This tutorial shows you how to configure and deploy a sample API and the Extensible Service Proxy V2 (ESPv2) to a Google Kubernetes Engine (GKE) cluster.
The sample code's REST API is described using the OpenAPI specification. The tutorial also shows you how to create an API key and use it when sending requests to the API.
The tutorial uses prebuilt container images of the sample code and ESPv2, which are stored in Artifact Registry.
For an overview of Cloud Endpoints, see About Endpoints and Endpoints architecture.
Objectives
Use the following high-level task list as you work through the tutorial. All tasks in Part 1 are required to successfully send requests to the API.
Part 1
- Set up a Google Cloud project. See Before you begin.
- Create a container cluster on GKE. See Creating a container cluster.
- Install and configure software used in the tutorial. See Installing and configuring required software.
- Download the sample code. See Getting the sample code.
- Configure the
openapi.yaml
file, which is used to configure Cloud Endpoints. See Configuring Endpoints. - Deploy the Endpoints configuration to create a Endpoints service. See Deploying the Endpoints configuration.
- Deploy the API and ESPv2 to the cluster. See Deploying the API backend.
- Get the cluster's IP address. See Getting the cluster's external IP address.
- Send a request to the API by using an IP address. See Sending a request by using an IP address.
- Track API activity. See Tracking API activity.
Part 2
- Configure a DNS record for the sample API. See Configuring DNS for Endpoints.
- Send a request to the API using the fully qualified domain name. See Sending a request by using FQDN.
Cleanup
When you're finished, see Cleaning up to avoid incurring charges to your Google Cloud account.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Make a note of the Google Cloud project ID, because it's needed later.
Creating a container cluster
You must create a container cluster on GKE for the sample API backend code to run on. The cluster needs an IP alias to use container native load balancing. To create a container cluster with an IP alias for the sample API:
gcloud container clusters create espv2-demo-cluster \ --enable-ip-alias \ --create-subnetwork="" \ --network=default \ --zone=us-central1-a
The above example command creates a cluster, espv2-demo-cluster
, with
an auto-provisioned subnetwork in zone us-central1-a
.
Make a note of the cluster name and zone because they are needed when you
authenticate kubectl
to the container cluster.
Installing and configuring required software
In this tutorial, you install the gcloud CLI so that you can use
the Google Cloud CLI to manage your project.
You use kubectl
to run commands against GKE
clusters. You also need a way to test the API.
In the following procedure, if you already have the required software installed, continue with the next step.
To install and configure required software:
-
You need an application to send requests to the sample API.
- Linux and macOS users: This tutorial provides an example of using
curl
, which typically comes pre-installed on your operating system. If you don't havecurl
, you can download it from thecurl
Releases and downloads page. - Windows users: This tutorial provides an example using
Invoke-WebRequest
, which is supported in PowerShell 3.0 and later.
- Linux and macOS users: This tutorial provides an example of using
- Install and initialize the gcloud CLI.
-
Update the gcloud CLI and install the Endpoints components:
gcloud components update
-
Make sure that the Google Cloud CLI (
gcloud
) is authorized to access your data and services on Google Cloud:gcloud auth login
In the new browser tab that opens, select an account. -
Set the default project to your project ID:
gcloud config set project YOUR_PROJECT_ID
Replace YOUR_PROJECT_ID with your project ID. If you have other Google Cloud projects, and you want to use
gcloud
to manage them, see Managing gcloud CLI configurations. - Install
kubectl
:gcloud components install kubectl
-
Acquire new user credentials to use for Application Default Credentials.
The user credentials are needed to authorize
kubectl
.gcloud auth application-default login
In the new browser tab that opens, select an account.
Downloading the sample code
To help you get up and running quickly, sample code is provided in several languages. To download the sample code to your local machine:
To clone or download the sample API:
- Clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/java-docs-samples
Alternatively, download the sample as a zip file and extract it.
- Change to the directory that contains the sample code:
cd java-docs-samples/endpoints/getting-started
To clone or download the sample API:
- Clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/python-docs-samples
Alternatively, download the sample as a zip file and extract it.
- Change to the directory that contains the sample code:
cd python-docs-samples/endpoints/getting-started
To clone or download the sample API:
- Make sure your
GOPATH
environment variable is set. - Clone the sample app repository to your local machine:
go get -d github.com/GoogleCloudPlatform/golang-samples/endpoints/getting-started
- Change to the directory that contains the sample code:
cd $GOPATH/src/github.com/GoogleCloudPlatform/golang-samples/endpoints/getting-started
To clone or download the sample API:
- Clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/php-docs-samples
Alternatively, download the sample as a zip file and extract it.
- Change to the directory that contains the sample code:
cd php-docs-samples/endpoints/getting-started
To clone or download the sample API:
- Clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/ruby-docs-samples
Alternatively, download the sample as a zip file and extract it.
- Change to the directory that contains the sample code:
cd ruby-docs-samples/endpoints/getting-started
To clone or download the sample API:
- Clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples
Alternatively, download the sample as a zip file and extract it.
- Change to the directory that contains the sample code:
cd nodejs-docs-samples/endpoints/getting-started
Configuring Endpoints
The sample code includes the OpenAPI configuration file, openapi.yaml
, which
is based on
OpenAPI Specification v2.0.
To configure Endpoints:
- In the sample code directory, open the
openapi.yaml
configuration file.Java Python Go PHP Ruby NodeJS Note the following:
- The configuration sample displays the lines near the
host
field, which you need to modify. To deploy theopenapi.yaml
file to Endpoints, the complete OpenAPI document is required. - The example
openapi.yaml
file contains a section for configuring authentication that isn't needed for this tutorial. You don't need to configure the lines with YOUR-SERVICE-ACCOUNT-EMAIL and YOUR-CLIENT-ID. - OpenAPI is a language-agnostic specification. The same
openapi.yaml
file is in thegetting-started
sample in each language GitHub repository for convenience.
- The configuration sample displays the lines near the
- In the
host
field, replace the text with the Endpoints service name, which should be in the following format:host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
Replace YOUR_PROJECT_ID with your Google Cloud project ID. For example:
host: "echo-api.endpoints.example-project-12345.cloud.goog"
Note that echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog
is the Endpoints service name. It isn't the fully qualified
domain name (FQDN) that you use for sending requests to the API.
For information about the fields in the OpenAPI document that Endpoints requires, see Configuring Endpoints.
After you finish all the following configuration steps such that you can
successfully send requests to the sample API using an IP address, see
Configuring Endpoints DNS for information on how
to configure echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog
to be the
FQDN.
Deploying the Endpoints configuration
To deploy the Endpoints configuration, you use the gcloud endpoints
services deploy
command. This command uses Service Management
to create a managed service.
To deploy the Endpoints configuration:
- Make sure you are in the
endpoints/getting-started
directory. - Upload the configuration and create a managed service:
gcloud endpoints services deploy openapi.yaml
The gcloud
command then calls the Service Management
API to create a managed service with the name that you specified in the
host
field of the openapi.yaml
file.
Service Management configures the service according to the
settings in the openapi.yaml
file. When you make changes to
openapi.yaml
, you must redeploy the file to update the
Endpoints service.
As it is creating and configuring the service, Service Management
outputs information to the terminal. You can safely ignore the warnings about
the paths in the openapi.yaml
file not requiring an API key.
When it finishes configuring the service, Service Management displays a
message with the service configuration ID and the service name, similar to the
following:
Service Configuration [2017-02-13r0] uploaded for service [echo-api.endpoints.example-project-12345.cloud.goog]
In the preceding example, 2017-02-13r0
is the service
configuration ID, and echo-api.endpoints.example-project-12345.cloud.goog
is the
Endpoints service. The service configuration ID consists of a
date stamp followed by a revision number. If you deploy the
openapi.yaml
file again on the same day, the revision
number is incremented in the service configuration ID. You can view
the Endpoints service configuration on the Endpoints >
Services page in the Google Cloud console.
If you get an error message, see Troubleshooting Endpoints configuration deployment.
Checking required services
At a minimum, Endpoints and ESP require the following Google services to be enabled:Name | Title |
---|---|
servicemanagement.googleapis.com |
Service Management API |
servicecontrol.googleapis.com |
Service Control API |
In most cases, the gcloud endpoints services deploy
command enables these
required services. However, the gcloud
command completes successfully but
doesn't enable the required services in the following circumstances:
If you used a third-party application such as Terraform, and you don't include these services.
You deployed the Endpoints configuration to an existing Google Cloud project in which these services were explicitly disabled.
Use the following command to confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
Also enable your Endpoints service:
gcloud services enable ENDPOINTS_SERVICE_NAME
To determine the ENDPOINTS_SERVICE_NAME you can either:
After deploying the Endpoints configuration, go to the Endpoints page in the Cloud console. The list of possible ENDPOINTS_SERVICE_NAME are shown under the Service name column.
For OpenAPI, the ENDPOINTS_SERVICE_NAME is what you specified in the
host
field of your OpenAPI spec. For gRPC, the ENDPOINTS_SERVICE_NAME is what you specified in thename
field of your gRPC Endpoints configuration.
For more information about the gcloud
commands, see
gcloud
services.
Deploying the API backend
So far you have deployed the OpenAPI document to Service Management, but you haven't yet deployed the code that serves the API backend. This section walks you through deploying prebuilt containers for the sample API and ESPv2 to the cluster.
Checking required permissions
ESP and ESPv2 calls Google services which use IAM to verify if the calling identity has enough permissions to access the used IAM resources. The calling identity is the attached service account deploying ESP and ESPv2.
When deployed in GKE pod, the attached service account is the node service account. Usually it is the Compute Engine default service account. Please follow this permission recommendation to choose a proper node service account.
If Workload Identity is used, a separate service account other than the node service account can be used to talk to Google services. You can create a Kubernetes service account for the pod to run ESP and ESPv2, create a Google service account and associate the Kubernetes service account to the Google service account.
Follow these steps to associate a Kubernetes service account with a Google service account. This Google service account is the attached service account.
If the attached service account is the Compute Engine default service account of the project and the endpoint service configuration is deployed in the same project, the service account should have enough permissions to access the IAM resources, following IAM roles setup step can be skipped. Otherwise following IAM roles should be added to the attached service account.
Add required IAM roles:
This section describes the IAM resources used by ESP and ESPv2 and the IAM roles required for the attached service account to access these resources.
Endpoint Service Configuration
ESP and ESPv2 call Service Control which uses the endpoint service configuration. The endpoint service configuration is an IAM resource and ESP and ESPv2 need the Service Controller role to access it.
The IAM role is on the endpoint service configuration, not on the project. A project may have multiple endpoint service configurations.
Use the following gcloud command to add the role to the attached service account for the endpoint service configuration.
gcloud endpoints services add-iam-policy-binding SERVICE_NAME \ --member serviceAccount:SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com \ --role roles/servicemanagement.serviceController
Where
* SERVICE_NAME
is the endpoint service name
* SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com
is the attached service account.
Cloud Trace
ESP and ESPv2 call
Cloud Trace service to
export Trace to a project. This project is called the tracing
project. In ESP, the tracing project and the project that owns
the endpoint service configuration are the same. In ESPv2, the
tracing project can be specified by the flag --tracing_project_id
, and
defaults to the deploying project.
ESP and ESPv2 require the Cloud Trace Agent role to enable Cloud Trace.
Use the following gcloud command to add the role to the attached service account:
gcloud projects add-iam-policy-binding TRACING_PROJECT_ID \ --member serviceAccount:SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com \ --role roles/cloudtrace.agent
Where
* TRACING_PROJECT_ID is the tracing project ID
* SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com
is the attached service account.
For more information, see
What are roles and permissions?
Deploying the containers to the cluster
Containers offer a logical packaging mechanism in which you can abstract applications from the environment in which they actually run. You use the following procedure to deploy the sample API and ESPv2 to the cluster. To deploy the containers to the cluster:
- Get cluster credentials and make them available to
kubectl
:gcloud container clusters get-credentials NAME --zone ZONE
Replace NAME with the cluster name and ZONE with the cluster zone. - Deploy a Kubernetes service to the GKE cluster. The
Kubernetes service implements the API.
git clone
this repo,cd getting-started/
to folder and edit the Kubernetes configuration fileLANG-deployment.yaml
, and replace SERVICE_NAME in the ESPv2 startup options with the name of your service.Java Python Go PHP Ruby NodeJS For example:
args: [ "--listener_port=8081", "--backend=http://127.0.0.1:8080", "--service=echo-api.endpoints.example-project-12345.cloud.goog ", "--rollout_strategy=managed", ]
The
--rollout_strategy=managed
option configures ESPv2 to use the latest deployed service configuration. When you specify this option, within a minute after you deploy a new service configuration, ESPv2 detects the change and automatically begins using it. We recommend that you specify this option instead of providing a specific configuration ID for ESPv2 to use. For information about the other ESPv2 options used, see ESPv2 startup options. - Start the Kubernetes service using the
kubectl apply
command:Java kubectl apply -f java-deployment.yaml
Python kubectl apply -f python-deployment.yaml
Go kubectl apply -f golang-deployment.yaml
PHP kubectl apply -f php-deployment.yaml
Ruby kubectl apply -f ruby-deployment.yaml
NodeJS kubectl apply -f nodejs-deployment.yaml
If you get an error message, see Troubleshooting Endpoints in GKE. See Deploying the API backend for additional information.
Getting the cluster's external IP address
To send requests to the API, you need the external IP of the service. It can take a few minutes after you start your service in the container before the external IP address is ready.
- View the external IP address:
kubectl get ingress
- Make a note of the value for
EXTERNAL-IP
. You use that IP address when you send a request to the sample API.
Sending a request by using an IP address
Now that the service is running in the container cluster, and you have the external IP address, you can send requests to the API.
Create an API key and set an environment variable
The sample code requires an API key. To simplify the request, you set an environment variable for the API key.
In the same Google Cloud project that you used for your API, create an API key on the API credentials page. If you want to create an API key in a different Google Cloud project, see Enabling an API in your Google Cloud project.
- Click Create credentials, and then select API key.
- Copy the key to the clipboard.
- Click Close.
- On your local computer, paste the API key to assign it to an environment
variable:
- In Linux or macOS:
export ENDPOINTS_KEY=AIza...
- In Windows PowerShell:
$Env:ENDPOINTS_KEY="AIza..."
- In Linux or macOS:
Send the request
Linux or mac OS
Use curl
to send an HTTP request by using the ENDPOINTS_KEY environment
variable you set previously. Replace IP_ADDRESS with
the external IP address of your instance.
curl --request POST \ --header "content-type:application/json" \ --data '{"message":"hello world"}' \ "http://IP_ADDRESS:80/echo?key=${ENDPOINTS_KEY}"
In the preceding curl
:
- The
--data
option specifies the data to post to the API. - The
--header
option specifies that the data is in JSON format.
PowerShell
Use Invoke-WebRequest
to send an HTTP request by using the ENDPOINTS_KEY
environment variable you set previously. Replace
IP_ADDRESS with the external IP address of your
instance.
(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' ` -Headers @{"content-type"="application/json"} ` -URI "http://IP_ADDRESS:80/echo?key=$Env:ENDPOINTS_KEY").Content
In the previous example, the first two lines end in a backtick. When you paste the example into PowerShell, make sure there isn't a space following the backticks. For information about the options used in the example request, see Invoke-WebRequest in the Microsoft documentation.
Third-party app
You can use a third-party application such as the Chrome browser extension Postman to send the request:
- Select
POST
as the HTTP verb. - For the header, select the key
content-type
and the valueapplication/json
. - For the body, enter the following:
{"message":"hello world"}
-
In the URL, use the actual API key rather than the environment variable.
For example:
http://192.0.2.0:80/echo?key=AIza...
The API echoes back the message that you send, and responds with the following:
{
"message": "hello world"
}
If you didn't get a successful response, see Troubleshooting response errors.
You just deployed and tested an API in Endpoints!
Tracking API activity
To track API activity:
- Look at the activity graphs for your API in the
Endpoints > Services page.
Go to the Endpoints Services page
It may take a few moments for the request to be reflected in the graphs. - Look at the request logs for your API in the Logs Explorer page.
Configuring DNS for Endpoints
Because the Endpoints service name for the API is in the
.endpoints.YOUR_PROJECT_ID.cloud.goog
domain, you can
use it as the fully qualified domain name (FQDN) by making a small
configuration change in your openapi.yaml
file. This way, you can
send requests to the sample API by using
echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog
instead of the IP address.
To configure Endpoints DNS:
- Open your OpenAPI configuration file,
openapi.yaml
, and add thex-google-endpoints
property at the top level of the file (not indented or nested) as shown in the following snippet:host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog" x-google-endpoints: - name: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog" target: "IP_ADDRESS"
- In the
name
property, replace YOUR_PROJECT_ID with your project ID. - In the
target
property, replace IP_ADDRESS with the IP address that you used when you sent a request to the sample API. - Deploy your updated OpenAPI configuration file to Service Management:
gcloud endpoints services deploy openapi.yaml
For example, assume the openapi.yaml
file has the following
configured:
host: "echo-api.endpoints.example-project-12345.cloud.goog" x-google-endpoints: - name: "echo-api.endpoints.example-project-12345.cloud.goog" target: "192.0.2.1"
When you deploy the openapi.yaml
file by using the preceding
gcloud
command, Service Management creates a DNS A-record,
echo-api.endpoints.my-project-id.cloud.goog
, which resolves to the
target IP address, 192.0.2.1
. It might take a few minutes for the
new DNS configuration to propagate.
Configuring SSL
For more details on how to configure DNS and SSL, see Enabling SSL for Endpoints.
Sending a request by using FQDN
Now that you have the DNS record configured for the sample API, send a request to it by using the FQDN (replace YOUR_PROJECT_ID with your project ID) and the ENDPOINTS_KEY environment variable set previously:- In Linux or mac OS:
curl --request POST \ --header "content-type:application/json" \ --data '{"message":"hello world"}' \ "http://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog:80/echo?key=${ENDPOINTS_KEY}"
- In Windows PowerShell:
(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' -Headers @{"content-type"="application/json"} -URI "http://echo-api.endpoints.[YOUR_PROJECT_ID].cloud.goog:80/echo?key=$Env:ENDPOINTS_KEY").Content
Creating a developer portal for the API
You can use Cloud Endpoints Portal to create a developer portal, a website that you can use to interact with the sample API. To learn more, see Cloud Endpoints Portal overview.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
See Deleting an API and API instances for information on stopping the services used by this tutorial.