gcloud alpha run workers deploy

gcloud alpha run workers deploy - create or update a Cloud Run worker

gcloud alpha run workers deploy [WORKER] [--async] [--breakglass=JUSTIFICATION] [--description=DESCRIPTION] [--max-instances=MAX_INSTANCES] [--max-surge=MAX_SURGE] [--min-instances=MIN_INSTANCES] [--no-promote] [--region=REGION] [--revision-suffix=REVISION_SUFFIX] [--service-account=SERVICE_ACCOUNT] [--vpc-egress=VPC_EGRESS] [--add-cloudsql-instances=[CLOUDSQL-INSTANCES,…]     | --clear-cloudsql-instances     | --remove-cloudsql-instances=[CLOUDSQL-INSTANCES,…]     | --set-cloudsql-instances=[CLOUDSQL-INSTANCES,…]] [--add-volume=[KEY=VALUE,…] --clear-volumes --remove-volume=[VOLUME,…]] [--add-volume-mount=[volume=NAME,mount-path=MOUNT_PATH,…] --args=[ARG,…] --clear-volume-mounts --command=[COMMAND,…] --cpu=CPU --memory=MEMORY --remove-volume-mount=[MOUNT_PATH,…] --clear-env-vars     | --env-vars-file=FILE_PATH     | --set-env-vars=[KEY=VALUE,…]     | --remove-env-vars=[KEY,…] --update-env-vars=[KEY=VALUE,…] --clear-secrets     | --set-secrets=[KEY=VALUE,…]     | --remove-secrets=[KEY,…] --update-secrets=[KEY=VALUE,…] --image=IMAGE     | --source=SOURCE] [--binary-authorization=POLICY     | --clear-binary-authorization] [--clear-encryption-key-shutdown-hours     | --encryption-key-shutdown-hours=ENCRYPTION_KEY_SHUTDOWN_HOURS] [--clear-key     | --key=KEY] [--clear-labels     | --remove-labels=[KEY,…] --labels=[KEY=VALUE,…]     | --update-labels=[KEY=VALUE,…]] [--clear-network     | --network=NETWORK --subnet=SUBNET --clear-network-tags     | --network-tags=[TAG,…]] [--clear-post-key-revocation-action-type     | --post-key-revocation-action-type=POST_KEY_REVOCATION_ACTION_TYPE] [GCLOUD_WIDE_FLAG …]

gcloud alpha run workers deploy my-backend --image=us-docker.pkg.dev/project/image

You may also omit the worker name. Then a prompt will be displayed with a suggested default value:

gcloud alpha run workers deploy --image=us-docker.pkg.dev/project/image

Worker resource - Worker to deploy to. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

• provide the argument WORKER on the command line with a fully specified name;
• specify the worker name from an interactive prompt with a fully specified name;
• provide the argument --project on the command line;
• set the property core/project.

[WORKER]

ID of the worker or fully qualified identifier for the worker.

To set the worker attribute:

• provide the argument WORKER on the command line;
• specify the worker name from an interactive prompt.

--async

Return immediately, without waiting for the operation in progress to complete.

--breakglass=JUSTIFICATION

Justification to bypass Binary Authorization policy constraints and allow the operation. See https://cloud.google.com/binary-authorization/docs/using-breakglass for more information. Next update or deploy command will automatically clear existing breakglass justification.

--description=DESCRIPTION

Provides an optional, human-readable description of the service.

--max-instances=MAX_INSTANCES

The maximum number of container instances of the Worker to run. Use 'default' to unset the limit and use the platform default.

--max-surge=MAX_SURGE

A maximum percentage of instances that will be moved in each step of instance split changes. Use "default" to unset the limit and use the platform default.

--min-instances=MIN_INSTANCES

The minimum number of container instances for this Worker to run or 'default' to remove any minimum. These instances will be divided among all Revisions receiving a percentage of instance split.

--no-promote

True to avoid assign instances to the worker revision being deployed. Setting this flag assigns any instances assigned to the LATEST revision to the specific revision bound to LATEST before the deployment. The effect is that the revision being deployed will not receive instance split.

After a deployment with this flag the LATEST revision will not receive instances on future deployments. To restore assinging instances to the LATEST revision by default, run the gcloud run workers update-instance-split command with --to-latest.

--region=REGION

Region in which the resource can be found. Alternatively, set the property [run/region].

--revision-suffix=REVISION_SUFFIX

Specify the suffix of the revision name. Revision names always start with the service name automatically. For example, specifying [--revision-suffix=v1] for a service named 'helloworld', would lead to a revision named 'helloworld-v1'.

--service-account=SERVICE_ACCOUNT

Service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. For the managed platform, this is the email address of an IAM service account. For the Kubernetes-based platforms (gke, kubernetes), this is the name of a Kubernetes service account in the same namespace as the service. If not provided, the revision will use the default service account of the project, or default Kubernetes namespace service account respectively.

--vpc-egress=VPC_EGRESS

Specify which of the outbound traffic to send through Direct VPC egress or the VPC connector for this resource. This resource must have Direct VPC egress enabled or a VPC connector to set this flag. VPC_EGRESS must be one of:

all

(DEPRECATED) Sends all outbound traffic through Direct VPC egress or the VPC connector. Provides the same functionality as 'all-traffic'. Prefer to use 'all-traffic' instead.

all-traffic

Sends all outbound traffic through Direct VPC egress or the VPC connector.

private-ranges-only

Default option. Sends outbound traffic to private IP addresses (RFC 1918 and Private Google Access IPs) through Direct VPC egress or the VPC connector.

Traffic to other Cloud Run services might require additional configuration. See https://cloud.google.com/run/docs/securing/private-networking#send_requests_to_other_services_and_services for more information.

These flags modify the Cloud SQL instances this Service connects to. You can specify a name of a Cloud SQL instance if it's in the same project and region as your Cloud Run service; otherwise specify <project>:<region>:<instance> for the instance.

At most one of these can be specified:

--add-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Append the given values to the current Cloud SQL instances.

--clear-cloudsql-instances

Empty the current Cloud SQL instances.

--remove-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Remove the given values from the current Cloud SQL instances.

--set-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Completely replace the current Cloud SQL instances with the given values.

--add-volume=[KEY=VALUE,…]

Adds a volume to the Cloud Run resource. To add more than one volume, specify this flag multiple times. Volumes must have a name and type key. Only certain values are supported for type. Depending on the provided type, other keys will be required. The following types are supported with the specified additional keys:

cloud-storage: A volume representing a Cloud Storage bucket. This volume type is mounted using Cloud Storage FUSE. See https://cloud.google.com/storage/docs/gcs-fuse for the details and limitations of this filesystem. Additional keys:

• bucket: (required) the name of the bucket to use as the source of this volume
• readonly: (optional) A boolean. If true, this volume will be read-only from all mounts.
• mount-options: (optional) A list of flags to pass to GCSFuse. Flags should be specified without leading dashes and separated by semicolons.

in-memory: An ephemeral volume that stores data in the instance's memory. With this type of volume, data is not shared between instances and all data will be lost when the instance it is on is terminated. Additional keys:

• size-limit: (optional) A quantity representing the maximum amount of memory allocated to this volume, such as "512Mi" or "3G". Data stored in an in-memory volume consumes the memory allocation of the container that wrote the data. If size-limit is not specified, the maximum size will be half the total memory limit of all containers.

nfs: Represents a volume backed by an NFS server. Additional keys:

• location: (required) The location of the NFS Server, in the form SERVER:/PATH
• readonly: (optional) A boolean. If true, this volume will be read-only from all mounts.

secret: Represents a secret stored in Secret Manager as a volume. Additional keys:

• secret: (required) The name of the secret in Secret Manager. Must be a secret in the same project being deployed or be an alias mapped in the run.googleapis.com/secrets annotation.
• version: (required) The version of the secret to make available in the volume.
• path: (required) The relative path within the volume to mount that version.

--clear-volumes

Remove all existing volumes from the Cloud Run resource, including volumes mounted as secrets

--remove-volume=[VOLUME,…]

Removes volumes from the Cloud Run resource.

The following flags apply to the container.

--add-volume-mount=[volume=NAME,mount-path=MOUNT_PATH,…]

Adds a mount to the current container. Must contain the keys volume=NAME and mount-path=/PATH where NAME is the name of a volume on this resource and PATH is the path within the container's filesystem to mount this volume.

--args=[ARG,…]

Comma-separated arguments passed to the command run by the container image. If not specified and no '--command' is provided, the container image's default Cmd is used. Otherwise, if not specified, no arguments are passed. To reset this field to its default, pass an empty string.

--clear-volume-mounts

Remove all existing mounts from the current container.

--command=[COMMAND,…]

Entrypoint for the container image. If not specified, the container image's default Entrypoint is run. To reset this field to its default, pass an empty string.

--cpu=CPU

Set a CPU limit in Kubernetes cpu units.

Cloud Run (fully managed) supports values 1, 2 and 4. For Cloud Run (fully managed), 4 cpus also requires a minimum 2Gi --memory value. Examples 2, 2.0, 2000m

Cloud Run for Anthos and Knative-compatible Kubernetes clusters support fractional values. Examples .5, 500m, 2

--memory=MEMORY

Set a memory limit. Ex: 1024Mi, 4Gi.

--remove-volume-mount=[MOUNT_PATH,…]

Removes the volume mounted at the specified path from the current container.

At most one of these can be specified:

--clear-env-vars

Remove all environment variables.

--env-vars-file=FILE_PATH

Path to a local YAML file with definitions for all environment variables. All existing environment variables will be removed before the new environment variables are added. Example YAML content:

KEY_1: "value1"
KEY_2: "value 2"

--set-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as environment variables. All existing environment variables will be removed first.

Only --update-env-vars and --remove-env-vars can be used together. If both are specified, --remove-env-vars will be applied first.

--remove-env-vars=[KEY,…]

List of environment variables to be removed.

--update-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as environment variables.

Specify secrets to mount or provide as environment variables. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables. Values should be in the form SECRET_NAME:SECRET_VERSION. For example: '--update-secrets=/secrets/api/key=mysecret:latest,ENV=othersecret:1' will mount a volume at '/secrets/api' containing a file 'key' with the latest version of secret 'mysecret'. An environment variable named ENV will also be created whose value is version 1 of secret 'othersecret'.

At most one of these can be specified:

--clear-secrets

Remove all secrets.

--set-secrets=[KEY=VALUE,…]

List of key-value pairs to set as secrets. All existing secrets will be removed first.

Only --update-secrets and --remove-secrets can be used together. If both are specified, --remove-secrets will be applied first.

--remove-secrets=[KEY,…]

List of secrets to be removed.

--update-secrets=[KEY=VALUE,…]

List of key-value pairs to set as secrets.

At most one of these can be specified:

--image=IMAGE

Name of the container image to deploy (e.g. gcr.io/cloudrun/hello:latest).

--source=SOURCE

The location of the source to build. If a Dockerfile is present in the source code directory, it will be built using that Dockerfile, otherwise it will use Google Cloud buildpacks. See https://cloud.google.com/run/docs/deploying-source-code for more details. The location can be a directory on a local disk or a gzipped archive file (.tar.gz) in Google Cloud Storage. If the source is a local directory, this command skips the files specified in the --ignore-file. If --ignore-file is not specified, use .gcloudignore file. If a .gcloudignore file is absent and a .gitignore file is present in the local source directory, gcloud will use a generated Git-compatible .gcloudignore file that respects your .gitignored files. The global .gitignore is not respected. For more information on .gcloudignore, see gcloud topic gcloudignore.

At most one of these can be specified:

--binary-authorization=POLICY

Binary Authorization policy to check against. This must be set to "default".

--clear-binary-authorization

Remove any previously set Binary Authorization policy.

At most one of these can be specified:

--clear-encryption-key-shutdown-hours

Remove any previously set CMEK key shutdown hours setting.

--encryption-key-shutdown-hours=ENCRYPTION_KEY_SHUTDOWN_HOURS

The number of hours to wait before an automatic shutdown server after CMEK key revocation is detected.

At most one of these can be specified:

--clear-key

Remove any previously set CMEK key reference.

--key=KEY

CMEK key reference to encrypt the container with.

At most one of these can be specified:

--clear-labels

Remove all labels. If --update-labels is also specified then --clear-labels is applied first.

For example, to remove all labels:

gcloud alpha run workers deploy --clear-labels

To remove all existing labels and create two new labels, foo and baz:

gcloud alpha run workers deploy --clear-labels --update-labels foo=bar,baz=qux

--remove-labels=[KEY,…]

List of label keys to remove. If a label does not exist it is silently ignored. If --update-labels is also specified then --update-labels is applied first.

At most one of these can be specified:

--labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to add.

An alias to --update-labels.

--update-labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to update. If a label exists, its value is modified. Otherwise, a new label is created.

At most one of these can be specified:

--clear-network

Disconnect this Cloud Run worker from the VPC network it is connected to.

Direct VPC egress setting flags group.

--network=NETWORK

The VPC network that the Cloud Run worker will be able to send traffic to. If --subnet is also specified, subnet must be a subnetwork of the network specified by this --network flag. To clear existing VPC network settings, use --clear-network.

--subnet=SUBNET

The VPC subnetwork that the Cloud Run worker will get IPs from. The subnetwork must be /26 or larger. If --network is also specified, subnet must be a subnetwork of the network specified by the --network flag. If --network is not specified, network will be looked up from this subnetwork. To clear existing VPC network settings, use --clear-network.

At most one of these can be specified:

--clear-network-tags

Clears all existing Compute Engine tags from the Cloud Run worker.

--network-tags=[TAG,…]

Applies the given Compute Engine tags (comma separated) to the Cloud Run worker. To clear existing tags, use --clear-network-tags.

At most one of these can be specified:

--clear-post-key-revocation-action-type

Remove any previously set post CMEK key revocation action type.

--post-key-revocation-action-type=POST_KEY_REVOCATION_ACTION_TYPE

Action type after CMEK key revocation. POST_KEY_REVOCATION_ACTION_TYPE must be one of:

prevent-new

No new instances will be started after CMEK key revocation.

shut-down

No new instances will be started and the existing instances will be shut down after CMEK key revocation.

Run $ gcloud help for details.