Cloud Run Job Chart

A Helm chart to template the manifest of a Cloud Run Job.

Minimal JobJob with Direct VPC Connect

name: my-job
image: ghcr.io/my-org/my-image@sha256:abc123
region: us-central1
env: 
  MY_ENV_VAR: my-value

name: my-job
image: ghcr.io/my-org/my-image@sha256:abc123
region: us-central1
vpc: 
  network: my-network
  subnetwork: my-subnetwork

---

global

0.1.1 object

These values can be set globally and will be used for all subcharts. If you want to set them for a specific subchart, you can do so by setting the values in the subchart itself.

global: 
  project: my-project
  region: us-central1

---

project

0.3.0 string

The Google cloud project to deploy the Cloud Run Service or Job to.

global:
  project: my-project

region

0.3.0 string ^(asia|europe|me|us|africa|australia|northamerica|southamerica)-[a-z]+(\d+)$ us-central1

The region to deploy the CloudRun service to. Uses the default region if not provided.

Example 1Example 2Example 3

global:
  region: us-central1

global:
  region: europe-west1

global:
  region: asia-east1

name

0.1.1 string 63 ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

Name of the Cloud Run Service or Job. Must be unique within the project region combination.

name: my-cloudrun-container

project

0.1.1 string

The Google cloud project to deploy the Cloud Run Service or Job to.

project: my-project

region

0.1.1 string ^(asia|europe|me|us|africa|australia|northamerica|southamerica)-[a-z]+(\d+)$ us-central1

The region to deploy the CloudRun service to. Uses the default region if not provided.

Example 1Example 2Example 3

region: us-central1

region: europe-west1

region: asia-east1

image

0.1.1 object, string us-docker.pkg.dev/cloudrun/container/hello

Container image to deploy. You can provide a direct reference to an image using a string or split up the inputs using the object.

Direct image referenceSplit image referenceSplit image reference with tag and registry

image: ghcr.io/my-org/my-image@sha256:abc123

image: 
  repository: ghcr.io/my-project
  name: my-image

image: 
  registry: ghcr.io
  repository: my-project
  name: my-image
  tag: 0.3.0

---

name

0.1.0 string

Container image name.

image:
  name: my-image

registry

0.1.0 string

Container image registry.

image:
  registry: gcr.io

repository

0.1.0 string

Container image repository.

Example 1Example 2

image:
  repository: gcr.io/my-project

image:
  repository: my-project # if used with a registry

tag

0.1.0 string latest

Container image tag.

Example 1Example 2Example 3

image:
  tag: latest

image:
  tag: @sha256:abc123

image:
  tag: 0.3.0

revisionName

0.1.1 string

The name of the Cloud Run revision to deploy. If not provided, a random name will be generated. The revision will always be prefixed with the service name.

revisionName: my-revision

containerName

0.1.1 string

Optional name for the container within a revision. Automatically generated if not supplied.

containerName: my-container

serviceAccountName

0.1.0 string

Service account to use to run the CloudRun container. If not provided, the default service account of the project is used.

serviceAccountName: my-service-account@my-project.iam.gserviceaccount.com

description

0.1.1 string

A human-readable description of the CloudRun service.

description: My service does xyz.

env

0.1.0 object

Environment variables to set in the CloudRun container. Using an object allows merging of multiple values, e.g. env.staging and env.production.

env: 
  MY_ENV_VAR: my-value

secrets

0.1.0 object

Secrets to map as environment variables in the Cloud Run container.

Latest SecretSpecific Secret VersionCross Project Secret with Project NumberCross Project Secret with Project IDMixed Local and Cross Project Secrets

secrets: 
  MY_ENV_VAR: my-secret-name

secrets: 
  MY_ENV_VAR: 
    secret: my-secret-name
    version: 2

secrets: 
  MY_ENV_VAR: 
    secret: another-secret-name
    project: 123456789
    version: 1

secrets: 
  MY_ENV_VAR: 
    secret: another-secret-name
    project: my-project-id
    version: 1

secrets: 
  LOCAL_ENV_VAR: my-secret-name
  CROSS_ENV_VAR: 
    secret: another-secret-name
    project: my-project-id

command

0.1.0 array []

Command that runs when the container starts.

command:
  - echo
  - Hello, world!

args

0.1.0 array []

Arguments to pass to the command.

args:
  - --help

parallelism

0.1.1 integer 0

The number of instances of the job to run in parallel. The maximum number of instances is limited by the CPU and project quotas. It also highly depends on the consumed resources, e.g. database connections, etc.

parallelism: 1

taskCount

0.1.1 integer 1

Specifies the desired number of tasks the execution should run. Setting to 1 means that parallelism is limited to 1 and the success of that task signals the success of the execution. Defaults to 1.

taskCount: 10

timeoutSeconds

0.1.1 integer 600

The maximum duration in seconds to allow the job to run. If the job is still running after this time, it will be terminated.

timeoutSeconds: 3600

maxRetries

0.1.1 integer 3

The maximum number of retries for the job. If the job fails, it will be retried up to this number of times.

maxRetries: 0

resources

0.1.0 object

Resource requests and limits for the CloudRun container. If not provided, defaults are used.

DefaultReduced Scaling LatencyHigh Memory

resources: 
  cpuThrottling: true
  startupBoost: false
  limits: 
    cpu: 1
    memory: 512Mi

resources: 
  cpuThrottling: false
  startupBoost: true

resources: 
  limits: 
    cpu: 4
    memory: 8Gi

---

cpuThrottling

0.1.0 boolean True

Whether to throttle the CPU. This has significant impact on billing if set to false.

resources:
  cpuThrottling: false

gpu

0.1.0 boolean False

Whether to enable GPU support for the Cloud Run container. Only a single GPU per cloud run container is supported and will incur additional costs.

resources:
  gpu: true

limits

0.1.0 object

---

cpu

0.1.0 number 1

Maximum CPUs to allocate for the Cloud Run container.
Can be 1, 2, 4, 6, 8, or any fractional value from 0.08 to less than 1 in increments of 0.01.

The following are minimum memory requirements for CPUs:

CPUs	Minimum memory
4	2 GiB
6	4 GiB
8	4 GiB

If you use less than 1 CPU, the following requirments are enforced:

Setting	Requirement
Memory	A minimum of 0.5 CPU is needed to set a memory limit greater than 512MiB. A minimum of 1 CPU is needed to set a memory limit greater than 1GiB.
Concurrency	Maximum concurrency must be set to 1.
CPU allocated	CPU allocation must be set to CPU allocated only during request processing.
Execution environment	You must use the first generation execution environment.

MinimumMaximum

resources:
  limits:
    cpu: 0.08

resources:
  limits:
    cpu: 8

memory

0.1.0 string ^\d+(\.\d+)?(Mi|Gi)$ 512Mi

Maximum memory to allocate for the Cloud Run container. Must be at least 2GiB for 4 CPUs and 4GiB for 6-8 CPUs.

Example 1Example 2

resources:
  limits:
    memory: 2Gi

resources:
  limits:
    memory: 1024Mi

startupBoost

0.1.0 boolean False

Whether to boost the CPUs at the start of the container.

resources:
  startupBoost: false

volumes

0.1.0 object

Volume configurations for the Cloud Run container. Each key is the volume name and must be a valid k8s name (lowercase alphanumeric with dashes).

SecretEmptyDirGCSNFS

volumes: 
  config: 
    mountPath: /etc/config
    secret: 
      name: my-secret
      items:
        -
          version: 1
          path: config.json

volumes: 
  cache: 
    mountPath: /cache
    readOnly: false
    emptyDir: 
      sizeLimit: 256Mi
      medium: Memory

volumes: 
  data: 
    mountPath: /data
    gcs: 
      bucket: my-data-bucket
      mountOptions: 
        file-mode: 0644
        dir-mode: 0755

volumes: 
  shared: 
    mountPath: /shared
    nfs: 
      server: 10.0.0.1
      path: /exports/data

---

volume

0.1.0 object ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

---

mountPath

0.1.0 string ^/.*

Path where the volume should be mounted in the container

volumes:
  volume:
    mountPath: /data

readOnly

0.1.0 boolean False

Whether the volume should be mounted read-only

volumes:
  volume:
    readOnly: true

---

The volumes.volume setting requires exactly one of the following configurations:

secretemptyDirgcsnfs

secret

0.1.0 object

Mount a Secret Manager secret as a volume

Latest Secret Version MountMultiple Secret Versions MountCross-Project Secret Mount

volumes:
  volume:
    secret: 
      name: my-secret
      items:
        -
          path: config.json

volumes:
  volume:
    secret: 
      name: my-secret
      items:
        -
          version: 1
          path: old_key.pem
        -
          version: 2
          path: new_key.pem

volumes:
  volume:
    secret: 
      name: my-secret
      project: my-project
      items:
        -
          version: 1
          path: config.json

---

name

0.1.0 string

Name of the secret in Secret Manager

project

0.1.0 string

Project ID for cross-project secrets. If not provided, the project of the Cloud Run service is used.

items

0.1.0 array

List of specific secret versions to mount

emptyDir

0.1.0 object

Create an ephemeral in memory volume that exists for the lifetime of the container

volumes:
  volume:
    emptyDir: 
      size: 256Mi

---

size

0.1.0 string ^\d+(\.\d+)?(Mi|Gi)$

Maximum size of the volume. Must not exceed the memory limit of the container.

gcs

0.1.0 object

Mounts a Google Cloud Storage bucket.

GCS BucketBucket with Mount Options

volumes:
  volume:
    gcs: 
      bucket: my-bucket

volumes:
  volume:
    gcs: 
      bucket: my-bucket
      mountOptions: 
        file-mode: 0644
        dir-mode: 0755

---

bucket

0.1.0 string

Name of the GCS bucket to mount

mountOptions

0.1.0 object

Additional mount options for gcsfuse

nfs

0.1.0 object

Mount an NFS share. The Cloud Run container must be connected via a VPC connector or direct VPC connection to the subnet where the NFS server is located.

volumes:
  volume:
    nfs: 
      server: 10.0.0.1
      path: /exports/data

---

server

0.1.0 string ^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[a-zA-Z0-9][-a-zA-Z0-9.]*[a-zA-Z0-9]$

IP address or hostname of the NFS server

path

0.1.0 string ^/.*

Path that is exported by the NFS server

network

0.1.0 object

VPC and networking configuration for the Cloud Run service

Direct VPC ConnectionVPC ConnectorCross-Project VPC Access

network: 
  vpc: my-vpc
  subnetwork: my-subnet
  egress: all-traffic

network: 
  egress: private-ranges-only
  connector: my-connector

network: 
  vpc: projects/other-project/global/networks/my-vpc
  subnetwork: projects/other-project/regions/us-central1/subnetworks/my-subnet
  egress: all-traffic

---

egress

0.1.0 string private-ranges-only · all-traffic private-ranges-only

The egress type to use for the Cloud Run container if connected to a VPC. In general, use private-ranges-only to reduce latency and bottlenecks when calling external services. Can only be set when connector or vpc and subnetwork are set.

network:
  egress: all-traffic

---

The network setting requires exactly one of the following configurations:

connectorvpc

connector

0.1.0 string ^(projects/[^/]+/locations/[^/]+/connectors/[^/]+|[a-z][-a-z0-9]*[a-z0-9])$

Name of the VPC connector to use for the CloudRun container. Uses a serverless VPC access connector. Cannot be used with network.

Example 1Example 2

network:
  connector: projects/my-project/locations/us-central1/connectors/my-connector

network:
  connector: my-connector

vpc

0.1.0 string ^(projects/[^/]+/global/networks/[^/]+|[a-z][-a-z0-9]*[a-z0-9])$

Name of the VPC network to use to create a direct VPC connection. Must be used with subnetwork. Cannot be used with connector.

Example 1Example 2

network:
  vpc: projects/my-project/global/networks/my-vpc

network:
  vpc: my-vpc

subnetwork

0.1.0 string ^(projects/[^/]+/regions/[^/]+/subnetworks/[^/]+|[a-z][-a-z0-9]*[a-z0-9])$

Name of the VPC subnetwork to use to create a direct VPC connection. Must be used with vpc. Cannot be used with connector.

Example 1Example 2

network:
  subnetwork: projects/my-project/regions/us-central1/subnetworks/my-subnet

network:
  subnetwork: my-subnet

tags

0.1.0 array []

Tags to apply to the network interfaces created for the Cloud Run container. Use the network tags feature of VPC access connectors to control traffic to and from the service.

network:
  tags:
    - tag1
    - tag2

cloudsql

0.1.0 object

CloudSQL configuration for the Cloud Run service. If not provided, the service will not be connected to any CloudSQL instances.

Info

Defining this will automatically inject a CLOUD_SQL_CONNECTION environment variable with the format /cloudsql/project:region:instance. Some libraries will automatically append the required /.s.PGSQL.5432 suffix to connect to the correct unix socket, while others do not. The environment variable is provided without the socket suffix.

Direct CloudSQL Connection in same regionDirect CloudSQL Connection in different region

cloudsql: 
  instance: my-instance
  project: my-project

cloudsql: 
  instance: my-instance
  project: my-project
  region: europe-west1

---

instance

0.1.0 string

CloudSQL instance name.

cloudsql:
  instance: my-instance

project

0.1.0 string

CloudSQL project name.

cloudsql:
  project: my-project

region

0.1.0 string .region

CloudSQL region. Defaults to the region of the Cloud Run service.

cloudsql:
  region: us-central1

executionEnvironment

0.1.0 string gen2 · gen1 gen2

The execution environment to use for the Cloud Run container.

executionEnvironment: gen1

launchStage

0.1.0 string ALPHA · BETA · GA BETA

The launch stage of the Cloud Run service. Controls feature availability.

launchStage: GA

binaryAuthorization

0.1.0 boolean False

Whether to enforce Binary Authorization policy for this service.

binaryAuthorization: true

encryption

0.1.0 object

The KMS key to use for encrypting this service. Must be located in the same region and project as the Cloud Run service.

encryption: 
  key: my-key
  keyring: my-keyring

---

key

0.1.0 string

The KMS key to use for encrypting this service.

keyring

0.1.0 string

The KMS keyring where the key is stored.

---