Getting started with Cloud Endpoints for Kubernetes with ESPv2

Downloading the sample code

Optionally, download the sample code. In this tutorial, you deploy a prebuilt container image, so you don't have to build a container from the sample code. However, you might want to download the sample code, which is provided in several languages to help you understand how the sample API works.

To download the sample code:

Getting the Kubernetes configuration file

1. Clone the GitHub repository that contains the yaml files used in this tutorial to your local machine:

    git clone https://github.com/googlecloudplatform/endpoints-samples

   Alternatively, download the sample as a zip file and extract it.

2. Change to the directory that contains the configuration files:

    cd endpoints-samples/kubernetes

Configuring Endpoints

The sample code includes the OpenAPI configuration file, openapi.yaml, which is based on OpenAPI specification v2.0. To configure Endpoints:

1. In the sample code directory, open the openapi.yaml configuration file.
   swagger: "2.0"
   info:
     description: "A simple Google Cloud Endpoints API example."
     title: "Endpoints Example"
     version: "1.0.0"
   host: "echo-api.endpoints.YOUR-PROJECT-ID.cloud.goog"

   Note the following:

   • The configuration sample displays the lines near the host field, which you need to modify. To deploy the openapi.yaml file to Endpoints, the complete OpenAPI document is required.
   • The example openapi.yaml file contains a section for configuring authentication that isn't needed for this tutorial. You don't need to configure the lines with YOUR-SERVICE-ACCOUNT-EMAIL and YOUR-CLIENT-ID.
   • OpenAPI is a language-agnostic specification. The same openapi.yaml file is in the getting-started sample in each language GitHub repository for convenience.

2. In the host field, replace the text with the Endpoints service name, which should be in the following format:

   host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"

   Replace YOUR_PROJECT_ID with your Google Cloud project ID. For example:

   host: "echo-api.endpoints.example-project-12345.cloud.goog"

Note that echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog is the Endpoints service name. It isn't the fully qualified domain name (FQDN) that you use for sending requests to the API.

For information about the fields in the OpenAPI document that Endpoints requires, see Configuring Endpoints.

After you finish all the following configuration steps, and you can successfully send requests to the sample API using an IP address, see Configuring DNS for Endpoints for information on how to configure echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog to be the FQDN.

Deploying the Endpoints configuration

To deploy the Endpoints configuration, you use the gcloud endpoints services deploy command. This command uses Service Management to create a managed service.

To deploy the Endpoints configuration:

1. Make sure you are in the endpoints-samples/kubernetes directory.
2. Upload the configuration and create a managed service:

   gcloud endpoints services deploy openapi.yaml
   

The gcloud command then calls the Service Management API to create a managed service with the name that you specified in the host field of the openapi.yaml file. Service Management configures the service according to the settings in the openapi.yaml file. When you make changes to openapi.yaml, you must redeploy the file to update the Endpoints service.

As it is creating and configuring the service, Service Management outputs information to the terminal. You can safely ignore the warnings about the paths in the openapi.yaml file not requiring an API key. When it finishes configuring the service, Service Management displays a message with the service configuration ID and the service name, similar to the following:

Service Configuration [2017-02-13r0] uploaded for service [echo-api.endpoints.example-project-12345.cloud.goog]

In the preceding example, 2017-02-13r0 is the service configuration ID, and echo-api.endpoints.example-project-12345.cloud.goog is the Endpoints service. The service configuration ID consists of a date stamp followed by a revision number. If you deploy the openapi.yaml file again on the same day, the revision number is incremented in the service configuration ID. You can view the Endpoints service configuration on the Endpoints > Services page in the Google Cloud console.

If you get an error message, see Troubleshooting Endpoints configuration deployment.

Checking required services

In most cases, the gcloud endpoints services deploy command enables these required services. However, the gcloud command completes successfully but doesn't enable the required services in the following circumstances:

• If you used a third-party application such as Terraform, and you don't include these services.

• You deployed the Endpoints configuration to an existing Google Cloud project in which these services were explicitly disabled.

Use the following command to confirm that the required services are enabled:

gcloud services list

If you do not see the required services listed, enable them:

gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
gcloud services enable endpoints.googleapis.com

Also enable your Endpoints service:

gcloud services enable ENDPOINTS_SERVICE_NAME

To determine the ENDPOINTS_SERVICE_NAME you can either:

• After deploying the Endpoints configuration, go to the Endpoints page in the Cloud console. The list of possible ENDPOINTS_SERVICE_NAME are shown under the Service name column.

• For OpenAPI, the ENDPOINTS_SERVICE_NAME is what you specified in the host field of your OpenAPI spec. For gRPC, the ENDPOINTS_SERVICE_NAME is what you specified in the name field of your gRPC Endpoints configuration.

For more information about the gcloud commands, see gcloud services.

Creating credentials for your service

To provide management for your API, both ESP and ESPv2 require the services in Service Infrastructure. To call these services, ESP and ESPv2 must use access tokens. When you deploy ESP or ESPv2 to Google Cloud environments, such as GKE, Compute Engine, or the App Engine flexible environment, ESP and ESPv2 obtain access tokens for you through the Google Cloud metadata service.

When you deploy ESP or ESPv2 to a non-Google Cloud environment, such as your local desktop, an on-premises Kubernetes cluster, or another cloud provider, you must provide a service account JSON file that contains a private key. ESP and ESPv2 use the service account to generate access tokens to call the services that it needs to manage your API.

You can use either the Google Cloud console or the Google Cloud CLI to create the service account and private key file:

Add required IAM roles:

This section describes the IAM resources used by ESP and ESPv2 and the IAM roles required for the attached service account to access these resources.

Endpoint Service Configuration

ESP and ESPv2 call Service Control which uses the endpoint service configuration. The endpoint service configuration is an IAM resource and ESP and ESPv2 need the Service Controller role to access it.

The IAM role is on the endpoint service configuration, not on the project. A project may have multiple endpoint service configurations.

Use the following gcloud command to add the role to the attached service account for the endpoint service configuration.

gcloud endpoints services add-iam-policy-binding SERVICE_NAME \
  --member serviceAccount:SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/servicemanagement.serviceController

Where
* SERVICE_NAME is the endpoint service name
* SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com is the attached service account.

Cloud Trace

ESP and ESPv2 call Cloud Trace service to export Trace to a project. This project is called the tracing project. In ESP, the tracing project and the project that owns the endpoint service configuration are the same. In ESPv2, the tracing project can be specified by the flag --tracing_project_id, and defaults to the deploying project.

ESP and ESPv2 require the Cloud Trace Agent role to enable Cloud Trace.

Use the following gcloud command to add the role to the attached service account:

gcloud projects add-iam-policy-binding TRACING_PROJECT_ID \
  --member serviceAccount:SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/cloudtrace.agent

Where
* TRACING_PROJECT_ID is the tracing project ID
* SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com is the attached service account. For more information, see What are roles and permissions?

See gcloud iam service-accounts for more information about the commands.

Deploying the API backend

So far you have deployed the OpenAPI document to Service Management, but you haven't yet deployed the code that serves the API backend. This section walks you through deploying prebuilt containers for the sample API and ESPv2 to Kubernetes.

Checking required permissions

Grant required permissions to the service account associated with your cluster:

gcloud endpoints services add-iam-policy-binding SERVICE_NAME \
    --member "serviceAccount:SERVICE_ACCOUNT" \
    --role roles/servicemanagement.serviceController

For more information, see What are roles and permissions?

Providing ESPv2 with the service credentials

ESPv2, which runs inside a container, needs access to the credentials stored locally in the service-account-creds.json file. To provide ESPv2 with access to the credentials, you create a Kubernetes secret and mount the Kubernetes secret as a Kubernetes volume.

To create the Kubernetes secret and mount the volume:

1. Make sure to rename the JSON file to service-account-creds.json and copy it to endpoints-samples/kubernetes if it was downloaded to a different directory. This way, the name matches the options specified in the echo.yaml deployment manifest file.
2. Make sure you are in the endpoints-samples/kubernetes directory.

3. Create a Kubernetes secret with the service account credentials using the following command:

   kubectl create secret generic service-account-creds \
      --from-file=service-account-creds.json
   

   On success, the following message displays:

   secret "service-account-creds" created

The deployment manifest file that you use to deploy the API and ESPv2 to Kubernetes already contains the secret volume, as shown in the following two sections of the file:

volumes:
  - name: service-account-creds
    secret:
      secretName: service-account-creds

volumeMounts:
  - mountPath: /etc/esp/creds
    name: service-account-creds
    readOnly: true

Configuring the service name and starting the service

ESPv2 needs to know the name of your service to find the configuration that you deployed previously (by using the gcloud endpoints services deploy command).

To configure the service name and start the service:

1. Open the deployment manifest file, echo.yaml, and replace SERVICE_NAME in the ESPv2 startup options with the name of your service. This is the same name that you configured in the host field of your OpenAPI document. For example:

   "--service=echo-api.endpoints.example-project-12345.cloud.goog"

   containers:
   - name: esp
     image: gcr.io/endpoints-release/endpoints-runtime:2
     args: [
       "--listener_port=8080",
       "--backend=127.0.0.1:8081",
       "--service=SERVICE_NAME",
       "--rollout_strategy=managed",
       "--non_gcp",
       "--service_account_key=/etc/esp/creds/service-account-creds.json"
     ]
     ports:
       - containerPort: 8080
     volumeMounts:
       - mountPath: /etc/esp/creds
         name: service-account-creds
         readOnly: true
   - name: echo
     image: gcr.io/endpoints-release/echo:latest
     ports:
       - containerPort: 8081
   

   The "--rollout_strategy=managed" option configures ESPv2 to use the latest deployed service configuration. When you specify this option, within a minute after you deploy a new service configuration, ESPv2 detects the change and automatically begins using it. We recommend that you specify this option instead of providing a specific configuration ID for ESPv2 to use. For information about the other ESPv2 options used, see ESPv2 startup options.

2. Start the service to deploy the Endpoints service on Kubernetes with the following command:

   kubectl create -f echo.yaml

   If you see an error message similar to the following:

   The connection to the server localhost:8080 was refused - did you specify the right host or port?

   This indicates that kubectl isn't properly configured. See Configure kubectl for more information. For more information, see Deploying Endpoints on Kubernetes.

Get the service's external IP address

If you are using Minikube, skip to Sending a request by using an IP address. It can take a few minutes after you start your service in the container before the external IP address is ready.

To view the service's external IP address:

1. Run the following command:

   kubectl get service

2. Make a note of the value for EXTERNAL-IP. You use that IP address when you send a request to the sample API.

Sending a request by using an IP address

After the sample API is running in the container cluster, you can send requests to the API.

Create an API key and set an environment variable

The sample code requires an API key. To simplify the request, you set an environment variable for the API key.

1. In the same Google Cloud project that you used for your API, create an API key on the API credentials page. If you want to create an API key in a different Google Cloud project, see Enabling an API in your Google Cloud project.

   Go to the Credentials page

2. Click Create credentials, and then select API key.
3. Copy the key to the clipboard.
4. Click Close.
5. On your local computer, paste the API key to assign it to an environment variable:
   • In Linux or macOS: export ENDPOINTS_KEY=AIza...
   • In Windows PowerShell: $Env:ENDPOINTS_KEY="AIza..."

Send the request to minikube

The following commands use the ENDPOINTS_KEY environment variable that you set previously.

NODE_PORT=`kubectl get service esp-echo --output='jsonpath={.spec.ports[0].nodePort}'`
MINIKUBE_IP=`minikube ip`
curl --request POST \
    --header "content-type:application/json" \
    --data '{"message":"hello world"}' \
    ${MINIKUBE_IP}:${NODE_PORT}/echo?key=${ENDPOINTS_KEY}

$Env:NODE_PORT=$(kubectl get service esp-echo --output='jsonpath={.spec.ports[0].nodePort}')
$Env:MINIKUBE_IP=$(minikube ip)
(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' `
    -Headers @{"content-type"="application/json"} `
    -URI "http://$Env:MINIKUBE_IP:$Env:NODE_PORT/echo?key=$Env:ENDPOINTS_KEY").Content

Send the request to other Kubernetes clusters

curl --request POST \
   --header "content-type:application/json" \
   --data '{"message":"hello world"}' \
   "http://IP_ADDRESS:80/echo?key=${ENDPOINTS_KEY}"

(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' `
    -Headers @{"content-type"="application/json"} `
    -URI "http://IP_ADDRESS:80/echo?key=$Env:ENDPOINTS_KEY").Content

The API echoes back the message that you send, and responds with the following:

{
  "message": "hello world"
}

If you didn't get a successful response, see Troubleshooting response errors.

You just deployed and tested an API in Endpoints!

Tracking API activity

To track API activity:

1. Look at the activity graphs for your API in the Endpoints > Services page.
   

   Go to the Endpoints Services page

   
   It may take a few moments for the request to be reflected in the graphs.

2. Look at the request logs for your API in the Logs Explorer page.
   

   Go to the Logs Explorer page

Configuring DNS for Endpoints

Because the Endpoints service name for the API is in the .endpoints.YOUR_PROJECT_ID.cloud.goog domain, you can use it as the fully qualified domain name (FQDN) by making a small configuration change in your openapi.yaml file. This way, you can send requests to the sample API by using echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog instead of the IP address.

To configure Endpoints DNS:

1. Open your OpenAPI configuration file, openapi.yaml, and add the x-google-endpoints property at the top level of the file (not indented or nested) as shown in the following snippet:

   host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
   x-google-endpoints:
   - name: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"
     target: "IP_ADDRESS"

2. In the name property, replace YOUR_PROJECT_ID with your project ID.
3. In the target property, replace IP_ADDRESS with the IP address that you used when you sent a request to the sample API.
4. Deploy your updated OpenAPI configuration file to Service Management:

   gcloud endpoints services deploy openapi.yaml
   

For example, assume the openapi.yaml file has the following configured:

host: "echo-api.endpoints.example-project-12345.cloud.goog"
x-google-endpoints:
- name: "echo-api.endpoints.example-project-12345.cloud.goog"
  target: "192.0.2.1"

When you deploy the openapi.yaml file by using the preceding gcloud command, Service Management creates a DNS A-record, echo-api.endpoints.my-project-id.cloud.goog, which resolves to the target IP address, 192.0.2.1. It might take a few minutes for the new DNS configuration to propagate.

Configuring SSL

For more details on how to configure DNS and SSL, see Enabling SSL for Endpoints.

Sending a request to the FQDN

• In Linux or mac OS:

  curl --request POST \
      --header "content-type:application/json" \
      --data '{"message":"hello world"}' \
      "http://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog:80/echo?key=${ENDPOINTS_KEY}"

• In Windows PowerShell:

  (Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' -Headers @{"content-type"="application/json"} -URI "http://echo-api.endpoints.[YOUR_PROJECT_ID].cloud.goog:80/echo?key=$Env:ENDPOINTS_KEY").Content

Creating a developer portal for the API

You can use Cloud Endpoints Portal to create a developer portal, a website that you can use to interact with the sample API. To learn more, see Cloud Endpoints Portal overview.