Spaces:
Running on Zero
Running on Zero
File size: 4,307 Bytes
7939f87 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | #!/usr/bin/env bash
# Deploy movimento text encoder service to Cloud Run.
# Usage:
# PROJECT_ID=movimento-text-encoder REGION=europe-west1 HF_TOKEN=hf_xxx ./cloud-run/deploy_text_encoder.sh
# PROJECT_ID=movimento-text-encoder REGION=europe-west1 HF_SECRET_NAME=hf-token ALLOW_UNAUTHENTICATED=false ./cloud-run/deploy_text_encoder.sh
# PROJECT_ID=movimento-text-encoder REGION=europe-west1 GPU_TYPE=nvidia-h200-141gb GPU_COUNT=1 ./cloud-run/deploy_text_encoder.sh
set -euo pipefail
: "${PROJECT_ID:?Set PROJECT_ID (e.g. movimento-text-encoder)}"
REGION="${REGION:-europe-west1}"
SERVICE_NAME="${SERVICE_NAME:-movimento-text-encoder}"
REPO_NAME="${REPO_NAME:-kimodo}"
IMAGE_NAME="${IMAGE_NAME:-kimodo}"
IMAGE_TAG="${IMAGE_TAG:-latest}"
HF_SECRET_NAME="${HF_SECRET_NAME:-hf-token}"
ALLOW_UNAUTHENTICATED="${ALLOW_UNAUTHENTICATED:-true}"
GPU_TYPE="${GPU_TYPE:-nvidia-l4}"
GPU_COUNT="${GPU_COUNT:-1}"
if ! command -v gcloud >/dev/null 2>&1; then
echo "gcloud CLI not found. Run this script from Cloud Shell or install gcloud."
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IMAGE_URI="$REGION-docker.pkg.dev/$PROJECT_ID/$REPO_NAME/$IMAGE_NAME:$IMAGE_TAG"
echo "[deploy] project=$PROJECT_ID region=$REGION service=$SERVICE_NAME image=$IMAGE_URI"
echo "[deploy] auth policy (allUsers invoker): $ALLOW_UNAUTHENTICATED"
echo "[deploy] gpu profile: type=$GPU_TYPE count=$GPU_COUNT"
gcloud config set project "$PROJECT_ID" >/dev/null
echo "[deploy] enabling required APIs"
gcloud services enable run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com secretmanager.googleapis.com >/dev/null
if ! gcloud artifacts repositories describe "$REPO_NAME" --location="$REGION" >/dev/null 2>&1; then
echo "[deploy] creating Artifact Registry repo: $REPO_NAME"
gcloud artifacts repositories create "$REPO_NAME" \
--repository-format=docker \
--location="$REGION" \
--description="Movimento container images"
fi
if [[ -n "${HF_TOKEN:-}" ]]; then
if ! gcloud secrets describe "$HF_SECRET_NAME" >/dev/null 2>&1; then
echo "[deploy] creating secret: $HF_SECRET_NAME"
gcloud secrets create "$HF_SECRET_NAME" --replication-policy="automatic" >/dev/null
fi
echo "[deploy] updating secret version: $HF_SECRET_NAME"
printf '%s' "$HF_TOKEN" | gcloud secrets versions add "$HF_SECRET_NAME" --data-file=- >/dev/null
else
echo "[deploy] HF_TOKEN env var not set; expecting existing secret '$HF_SECRET_NAME'"
gcloud secrets describe "$HF_SECRET_NAME" >/dev/null
fi
PROJECT_NUMBER="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
RUNTIME_SA="${PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
echo "[deploy] granting Secret Manager access to runtime SA: $RUNTIME_SA"
gcloud secrets add-iam-policy-binding "$HF_SECRET_NAME" \
--member="serviceAccount:$RUNTIME_SA" \
--role="roles/secretmanager.secretAccessor" >/dev/null
echo "[deploy] building image: $IMAGE_URI"
gcloud builds submit "$REPO_ROOT" --config "$REPO_ROOT/cloudbuild.yaml" --substitutions="_IMAGE=$IMAGE_URI"
echo "[deploy] rendering Cloud Run manifest"
RENDERED_MANIFEST="/tmp/${SERVICE_NAME}-rendered.yaml"
sed \
-e "s|REGION-docker.pkg.dev/PROJECT_ID/kimodo/kimodo:latest|$IMAGE_URI|g" \
-e "s|HF_TOKEN_SECRET_NAME|$HF_SECRET_NAME|g" \
-e "s|GPU_TYPE_PLACEHOLDER|$GPU_TYPE|g" \
-e "s|GPU_COUNT_PLACEHOLDER|$GPU_COUNT|g" \
"$REPO_ROOT/cloud-run/text-encoder.yaml" > "$RENDERED_MANIFEST"
if grep -q 'HF_TOKEN_SECRET_NAME\|GPU_TYPE_PLACEHOLDER\|GPU_COUNT_PLACEHOLDER' "$RENDERED_MANIFEST"; then
echo "[deploy] rendered manifest still contains placeholders"
exit 1
fi
echo "[deploy] applying Cloud Run service"
gcloud run services replace "$RENDERED_MANIFEST" --region "$REGION" --project "$PROJECT_ID"
if [[ "$ALLOW_UNAUTHENTICATED" == "true" ]]; then
echo "[deploy] allowing unauthenticated invoke"
gcloud run services add-iam-policy-binding "$SERVICE_NAME" \
--region "$REGION" \
--project "$PROJECT_ID" \
--member "allUsers" \
--role "roles/run.invoker" >/dev/null || true
fi
SERVICE_URL="$(gcloud run services describe "$SERVICE_NAME" --region "$REGION" --project "$PROJECT_ID" --format 'value(status.url)')"
echo "[deploy] text encoder url: ${SERVICE_URL}/"
|