Introduction

This article discusses mapping custom domains for Google Cloud Run Managed. In a future article, I will cover Google Cloud Run on GKE.

Google Cloud Run supports using a custom domain rather than the default address provided for a deployed service. This custom domain supports both HTTP and HTTPS. Google Cloud Run provisions a custom managed SSL certificate for your custom domain automatically. This feature requires support from your domain’s DNS servers.

In the Cloud Run API, this is called “DomainMappingService”. The Go interface is NamespacesDomainmappingsService.

Routes

Route provides a network endpoint for a user’s service (which consists of a series of software and configuration Revisions over time). A Kubernetes namespace can have multiple routes. The route provides a long-lived, stable, named, HTTP-addressable endpoint that is backed by one or more Revisions. The default configuration is for the route to automatically route traffic to the latest revision created by a Configuration. For more complex scenarios, the API supports splitting traffic on a percentage basis, and CI tools could maintain multiple configurations for a single route (e.g. “golden path” and “experiments”) or reference multiple revisions directly to pin revisions during an incremental rollout and n-way traffic split. The route can optionally assign addressable subdomains to any or all backing revisions.

Text source: link

Domain-mappings

Google Cloud Run provides the ability to map a custom domain name (myservice.example.com) to a Cloud Run network endpoint (see Routes) and supports creating custom managed SSL certificates to provide services over HTTPS.

If you are using HTTPS, the following considerations apply:

  • For Cloud Run Managed, a managed certificate for HTTPS connections is automatically issued when you map a service to a custom domain. Note that provisioning the SSL certificate should take about 15 minutes. You cannot upload and use your own certificates.
  • For Cloud Run on GKE, only HTTP is available by default. You can install a wildcard SSL certificate to enable SSL for all services mapped to domains included in the wildcard SSL certificate. For more information, see Enabling HTTPS.

You can map multiple custom domains to the same Cloud Run service.

Text source: link

Service Name

When you create a Google Cloud Run service, you specify a name for the deployed service. The Service Name is used as part of the deployed URL. Service Names must follow the rules for DNS names:

  • Start with a lowercase letter.
  • Up to 64 characters long.
  • Comprise lowercase letters, numbers or hyphens.
  • Cannot end with a hyphen.
  • Cannot include underscores.

For more information about DNS names, refer to RFC 2181.

Cloud Run Service URL

Google Cloud Run creates a Service URL based upon the Service Name concatenated with a hash identifier of your Google Cloud Project, plus the Google-controlled Base Domain a.run.app. An example is cloudrun-a1b2c37qaq-uc.a.run.app. The Service URL supports both HTTP and HTTPS protocols. The SSL certificate contains the following details:

  • Issued by “Google Internet Authority G3”.
  • Issued to “*.appspot.com”.
  • Includes SAN for “*.a.run.app”.
  • Valid for 90 days (typically).

SAN: Subject Alternative Name

If you point a custom domain at the Service URL with your own DNS server, without using the Cloud Run Domain Mapping feature (for example, cloudrun.example.com CNAME cloudrun-a1b2c37qaq-uc.a.run.app), you will receive the certificate error “ERR_CERT_COMMON_NAME_INVALID” when you load the URL in your browser. The reason is that HTTPS requires the SSL certificate to contain the hostname of the URL that you are visiting in either the Subject or SAN fields. Cloud Run Domain Mapping adds support for custom domain names by creating a custom managed SSL certificate for you that matches your domain name.

The managed SSL certificate contains the following details:

  • Issued by “Let’s Encrypt Authority X3”.
  • Issued to “cloudrun.example.com”.
  • Includes SAN for “cloudrun.example.com”.
  • Valid for 90 days (typically).
  • Google manages SSL certificate renewal automatically.
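
The hostname check behind that browser error can be reproduced offline. The following Go program is an added example, not code from the original article: it runs the names from the two certificate descriptions above through the same matching rules Go's TLS client uses. The function and variable names are hypothetical, and the name lists are constructed from the article's bullet points rather than read from live certificates.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// Names constructed from the article's two certificate descriptions. The
// "Issued to" name is listed as a candidate next to the SAN entry.
var (
	defaultCertSANs = []string{"*.appspot.com", "*.a.run.app"}
	managedCertSANs = []string{"cloudrun.example.com"}
)

// MatchingSAN returns the first name in sans that covers host, or "" if none
// does. It reuses x509.Certificate.VerifyHostname, so a "*" wildcard stands
// for exactly one leftmost DNS label.
func MatchingSAN(sans []string, host string) string {
	for _, san := range sans {
		// For a DNS host, VerifyHostname only consults DNSNames, so a bare
		// struct holding one candidate name is enough for this check.
		cert := &x509.Certificate{DNSNames: []string{san}}
		if cert.VerifyHostname(host) == nil {
			return san
		}
	}
	return ""
}

func report(label string, sans []string, host string) {
	if san := MatchingSAN(sans, host); san != "" {
		fmt.Printf("%-8s %-34s OK (matched %q)\n", label, host, san)
		return
	}
	fmt.Printf("%-8s %-34s MISMATCH: no name in %v covers it\n", label, host, sans)
}

func main() {
	// Service URL host: covered by the wildcard on the default certificate.
	report("default", defaultCertSANs, "cloudrun-a1b2c37qaq-uc.a.run.app")
	// Plain CNAME without Domain Mapping: the default certificate is served.
	report("default", defaultCertSANs, "cloudrun.example.com")
	// After Domain Mapping: the managed certificate names the custom domain.
	report("managed", managedCertSANs, "cloudrun.example.com")
	// A wildcard never spans two labels.
	report("default", defaultCertSANs, "a.b.a.run.app")
}
```

The second line of output is the case the browser reports as ERR_CERT_COMMON_NAME_INVALID: the CNAME delivers the request to Cloud Run, but the certificate presented there does not name the custom domain.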

Domain Ownership

For this section, let’s assume that the domain name that you want to use is example.com. You plan to deploy several Cloud Run services with custom domain names based on example.com. The domain example.com is the “Base Domain”.

Before you can use a Base Domain in Google Cloud Run, you must verify ownership. You can do this in the Google Cloud Console or with the Google Cloud SDK CLI. For these examples, we will use the CLI.

At your terminal, execute the following command to begin the process to verify domain ownership:

This command launches Google Webmaster Central. In the Webmaster console, complete domain ownership verification. If you have already verified your domain, you will be notified of that and the verification process can be skipped. For more information about Webmaster Central, refer to Verify your site ownership.

Once the domain ownership verification is complete, you can map Cloud Run services to the Base Domain or any subdomain of the Base Domain, for example cloudrun.example.com.

Mapping a Custom Domain

Mapping a custom domain is a three-step process. First you create a domain-mapping in Google Cloud Run. Second, you create DNS Resource Records in your DNS server. Third, Google Cloud Run verifies the required DNS Resource Records and issues the custom SSL certificate bound to your Cloud Run service.

Step 1: Create a Domain Mapping

In this example, I have created a Cloud Run Service named cloudrun. The Base Domain is example.com and I want to create the custom domain cloudrun.example.com.

Important Note: In my Go code that creates Cloud Run Domain Mappings, I use a service account for authorization. I had to add the service account’s email address to the Webmaster Console as a verified owner of the domain name. I will be publishing this source code in another article in this series and on GitHub.

Step 2: Create the DNS Resource Records

At the bottom of the listing are the DNS Resource Record(s) that you need to create in your DNS server:

For my Google DNS Server, I have named my Zone “jhanley”. Example Google Cloud SDK CLI commands to add the required DNS Resource Record:

Step 3: Google Deploys Custom SSL Certificate

In Step 1, where we created the domain mapping, Google automatically started a background process that polls your DNS server looking for the correct DNS Resource Records. Once found, Google automatically provisions the SSL certificate. The entire process takes about five to ten minutes after the correct DNS Resource Records are created by you.

Displaying Google Cloud Run Domain Mappings

The following command will display the current domain mappings. In the source code that I wrote for this article, the same information is displayed.

Example Program to List Google Cloud Run Domain Mappings

This program requires a command-line option --project PROJECT_ID

There is one additional command-line option, --debug. This option enables displaying everything, which is useful for studying the various records and interfaces for Google Cloud Run.

This code only supports one region at a time. At line 21 is the constant endpoint. Select the region for your services.

 

Credits

I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Anthony at Pexels.