gcr | A node gitlab-ci-runner | Runtime Evironment library

If you want to use kubernetes inside a docker container my suggestion is to use k3d .

k3d is a lightweight wrapper to run k3s (Rancher Lab’s minimal Kubernetes distribution) in docker.k3d makes it very easy to create single- and multi-node k3s clusters in docker, e.g. for local development on Kubernetes.

You can Download , install and use it directly with Docker. For more information you can follow the official documentation from https://k3d.io/ .

To get the list of pods you dont' need to create a k8s cluster inside a docker container . what you need is a config file for any k8s cluster . ├── Dockerfile ├-- config └── main.py 0 directories, 3 files

after that :

Ingress internal means "Accept only the requests coming from the project's VPC or VPC SC perimeter".

When you use API Gateway, you aren't in your VPC, it's serverless, it's in Google Cloud managed VPC. Therefore, your query are forbidden.

And because API Gateway can't be plugged to a VPC Connector (for now) and thus can't route the request to your VPC, you can't use this ingress=internal mode.

Thus, the solution is to set an ingress to all, which is not a concern is you authorize only the legit accounts to access it.

For that, check in Cloud Run service is there is allUsers granted with the roles/run.invoker in your project.

• If yes, remove it

Then, create a service account and grant it the roles/run.invoker on the Cloud Run service.

Follow this documentation

• Step 4: update the x-google-backend in your OpenAPI spec file to add the correct authentication audience when you call your Cloud Run (it's the base service URL)
• Step 5: create a gateway with a backend service account; set the service account that you created previously

At the end, only the account authenticated and authorized will be able to reach your Cloud Run service

All the unauthorized access are filtered by Google Front End and discarded before reaching your service. Therefore, your service isn't invoked for nothing and therefore your pay nothing!

Only API Gateway (and the potential other accounts that you let on the Cloud Run service) can invoke to the Cloud Run service.

So, OK, your URL is public, reachable from the wild internet, but protected with Google Front End and IAM.

Looks like they key itself might not be correctly visible to the pod. I would start by getting into the pod with kubectl exec --stdin --tty -- /bin/bash and ensuring that the /var/key.json (per your config) is accessible and has the correct credentials.

The following would be a good way to mount the secret:

Cloud Build uses Docker to execute builds. To understand why Cloud Build creates intermediate containers, first you must understand the Docker build process.

For each build step, Cloud Build executes a Docker container as an instance of docker run. Each step is processed in an intermediate container.

"Those intermediate containers can succeed or fail. If they succeed, the intermediate container is merged with the image from the last successful build step, and then the intermediate container is deleted."

On the performance perspective, removing immediate containers are part of the build process and it helps reduce the size of your container image.

There are already some existing articles that further explains the Docker build process. Here are some interesting links:

• How are intermediate containers formed?
• https://blog.hipolabs.com/understanding-docker-without-losing-your-shit-cf2b30307c63
• https://medium.com/ihme-tech/troubleshooting-the-docker-build-process-454583c80665

Probably the wrapper-runner script generated by Bazel (you can find path to it by calling bazel build on a target) restrict set of modules available in your script. The proper approach is to fetch PyPI dependencies by Bazel, look at example

I'm unfamiliar with Watchtower but familiar with GCR.

If you want to authenticate to GCR and then interact with it solely through clients of the Docker Registry API (i.e. docker [push|pull] etc.), then you may want to consider creating a suitably IAM'd Service Account, a key and mounting the key via a volume mount into Watchtower. Then, you will be able to authenticate using docker login ... and avoid needing to install|use the Google Cloud SDK (gcloud).

See: https://cloud.google.com/container-registry/docs/advanced-authentication#json-key

You can't ignore some files from a pull request selectively. But there are 2 simple workarounds for this :

First -
Create a new branch from ‘develop’

Replace the non-required files from 'main'

Create pull request from this new branch

Second -
Create a new branch from 'main'

Put changes of required files from 'develop'

Create pull request from this new branch

Any of these methods will work. Which will be easier depends on how many files are to be included / excluded.

Example :
Considering main as target and dev as source

Something was wrong with firebase functions on google cloud sever. I just removed the faulty firebase function from functions dashboard and deployed my local function again. And it worked.

I solved this issue using maven settings xml file. I followed below steps.

1. Create maven settings.xml in root directory.