Getting started with Cloud Endpoints on Kubernetes

This tutorial shows you how to configure and deploy a sample API and the Extensible Service Proxy (ESP) to a Kubernetes cluster that isn't on Google Cloud Platform (GCP). If you want to use Google Kubernetes Engine (GKE), use Getting started with Endpoints on GKE.

The sample code's REST API is described using the OpenAPI specification. The tutorial also shows you how to create an API key to send requests to the API.

The tutorial uses prebuilt container images of the sample code and ESP, which are stored in Container Registry. If you are unfamiliar with containers, see the following for more information:

For an overview of Cloud Endpoints, see About Endpoints and Endpoints architecture.

Prerequisites

This tutorial assumes that you already have Minikube or a Kubernetes cluster set up. For more information, see the Kubernetes documentation.

Task list

Use the following high-level task list as you work through the tutorial. All tasks in Part 1 are required to successfully send requests to the API.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your project.

    Learn how to enable billing

  4. Make a note of the GCP project ID because it is needed later.

Installing and configuring required software

In this tutorial, you install the Cloud SDK to use the gcloud command-line interface to manage your project. You use kubectl, a command-line interface to run commands against Kubernetes clusters. You also need a way to test the API.

In the following procedure, if you already have the required software installed, continue with the next step.

To install and configure required software:

  1. You need an application to send requests to the sample API.

    • Linux and macOS users: This tutorial provides an example of using curl, which typically comes pre-installed on your operating system. If you don't have curl, you can download it from the curl Releases and downloads page.
    • Windows users: This tutorial provides an example using Invoke-WebRequest, which is supported in PowerShell 3.0 and later.
  2. Install and initialize the Cloud SDK.
  3. Update the Cloud SDK and install the Endpoints components:
    gcloud components update
  4. Make sure that the Cloud SDK (gcloud) is authorized to access your data and services on GCP:
    gcloud auth login
    In the new tab that opens, select an account.
  5. Set the default project to your project ID:
    gcloud config set project YOUR-PROJECT-ID

    Replace YOUR-PROJECT-ID with your project ID. If you have other GCP projects, and you want to use gcloud to manage them, see Managing Cloud SDK configurations.

  6. Install kubectl:
    gcloud components install kubectl
  7. Acquire new user credentials to use for application default credentials. The user credentials authorize kubectl.
    gcloud auth application-default login
  8. In the new tab that opens, choose an account.
  9. Run the following command to make sure your Kubernetes client is properly configured:
    kubectl version

    You should see output similar to the following:

    
       Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4",
         GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean",
         BuildDate:"2017-11-20T05:28:34Z", GoVersion:"go1.8.3", Compiler:"gc",
         Platform:"linux/amd64"}
       Server Version: version.Info{Major:"1", Minor:"7+",
         GitVersion:"v1.7.8-gke.0",
         GitCommit:"a7061d4b09b53ab4099e3b5ca3e80fb172e1b018", GitTreeState:"clean",
         BuildDate:"2017-10-10T18:48:45Z", GoVersion:"go1.8.3", Compiler:"gc",
         Platform:"linux/amd64"}
       

Downloading the sample code

Optionally, download the sample code. In this tutorial, you deploy a prebuilt container image, so you don't have to build a container from the sample code. However, you might want to download the sample code, which is provided in several languages to help you understand how the sample API works.

To download the sample code:

Java

To clone or download the sample API:

  1. Clone the sample app repository to your local machine:
    git clone https://github.com/GoogleCloudPlatform/java-docs-samples

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the sample code:
    cd java-docs-samples/endpoints/getting-started

Python

To clone or download the sample API:

  1. Clone the sample app repository to your local machine:
    git clone https://github.com/GoogleCloudPlatform/python-docs-samples

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the sample code:
    cd python-docs-samples/endpoints/getting-started

Go

To clone or download the sample API:

  1. Make sure your GOPATH environment variable is set.
  2. Clone the sample app repository to your local machine:
    go get -u -d github.com/GoogleCloudPlatform/golang-samples/endpoints/getting-started
  3. Change to the directory that contains the sample code:
    cd $GOPATH/src/github.com/GoogleCloudPlatform/golang-samples/endpoints/getting-started

PHP

To clone or download the sample API:

  1. Clone the sample app repository to your local machine:
    git clone https://github.com/GoogleCloudPlatform/php-docs-samples

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the sample code:
    cd php-docs-samples/endpoints/getting-started

Ruby

To clone or download the sample API:

  1. Clone the sample app repository to your local machine:
    git clone https://github.com/GoogleCloudPlatform/ruby-docs-samples

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the sample code:
    cd ruby-docs-samples/endpoints/getting-started

NodeJS

To clone or download the sample API:

  1. Clone the sample app repository to your local machine:
    git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the sample code:
    cd nodejs-docs-samples/endpoints/getting-started

Getting the Kubernetes configuration file

  1. Clone the GitHub repository that contains the yaml files used in this tutorial to your local machine:

    git clone https://github.com/googlecloudplatform/endpoints-samples
    

    Alternatively, download the sample as a zip file and extract it.

  2. Change to the directory that contains the configuration files:

    cd endpoints-samples/k8s
    

Configuring Endpoints

The sample code includes the OpenAPI configuration file, openapi.yaml, which is based on OpenAPI specification v2.0.

To configure Endpoints:

  1. In the sample code directory, open the openapi.yaml configuration file.

    swagger: "2.0"
    info:
      description: "A simple Google Cloud Endpoints API example."
      title: "Endpoints Example"
      version: "1.0.0"
    host: "echo-api.endpoints.YOUR-PROJECT-ID.cloud.goog"

    Note the following:

    • The configuration sample displays the lines near the host field, which you need to modify. To deploy the openapi.yaml file to Endpoints, the complete OpenAPI document is required.
    • The example openapi.yaml file contains a section for configuring authentication that isn't needed for this tutorial. You don't need to configure the lines with YOUR-SERVICE-ACCOUNT-EMAIL and YOUR-CLIENT-ID.
    • OpenAPI is a language-agnostic specification. The same openapi.yaml file is in the getting-started sample in each language GitHub repository for convenience.
  2. In the host field, replace the text with the Endpoints service name, which should be in the following format:
    host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
    

    Replace YOUR_PROJECT_ID with your GCP project ID. For example:

    host: "echo-api.endpoints.example-project-12345.cloud.goog"
    

Note that echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog is the Endpoints service name. It isn't the fully qualified domain name (FQDN) that you use for sending requests to the API.

For information about the fields in the OpenAPI document that Endpoints requires, see Configuring Endpoints.

After you finish all the following configuration steps, such that you can successfully send requests to the sample API using an IP address, see Configuring DNS for Endpoints for information on how to configure echo-api.endpoints.YOUR-PROJECT-ID.cloud.goog to be the FQDN.

Deploying the Endpoints configuration

To deploy the Endpoints configuration, you use the gcloud endpoints services deploy command. This command uses Service Management to create a managed service.

To deploy the Endpoints configuration:

  1. Make sure you are in the endpoints-samples/k8s directory.
  2. Upload the configuration and create a managed service:
    gcloud endpoints services deploy openapi.yaml
    

The gcloud command then calls the Service Management API to create a managed service with the name that you specified in the host field of the openapi.yaml file. Service Management configures the service according to the settings in the openapi.yaml file. When you make changes to openapi.yaml, you must redeploy the file to update the Endpoints service.

As it is creating and configuring the service, Service Management outputs information to the terminal. You can safely ignore the warnings about the paths in openapi.yaml not requiring an API key. When it finishes configuring the service, Service Management displays a message with the service configuration ID and the service name, similar to the following:

Service Configuration [2017-02-13r0] uploaded for service [echo-api.endpoints.example-project-12345.cloud.goog]

In the preceding example, 2017-02-13r0 is the service configuration ID, and echo-api.endpoints.example-project-12345.cloud.goog is the Endpoints service. The service configuration ID consists of a date stamp followed by a revision number. If you deploy the openapi.yaml file again on the same day, the revision number is incremented in the service configuration ID. You can view the Endpoints service configuration on the Endpoints > Services page in the GCP Console.

If you get an error message, see Troubleshooting Endpoints configuration deployment.

See Deploying the Endpoints configuration for additional information.

Creating credentials for your service

To provide management for your API, ESP requires the services in Service Infrastructure. To call these services, ESP must use access tokens. When you deploy ESP to GCP environments, such as GKE, Compute Engine, or the App Engine flexible environment, ESP obtains access tokens for you through the GCP metadata service.

When you deploy ESP to a non-GCP environment, such as your local desktop, an on-premises Kubernetes cluster, or another cloud provider, you must provide ESP with a service account JSON file that contains a private key. ESP uses the service account to generate access tokens to call the services that it needs to manage your API.

You can use either the GCP Console or the gcloud command-line tool to create the service account and private key file and to assign the service account the following roles:

Console

  1. In the GCP Console, open the Service Accounts page.

    Go to the Service Accounts page

  2. Click Select a project.
  3. Select the project that your API was created in and click Open.
  4. Click + Create Service Account.
  5. In the Service account name field, enter the name for your service account.
  6. Click Create.
  7. Click Select a role and select Service Management > Service Controller.
  8. Click + Add another role.
  9. Click Select a role and select Cloud Trace > Cloud Trace Agent.
  10. Click Continue.
  11. Click + Create key.
  12. In the right-side panel, for the Key type, use the default type, JSON.
  13. Click Create.
  14. In the dialog, click Close.
  15. Click Done.

This creates the service account and downloads its private key to a JSON file.

gcloud

  1. Enter the following to display the project IDs for your GCP projects:

    gcloud projects list
    
  2. Replace PROJECT_ID in the following command to set the default project to the one that your API is in:

    gcloud config set project PROJECT_ID
    
  3. Make sure that the Cloud SDK (gcloud) is authorized to access your data and services on GCP:

    gcloud auth login
    

    If you have more than one account, make sure to choose the account that is in the GCP project that the API is in. If you run gcloud auth list, the account that you selected is shown as the active account for the project.

  4. To create a service account, run the following command and replace SERVICE_ACCOUNT_NAME and My Service Account with the name and display name that you want to use:

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
      --display-name "My Service Account"
    

    The command assigns an email address for the service account in the following format:

    SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
    

    This email address is required in the subsequent commands.

  5. Create a service account key file:

    gcloud iam service-accounts keys create ~/service-account-creds.json \
      --iam-account SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
    
  6. Add the Service Controller role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role roles/servicemanagement.serviceController
    
  7. Add the Cloud Trace Agent role to enable Stackdriver Trace:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role roles/cloudtrace.agent
    

See gcloud iam service-accounts for more information about the commands.
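
Either path above leaves a private key in a JSON file on disk. The following pre-flight check is an added example, not part of the original tutorial or Google's tooling: before the file goes into a Kubernetes secret, it confirms that only the owner can read it, that it is a service account key, and that the account belongs to the expected project. The function names and the sample key (with placeholder key material) are constructed for illustration, and parsing assumes the one-field-per-line JSON layout of a downloaded key file.

```shell
# Added example: pre-flight check of service-account-creds.json.
# json_field, check_sa_key and write_sample_key are hypothetical helper names.

# Print the string value of a top-level JSON field (one field per line assumed).
json_field() {   # FILE FIELD
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print findings; return 0 only when there are none.
check_sa_key() {   # FILE PROJECT_ID
  key_file=$1; project=$2; findings=0
  [ -f "$key_file" ] || { echo "FAIL missing: $key_file"; return 1; }

  # Characters 5-10 of the ls mode string are the group and other bits.
  bits=$(ls -ld "$key_file" | cut -c5-10)
  if [ "$bits" != "------" ]; then
    echo "FAIL perms: group/other bits '$bits' are set; run chmod 600 $key_file"
    findings=$((findings + 1))
  fi

  if [ "$(json_field "$key_file" type)" != "service_account" ]; then
    echo "FAIL type: file is not a service account key"
    findings=$((findings + 1))
  fi

  # The tutorial's format: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
  email=$(json_field "$key_file" client_email)
  case "$email" in
    ?*@"$project".iam.gserviceaccount.com) ;;
    *) echo "FAIL identity: '$email' is not a service account in $project"
       findings=$((findings + 1)) ;;
  esac

  if [ -z "$(json_field "$key_file" private_key)" ]; then
    echo "FAIL key: no private_key field, so ESP cannot generate access tokens"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample key file; the private_key value is a placeholder.
write_sample_key() {   # FILE PROJECT_ID
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
  "client_email": "esp-runtime@$2.iam.gserviceaccount.com"
}
EOF
}

# Demo: a world-readable copy is rejected, the chmod 600 copy passes.
demo_dir=$(mktemp -d)
demo_key="$demo_dir/service-account-creds.json"
write_sample_key "$demo_key" example-project-12345
chmod 644 "$demo_key"
check_sa_key "$demo_key" example-project-12345 || echo "-> tighten the file before creating the secret"
chmod 600 "$demo_key"
if check_sa_key "$demo_key" example-project-12345; then
  echo "-> key file passes, ready for kubectl create secret"
fi
rm -rf "$demo_dir"
```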

Deploying the API backend

So far you have deployed the OpenAPI document to Service Management, but you haven't yet deployed the code that serves the API backend. This section walks you through deploying prebuilt containers for the sample API and ESP to Kubernetes.

Providing ESP with the service credentials

ESP, which runs inside a container, needs access to the credentials stored locally in the service-account-creds.json file. To provide ESP with access to the credentials, you create a Kubernetes secret and mount the Kubernetes secret as a Kubernetes volume.

To create the Kubernetes secret and mount the volume:

  1. Make sure to rename the JSON file to service-account-creds.json and copy it to endpoints-samples/k8s if it was downloaded to a different directory. This way, the name matches the options specified in the esp_echo_http.yaml deployment manifest file.

  2. Make sure you are in the endpoints-samples/k8s directory.

  3. Create a Kubernetes secret with the service account credentials:

    kubectl create secret generic service-account-creds \
      --from-file=service-account-creds.json
    

    On success, the following message displays: secret "service-account-creds" created

The deployment manifest file that you use to deploy the API and ESP to Kubernetes already contains the secret volume, as shown in the following two sections of the file:

volumes:
  - name: service-account-creds
    secret:
      secretName: service-account-creds
volumeMounts:
  - mountPath: /etc/nginx/creds
    name: service-account-creds
    readOnly: true

Configuring the service name and starting the service

ESP needs to know the name of your service to find the configuration that you deployed previously (by using the gcloud endpoints services deploy command).

To configure the service name and start the service:

  1. Open the deployment manifest file, esp_echo_http.yaml, and replace SERVICE_NAME in the ESP startup options with the name of your service. This is the same name that you configured in the host field of your OpenAPI document. For example:

    "--service", "echo-api.endpoints.example-project-12345.cloud.goog"
    
    containers:
      - name: esp
        image: gcr.io/endpoints-release/endpoints-runtime:1
        args: [
          "--http_port", "8080",
          "--backend", "127.0.0.1:8081",
          "--service", "SERVICE_NAME",
          "--rollout_strategy", "managed",
          "--service_account_key", "/etc/nginx/creds/service-account-creds.json",
        ]

    The "--rollout_strategy", "managed" option configures ESP to use the latest deployed service configuration. When you specify this option, within a minute after you deploy a new service configuration, ESP detects the change and automatically begins using it. We recommend that you specify this option instead of a specific configuration ID for ESP to use. For information about the other ESP options used, see ESP startup options.

  2. Start the service to deploy the Endpoints service on Kubernetes:

    kubectl create -f esp_echo_http.yaml
    

    If you see an error message similar to the following:

    The connection to the server localhost:8080 was refused - did you specify the right host or port?
    

    This indicates that kubectl isn't properly configured. See Configure kubectl for more information.

For more information, see Deploying Endpoints on Kubernetes.
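
The manifest edits above have to agree with openapi.yaml and with the secret mount. This added example (not part of the tutorial or the endpoints-samples repository) lints both files before deployment: the --service value must equal the host field, no placeholder may remain, and the --service_account_key path must sit under a read-only volumeMount. The function names are hypothetical, and the sample files are constructed from the snippets on this page.

```shell
# Added example: cross-check openapi.yaml against esp_echo_http.yaml before
# `kubectl create -f`. Parsing assumes the layout shown on this page.

# Print the quoted value of the top-level host field in openapi.yaml.
openapi_host() {   # FILE
  sed -n 's/^host:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the value that follows an ESP startup flag in the args list.
esp_arg() {   # FILE FLAG
  sed -n "s/.*\"$2\",[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only if DIR is a mountPath whose list item also sets readOnly: true.
mount_is_readonly() {   # FILE DIR
  awk -v want="$2" '
    $1 == "-" { inblk = 0 }    # a new YAML list item starts
    { for (i = 1; i < NF; i++) if ($i == "mountPath:" && $(i + 1) == want) inblk = 1 }
    inblk && /readOnly:[ \t]*true/ { ok = 1 }
    END { exit !ok }' "$1"
}

# Print findings; return 0 only when there are no FAIL lines.
lint_esp() {   # OPENAPI MANIFEST
  host=$(openapi_host "$1")
  service=$(esp_arg "$2" --service)
  key=$(esp_arg "$2" --service_account_key)
  fails=0
  case "$host" in
    ""|*YOUR[-_]PROJECT[-_]ID*)
      echo "FAIL host: empty or still a placeholder ('$host')"; fails=$((fails + 1)) ;;
  esac
  if [ "$service" != "$host" ]; then
    echo "FAIL service: --service '$service' does not match host '$host'"
    fails=$((fails + 1))
  fi
  if [ -z "$key" ] || ! mount_is_readonly "$2" "$(dirname "$key")"; then
    echo "FAIL creds: '$key' is not under a readOnly volumeMount"
    fails=$((fails + 1))
  fi
  if [ "$(esp_arg "$2" --rollout_strategy)" != "managed" ]; then
    echo "WARN rollout: --rollout_strategy is not 'managed'"
  fi
  [ "$fails" -eq 0 ]
}

# Constructed sample files: SERVICE_NAME is deliberately left unreplaced.
write_samples() {   # DIR
  cat > "$1/openapi.yaml" <<'EOF'
swagger: "2.0"
host: "echo-api.endpoints.example-project-12345.cloud.goog"
EOF
  cat > "$1/esp_echo_http.yaml" <<'EOF'
      containers:
        - name: esp
          image: gcr.io/endpoints-release/endpoints-runtime:1
          args: [
            "--backend", "127.0.0.1:8081",
            "--service", "SERVICE_NAME",
            "--rollout_strategy", "managed",
            "--service_account_key", "/etc/nginx/creds/service-account-creds.json",
          ]
          volumeMounts:
            - mountPath: /etc/nginx/creds
              name: service-account-creds
              readOnly: true
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
lint_esp "$tmp/openapi.yaml" "$tmp/esp_echo_http.yaml" || echo "-> fix the findings before deploying"
rm -rf "$tmp"
```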

Get the service's external IP address

If you are using Minikube, skip to Sending a request by using an IP address.

It can take a few minutes after you start your service in the container before the external IP address is ready.

To view the service's external IP address:

  1. Run the following command:

    kubectl get service
    
  2. Make a note of the value for EXTERNAL-IP. You use that IP address when you send a request to the sample API.

Sending a request by using an IP address

After the sample API is running in the container cluster, you can send requests to the API.

Create an API key and set an environment variable

The sample code requires an API key. To simplify the request, you set an environment variable for the API key.

  1. In the same GCP project that you used for your API, create an API key on the API credentials page. If you want to create an API key in a different GCP project, see Enabling an API in your GCP project.

    Go to the Credentials page

  2. Click Create credentials, and then select API key.
  3. Copy the key to the clipboard.
  4. Click Close.
  5. On your local computer, paste the API key to assign it to an environment variable:
    • In Linux or macOS: export ENDPOINTS_KEY=AIza...
    • In Windows PowerShell: $Env:ENDPOINTS_KEY="AIza..."

Send the request to minikube

The following commands use the ENDPOINTS_KEY environment variable that you set previously.

Linux or macOS

NODE_PORT=`kubectl get service esp-echo --output='jsonpath={.spec.ports[0].nodePort}'`
MINIKUBE_IP=`minikube ip`
curl --request POST \
    --header "content-type:application/json" \
    --data '{"message":"hello world"}' \
    "${MINIKUBE_IP}:${NODE_PORT}/echo?key=${ENDPOINTS_KEY}"

PowerShell

$Env:NODE_PORT=$(kubectl get service esp-echo --output='jsonpath={.spec.ports[0].nodePort}')
$Env:MINIKUBE_IP=$(minikube ip)
(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' `
    -Headers @{"content-type"="application/json"} `
    -URI "http://$Env:MINIKUBE_IP:$Env:NODE_PORT/echo?key=$Env:ENDPOINTS_KEY").Content

Send the request to other Kubernetes clusters

Linux or macOS

Use curl to send an HTTP request by using the ENDPOINTS_KEY environment variable you set previously. Replace IP_ADDRESS with the external IP address of your instance.

curl --request POST \
   --header "content-type:application/json" \
   --data '{"message":"hello world"}' \
   "http://IP_ADDRESS:80/echo?key=${ENDPOINTS_KEY}"

In the above curl:

  • The --data option specifies the data to post to the API.
  • The --header option specifies that the data is in JSON format.

PowerShell

Use Invoke-WebRequest to send an HTTP request by using the ENDPOINTS_KEY environment variable you set previously. Replace IP_ADDRESS with the external IP address of your instance.

(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' `
    -Headers @{"content-type"="application/json"} `
    -URI "http://IP_ADDRESS:80/echo?key=$Env:ENDPOINTS_KEY").Content

In the above example, the first two lines end in a backtick. When you paste the example into PowerShell, make sure there isn't a space following the backticks. For information about the options used in the example request, see Invoke-WebRequest in the Microsoft documentation.

Third-party app

You can use a third-party application such as the Chrome browser extension Postman to send the request:

  • Select POST as the HTTP verb.
  • For the header, select the key content-type and the value application/json.
  • For the body, enter the following:
    {"message":"hello world"}
  • In the URL, use the actual API key rather than the environment variable. For example:
    http://192.0.2.0:80/echo?key=AIza...

The API echoes back the message that you send, and responds with the following:

{
  "message": "hello world"
}

If you didn't get a successful response, see Troubleshooting response errors.

You just deployed and tested an API in Endpoints!

Tracking API activity

To track API activity:

  1. Look at the activity graphs for your API in the Endpoints > Services page.

    Go to the Endpoints Services page


    It may take a few moments for the request to be reflected in the graphs.

  2. Look at the request logs for your API in the Logs Viewer page.

    Go to the Logs Viewer page

Configuring DNS for Endpoints

Because the Endpoints service name for the API is in the .endpoints.YOUR_PROJECT_ID.cloud.goog domain, you can use it as the fully qualified domain name (FQDN) by making a small configuration change in your openapi.yaml file. This way, you can send requests to the sample API by using echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog instead of the IP address.

To configure Endpoints DNS:

  1. Open your OpenAPI configuration file, openapi.yaml, and add the x-google-endpoints property at the top level of the file (not indented or nested) as shown in the following snippet:
        host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
        x-google-endpoints:
        - name: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
          target: "IP_ADDRESS"
    
  2. In the name property, replace YOUR_PROJECT_ID with your project ID.
  3. In the target property, replace IP_ADDRESS with the IP address that you used when you sent a request to the sample API.
  4. Deploy your updated OpenAPI configuration file to Service Management:
        gcloud endpoints services deploy openapi.yaml
    

For example, assume the openapi.yaml file has the following configured:

    host: "echo-api.endpoints.example-project-12345.cloud.goog"
    x-google-endpoints:
    - name: "echo-api.endpoints.example-project-12345.cloud.goog"
      target: "192.0.2.1"

When you deploy the openapi.yaml file by using the preceding gcloud command, Service Management creates a DNS A-record, echo-api.endpoints.my-project-id.cloud.goog, which resolves to the target IP address, 192.0.2.1. It might take a few minutes for the new DNS configuration to propagate.

Configuring SSL

For more details on how to configure DNS and SSL, see Enabling SSL for Endpoints.

Sending a request to the FQDN

Now that you have the DNS record configured for the sample API, send a request to it by using the FQDN (replace YOUR_PROJECT_ID with your project ID) and the ENDPOINTS_KEY environment variable set previously:

  • In Linux or macOS:
    curl --request POST \
        --header "content-type:application/json" \
        --data '{"message":"hello world"}' \
        "http://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog:80/echo?key=${ENDPOINTS_KEY}"
  • In Windows PowerShell:
    (Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' -Headers @{"content-type"="application/json"} -URI "http://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog:80/echo?key=$Env:ENDPOINTS_KEY").Content

Creating a developer portal for the API

You can use Cloud Endpoints Portal to create a developer portal, a website that you can use to interact with the sample API. To learn more, see Cloud Endpoints Portal overview.

Clean up

To avoid incurring charges to your GCP account for the resources used in this quickstart:

  • Delete the Kubernetes service and deployment:

    kubectl delete -f esp_echo_http.yaml
    

See Deleting an API and API instances for information on stopping the services used by this tutorial.
