An Eventarc trigger declares your interest in a certain event or set of events. You can configure event routing by specifying filters for the trigger, including the event source, and the target Google Kubernetes Engine (GKE) service running in a GKE cluster. Note that targets can only include services running in (public or private) GKE clusters with public endpoints. To target services in GKE clusters with private endpoints, route events to internal HTTP endpoints.
Eventarc delivers events to the event receiver in a CloudEvents format through an HTTP request.
These instructions show you how to configure event routing to your GKE service that is triggered by a direct Firebase Alerts event. For more details, see the list of supported direct events.
Before you begin
You must enable Workload Identity Federation for GKE on the GKE cluster that the destination service is running on. Workload Identity Federation for GKE is required to properly set up the event forwarder and is the recommended way to access Google Cloud services from applications running within GKE due to its improved security properties and manageability.
Workload Identity Federation for GKE
Applications running on GKE might need access to Google Cloud APIs. Workload Identity Federation for GKE allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs. Using Workload Identity Federation for GKE lets you assign distinct, fine-grained identities and authorization for each application in your cluster. Note that specific permissions must be granted to the Eventarc trigger's service account. In this document, see the steps to Create a service account.
For more information on enabling and configuring Workload Identity Federation for GKE on your GKE clusters, refer to Use Workload Identity Federation for GKE.
Event forwarder
Eventarc's event forwarder pulls new events from Eventarc and forwards them to the GKE destination. This component acts as a mediator between the Pub/Sub transport layer and the GKE service. It works on existing services and also supports signaling services (including those not exposed outside of the fully-managed cluster) while simplifying setup and maintenance. At a networking level, to receive events in a GKE service, you don't need to open the service to external traffic as all events are delivered from an origin that resides within the same GKE cluster.
Note that the event forwarder's lifecycle is managed by Eventarc, and if you accidentally delete the event forwarder, Eventarc will restore this component.
For each trigger pointing to a GKE destination, the event forwarder (a specifically configured gke-forwarder pod) does the following:
- It uses the Pub/Sub API to open a StreamingPull connection to the trigger transporter (a Pub/Sub topic and subscription) and receives events as they become available.
- It transforms events to the correct CloudEvents format and encodes and delivers them as an HTTP POST request to the target GKE service.
The Eventarc service agent needs permission to run and regularly update the gke-forwarder instance. This permission must be granted once per project. For details, in this document, see Enable GKE destinations.
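Because the forwarder delivers events from inside the cluster, the receiving service is normally not exposed externally, but any workload with network access to the service can still POST to it, so the receiver should check the CloudEvents envelope before acting on an event. The following receiver is an added example, not code from the Eventarc documentation or from the gke-forwarder. It assumes the binary content mode Eventarc uses for HTTP targets, where the context attributes arrive as ce-* headers, the payload is the request body and Content-Type carries the encoding chosen with the trigger's event data content type. It rejects envelopes that a correctly configured trigger could not have produced, refuses payloads it cannot decode, and acknowledges without reprocessing redeliveries of an id it has already handled. The event type and alert type values are the ones listed on this page; the /events path, the handler names and the sample request are assumptions constructed for illustration.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Event type every Firebase Alerts trigger on this page filters on.
EXPECTED_TYPE = "google.firebase.firebasealerts.alerts.v1.published"

# The alerttype values this page lists for the filter attribute.
KNOWN_ALERT_TYPES = {
    "appDistribution.inAppFeedback", "appDistribution.newTesterIosDevice",
    "billing.planAutomatedUpdate", "billing.planUpdate",
    "crashlytics.missingSymbolFile", "crashlytics.newAnrIssue",
    "crashlytics.newFatalIssue", "crashlytics.newNonfatalIssue",
    "crashlytics.regression", "crashlytics.stabilityDigest",
    "crashlytics.velocity", "performance.threshold",
}

# Path given to --destination-gke-path (assumed value for this example).
DESTINATION_PATH = "/events"

# Context attributes a binary-mode CloudEvent must carry as ce-* headers.
REQUIRED_CE = ("ce-specversion", "ce-id", "ce-source", "ce-type")

# Ids already processed; delivery is at least once, so redeliveries happen.
# In-memory only for the example; a real service would bound or persist it.
_seen_ids = set()
_seen_lock = threading.Lock()


def handle_event(path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, dict]:
    """Validate one forwarded request and return (HTTP status, result).

    Policy: envelopes that a correctly configured trigger could not have
    produced get a 4xx; well-formed events this service does not handle are
    acknowledged with 200 so the Pub/Sub subscription behind the trigger does
    not keep redelivering them.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if path != DESTINATION_PATH:
        return 404, {"error": "unexpected path", "path": path}
    missing = [name for name in REQUIRED_CE if name not in h]
    if missing:
        return 400, {"error": "missing CloudEvents attributes", "missing": missing}
    if h["ce-specversion"] != "1.0":
        return 400, {"error": "unsupported specversion", "specversion": h["ce-specversion"]}
    if h["ce-type"] != EXPECTED_TYPE:
        return 400, {"error": "unexpected event type", "type": h["ce-type"]}

    # Content-Type reflects the trigger's event data content type; this
    # receiver decodes only the JSON encoding.
    content_type = h.get("content-type", "").split(";")[0].strip()
    if content_type != "application/json":
        return 415, {"error": "unsupported content type", "content_type": content_type}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return 400, {"error": "body is not valid JSON", "detail": str(exc)}

    alert_type = h.get("ce-alerttype", "")
    if alert_type not in KNOWN_ALERT_TYPES:
        return 200, {"status": "ignored", "alert_type": alert_type}

    with _seen_lock:
        if h["ce-id"] in _seen_ids:
            return 200, {"status": "duplicate", "id": h["ce-id"]}
        _seen_ids.add(h["ce-id"])

    return 200, {
        "status": "processed",
        "id": h["ce-id"],
        "alert_type": alert_type,
        "family": alert_type.split(".", 1)[0],   # crashlytics, billing, ...
        "app_id": h.get("ce-appid"),
        "payload_keys": sorted(payload) if isinstance(payload, dict) else [],
    }


class EventReceiver(BaseHTTPRequestHandler):
    """HTTP front end that the gke-forwarder would POST to."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        status, result = handle_event(self.path, dict(self.headers.items()), body)
        data = json.dumps(result).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


# Constructed sample request for a crashlytics.velocity alert; the source,
# id, app id and payload are made up for the example.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "ce-specversion": "1.0",
    "ce-id": "evt-0001-constructed",
    "ce-source": "//firebasealerts.googleapis.com/projects/example-project",
    "ce-type": EXPECTED_TYPE,
    "ce-alerttype": "crashlytics.velocity",
    "ce-appid": "1:000000000000:android:constructed",
}
SAMPLE_BODY = json.dumps({"payload": {"crashCount": 42}}).encode("utf-8")

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), EventReceiver).serve_forever()
```

Run it in the pod behind the target service and create the trigger with --destination-gke-path=/events; a trigger created with application/protobuf will get 415 from this receiver until either side is changed to match.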
Prepare to create a trigger
For each trigger that targets a GKE service, Eventarc creates an event forwarder component. Eventarc requires permissions to install the component and manage resources in the GKE cluster. Before creating an Eventarc trigger for GKE destinations, ensure that you complete the following tasks.
Console
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Enable the Eventarc, Eventarc Publishing, Google Kubernetes Engine, and Resource Manager APIs.
If applicable, enable the API related to the direct events. For example, for Firebase Alerts events, enable the Firebase Alerts API.
If you don't already have one, create a user-managed service account, then grant it the roles and permissions necessary so that Eventarc can manage events for your target service.
In the Google Cloud console, go to the Create service account page.
Select your project.
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.
In the Service account description field, enter a description. For example, Service account for event trigger.
Click Create and continue.
To provide appropriate access, in the Select a role list, select the required Identity and Access Management (IAM) roles to grant to your service account. For more information, see Roles and permissions for GKE targets.
For additional roles, click Add another role and add each additional role.
Click Continue.
To finish creating the account, click Done.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Enable the Eventarc, Eventarc Publishing, Google Kubernetes Engine, and Resource Manager APIs.
gcloud services enable eventarc.googleapis.com \
    eventarcpublishing.googleapis.com \
    container.googleapis.com \
    cloudresourcemanager.googleapis.com
If applicable, enable the API related to the direct events. For example, for Firebase Alerts events, enable firebasealerts.googleapis.com (the Firebase Alerts API).
If you don't already have one, create a user-managed service account, then grant it the roles and permissions necessary so that Eventarc can manage events for your target GKE destination.
Create the service account:
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
Replace SERVICE_ACCOUNT_NAME with the name of the service account. It must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.
Grant the required Identity and Access Management (IAM) roles or permissions. For more information, see Roles and permissions for GKE targets.
Enable GKE destinations
To allow Eventarc to manage resources in the GKE cluster, enable GKE destinations, and bind the Eventarc service agent with the required roles.
Enable GKE destinations for Eventarc:
gcloud eventarc gke-destinations init
At the prompt to bind the required roles, enter y. The following roles are bound to the Eventarc service agent:
- roles/compute.viewer
- roles/container.developer
- roles/iam.serviceAccountAdmin
Create a trigger
You can create an Eventarc trigger using the Google Cloud CLI or through the Google Cloud console.
Console
- In the Google Cloud console, go to the Eventarc Triggers page.
- Click Create trigger.
- Type a Trigger name.
This is the ID of the trigger and it must start with a letter. It can contain up to 63 lowercase letters, numbers, or hyphens.
- For the Trigger type, select Google sources.
- In the Event provider list, select Firebase Alerts.
Note that the event provider name used in the associated Google Cloud documentation might not have a prefix of Cloud or Google Cloud. For example, on the console, Memorystore for Redis is referred to as Google Cloud Memorystore for Redis.
- In the Event type list, from the Direct events, select an event type.
- To specify the encoding of the event payload, in the Event data content type list, select application/json or application/protobuf.
Note that an event payload formatted in JSON is larger than one formatted in Protobuf. This might impact reliability depending on your event destination and its limits on event size. For more information, see Known issues.
- In the Region list, select global (Global).
For more information, see Eventarc locations.
- In the Attribute 1 field, the alerttype resource ID acts as an event filter. Select an operator for this filter:
  - Equal
  - Path pattern
For more information, see Understand path patterns.
- In the Attribute value 1 field, enter one of the following:
  - appDistribution.inAppFeedback: event is sent when a tester submits in-app feedback for a given app
  - appDistribution.newTesterIosDevice: event is sent when a new iOS tester device is registered for a given app
  - billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues
  - billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project
  - crashlytics.missingSymbolFile: event is sent when Firebase Crashlytics determines that it doesn't have the appropriate debug symbols to symbolicate an incoming crash report
  - crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)
  - crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)
  - crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)
  - crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version
  - crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics
  - crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash
  - performance.threshold: event is sent when the performance of a metric crosses the set threshold
- Optionally, you can filter events for a specific Firebase App ID. Click Add filter and specify the appid.
- Select the Service account that will invoke your service or workflow. Or, you can create a new service account.
This specifies the Identity and Access Management (IAM) service account email associated with the trigger and to which you previously granted specific roles required by Eventarc.
- In the Event destination list, select Kubernetes Engine.
- Select a service.
This is the name of the service that receives the events for the trigger. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- Optionally, you can specify the Service URL path to send the incoming request to.
This is the relative path on the destination service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- Click Create.
After a trigger is created, the event source filters cannot be modified. Instead, create a new trigger and delete the old one. For more information, see Manage triggers.
gcloud
You can create a trigger by running a gcloud eventarc triggers create command along with required and optional flags.
gcloud eventarc triggers create TRIGGER \
    --location=global \
    --destination-gke-cluster=DESTINATION_GKE_CLUSTER \
    --destination-gke-location=DESTINATION_GKE_LOCATION \
    --destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
    --destination-gke-service=DESTINATION_GKE_SERVICE \
    --destination-gke-path=DESTINATION_GKE_PATH \
    --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
    --event-filters="alerttype=ALERT_TYPE" \
    --event-data-content-type="EVENT_DATA_CONTENT_TYPE" \
    --service-account="SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
Replace the following:
TRIGGER: the ID of the trigger or a fully qualified identifier.
DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
DESTINATION_GKE_LOCATION: (optional) the Compute Engine location (region or zone) of the GKE cluster in which the destination GKE service is running. If not specified, it is assumed that the cluster is a regional cluster and is in the same region as the trigger. Because a Firebase Alerts trigger is created in the global location, there is no trigger region to infer the cluster location from, so specify it explicitly.
DESTINATION_GKE_NAMESPACE: (optional) the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service can be in any of the GKE supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_GKE_PATH: (optional) the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
ALERT_TYPE: the type of Firebase alert, one of the following values:
  - appDistribution.inAppFeedback: event is sent when a tester submits in-app feedback for a given app
  - appDistribution.newTesterIosDevice: event is sent when a new iOS tester device is registered for a given app
  - billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues
  - billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project
  - crashlytics.missingSymbolFile: event is sent when Firebase Crashlytics determines that it doesn't have the appropriate debug symbols to symbolicate an incoming crash report
  - crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)
  - crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)
  - crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)
  - crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version
  - crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics
  - crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash
  - performance.threshold: event is sent when the performance of a metric crosses the set threshold
The alerttype filter takes one of two forms:
  - Equal; for example, --event-filters="alerttype=appDistribution.inAppFeedback"
  - Path pattern; for example, --event-filters-path-pattern="alerttype=appDistribution.*" or --event-filters-path-pattern="alerttype=crashlytics.new*"
For more information, see Understand path patterns.
EVENT_DATA_CONTENT_TYPE: (optional) the encoding of the event payload. This can be application/json or application/protobuf. The default encoding is application/json.
Note that an event payload formatted in JSON is larger than one formatted in Protobuf. This might impact reliability depending on your event destination and its limits on event size. For more information, see Known issues.
SERVICE_ACCOUNT_NAME: the name of your user-managed service account.
PROJECT_ID: your Google Cloud project ID.
Notes:
- The --location flag must be global. For more information, see Eventarc locations.
- These flags are required:
  --event-filters="type=google.firebase.firebasealerts.alerts.v1.published"
  --event-filters="alerttype=ALERT_TYPE" or --event-filters-path-pattern="alerttype=ALERT_TYPE"
- Optionally, you can filter events for a specific Firebase App ID by using the --event-filters="appid=APP_ID" flag and by specifying an exact match.
- After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger and delete the old one.
- The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Example:
gcloud eventarc triggers create helloworld-trigger \
    --location=global \
    --destination-gke-cluster=gke-events-cluster \
    --destination-gke-location=us-central1-a \
    --destination-gke-namespace=default \
    --destination-gke-service=helloworld-events \
    --destination-gke-path=/ \
    --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
    --event-filters="alerttype=crashlytics.velocity" \
    --service-account="${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
This command creates a trigger called helloworld-trigger in the global location for the event identified as google.firebase.firebasealerts.alerts.v1.published, and for a crashlytics.velocity alert type. The trigger is global even though the destination cluster is in us-central1-a; the cluster location is given separately with --destination-gke-location.
Terraform
You can create a trigger for a GKE destination using Terraform. For details, see Create a trigger using Terraform.
List a trigger
You can confirm the creation of a trigger by listing Eventarc triggers using the Google Cloud CLI or through the Google Cloud console.
Console
In the Google Cloud console, go to the Eventarc Triggers page.
This page lists your triggers in all locations, and includes details such as names, regions, event providers, destinations, and more.
To filter your triggers:
- Click Filter or the Filter triggers field.
- In the Properties list, select an option to filter the triggers by.
You can select a single property or use the logical operator OR to add more properties.
To sort your triggers, beside any supported column heading, click Sort.
gcloud
Run the following command to list your triggers:
gcloud eventarc triggers list --location=-
This command lists your triggers in all locations, and includes details such as names, types, destinations, and statuses.