworks/{{name}}", when not managed by Config Connector. |
|
Optional |
The `name` field of a `ComputeSubnetwork` resource. |
|
Optional |
The `namespace` field of a `ComputeSubnetwork` resource. |
|
Optional |
Optional. Network tags applied to this Cloud Run resource. |
|
Optional |
|
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
createTime: string
creator: string
deleteTime: string
etag: string
executionCount: integer
expireTime: string
externalRef: string
lastModifiedCookie: string
lastModifier: string
latestCreatedExecution:
- completionStatus: string
completionTime: string
createTime: string
deleteTime: string
name: string
observedGeneration: integer
reconciling: boolean
terminalCondition:
- executionReason: string
lastTransitionTime: string
message: string
reason: string
revisionReason: string
severity: string
state: string
type: string
uid: string
updateTime: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observations of the object's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
createTime |
Output only. The creation time. |
creator |
Output only. Email address of the authenticated creator. |
deleteTime |
Output only. The deletion time. It is only populated as a response to a Delete request. |
etag |
Output only. A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates. |
executionCount |
Output only. Number of executions created for this job. |
expireTime |
Output only. For a deleted resource, the time after which it will be permanently deleted. |
externalRef |
A unique specifier for the RunJob resource in Google Cloud. |
lastModifiedCookie |
LastModifiedCookie contains hashes of the last applied spec and the last observed Google Cloud state. The format is " |
lastModifier |
Output only. Email address of the last authenticated modifier. |
latestCreatedExecution |
Output only. Name of the last created execution. |
latestCreatedExecution[] |
|
latestCreatedExecution[].completionStatus |
Status for the execution completion. |
latestCreatedExecution[].completionTime |
Creation timestamp of the execution. |
latestCreatedExecution[].createTime |
Creation timestamp of the execution. |
latestCreatedExecution[].deleteTime |
The deletion time of the execution. It is only populated as a response to a Delete request. |
latestCreatedExecution[].name |
Name of the execution. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
reconciling |
Output only. Returns true if the Job is currently being acted upon by the system to bring it into the desired state. When a new Job is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Job to the desired state. This process is called reconciliation. While reconciliation is in process, `observed_generation` and `latest_succeeded_execution`, will have transient values that might mismatch the intended state: Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the state matches the Job, or there was an error, and reconciliation failed. This state can be found in `terminal_condition.state`. If reconciliation succeeded, the following fields will match: `observed_generation` and `generation`, `latest_succeeded_execution` and `latest_created_execution`. If reconciliation failed, `observed_generation` and `latest_succeeded_execution` will have the state of the last succeeded execution or empty for newly created Job. Additional information on the failure can be found in `terminal_condition` and `conditions`. |
terminalCondition |
Output only. The Condition of this Job, containing its readiness status, and detailed error information in case it did not reach the desired state. |
terminalCondition[] |
|
terminalCondition[].executionReason |
A reason for the execution condition. |
terminalCondition[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
terminalCondition[].message |
Human readable message indicating details about the current status. |
terminalCondition[].reason |
A common (service-level) reason for this condition. |
terminalCondition[].revisionReason |
A reason for the revision condition. |
terminalCondition[].severity |
How to interpret failures of this condition, one of Error, Warning, Info |
terminalCondition[].state |
State of the condition. |
terminalCondition[].type |
type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready. |
uid |
Output only. Server assigned unique identifier for the Execution. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted. |
updateTime |
Output only. The last-modified time. |
Sample YAML(s)
Basic Job
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: run.cnrm.cloud.google.com/v1beta1
kind: RunJob
metadata:
name: runjob-sample
spec:
launchStage: "GA"
location: "us-central1"
projectRef:
external: ${PROJECT_ID?}
template:
template:
containers:
- image: "us-docker.pkg.dev/cloudrun/container/hello"
Job With IAMServiceAccount
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: run.cnrm.cloud.google.com/v1beta1
kind: RunJob
metadata:
name: runjob-sample-iamserviceaccount
spec:
launchStage: "GA"
location: "us-central1"
projectRef:
external: ${PROJECT_ID?}
template:
template:
containers:
- image: "us-docker.pkg.dev/cloudrun/container/hello"
serviceAccountRef:
name: runjob-dep-iamserviceaccount
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: runjob-dep-iamserviceaccount
spec:
displayName: runjob-dep-iamserviceaccount
Job With KMSCryptoKey
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: run.cnrm.cloud.google.com/v1beta1
kind: RunJob
metadata:
name: runjob-sample-kmscryptokey
spec:
launchStage: "GA"
location: "us-central1"
projectRef:
external: ${PROJECT_ID?}
template:
template:
containers:
- image: "us-docker.pkg.dev/cloudrun/container/hello"
encryptionKeyRef:
name: runjob-dep-kmscryptokey
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: runjob-dep-kmscryptokey
spec:
member: serviceAccount:service-${PROJECT_NUMBER?}@serverless-robot-prod.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter # required by cloud run service agent to access KMS keys
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: projects/${PROJECT_ID?}
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
name: runjob-dep-kmscryptokey
spec:
keyRingRef:
name: runjob-dep-kmscryptokey
purpose: ENCRYPT_DECRYPT
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
name: runjob-dep-kmscryptokey
spec:
location: us-central1
Job With SQL
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: run.cnrm.cloud.google.com/v1beta1
kind: RunJob
metadata:
name: runjob-sample-sql
spec:
launchStage: "GA"
location: "us-central1"
projectRef:
external: ${PROJECT_ID?}
template:
template:
containers:
- image: "us-docker.pkg.dev/cloudrun/container/hello"
volumeMounts:
- name: "cloudsql"
mountPath: "/cloudsql"
volumes:
- name: "cloudsql"
cloudSqlInstance:
instanceRefs:
- name: runjob-dep-sql
---
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLInstance
metadata:
name: runjob-dep-sql
spec:
region: us-central1
databaseVersion: MYSQL_5_7
settings:
tier: db-n1-standard-1
Job With SecretManagerSecret
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: run.cnrm.cloud.google.com/v1beta1
kind: RunJob
metadata:
name: runjob-sample-secretmanagersecret
spec:
launchStage: "GA"
location: "us-central1"
projectRef:
external: ${PROJECT_ID?}
template:
template:
containers:
- image: "us-docker.pkg.dev/cloudrun/container/hello"
env:
- name: "FOO"
value: "bar"
- name: "SECRET_ENV_VAR"
valueSource:
secretKeyRef:
secretRef:
name: runjob-dep-secretmanagersecret
versionRef:
name: runjob-dep-secretmanagersecret
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: runjob-dep-secretmanagersecret
spec:
member: serviceAccount:${PROJECT_NUMBER?}-compute@developer.gserviceaccount.com
role: roles/secretmanager.secretAccessor # required by default service account to access secrets
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: projects/${PROJECT_ID?}
---
apiVersion: v1
kind: Secret
metadata:
name: runjob-dep-secretmanagersecret
data:
secretData: SSBhbHdheXMgbG92ZWQgc3BhcnJpbmcgd2l0aCBnaWFudCBjYW5keSBzd29yZHMsIGJ1dCBJIGhhZCBubyBpZGVhIHRoYXQgd2FzIG15IHN1cGVyIHNlY3JldCBpbmZvcm1hdGlvbiE=
---
apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
annotations:
cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
name: runjob-dep-secretmanagersecret
spec:
replication:
automatic: true
---
apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecretVersion
metadata:
annotations:
cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
name: runjob-dep-secretmanagersecret
spec:
enabled: true
secretData:
valueFrom:
secretKeyRef:
key: secretData
name: runjob-dep-secretmanagersecret
secretRef:
name: runjob-dep-secretmanagersecret