DNS points straight to Cloud Run
The usual way to expose Cloud Run on a custom domain is to put a Google Cloud external HTTPS Load Balancer in front of it. The catch: an HTTPS LB carries a fixed hourly cost just to exist, on the order of ~€18 / month, before it serves a single request. For a few small personal sites, that is way too much.
So there is no load balancer here. Cloud DNS maps each domain
straight to its Cloud Run service: apex domains get Google-hosted
A/AAAA records, subdomains get a CNAME to
ghs.googlehosted.com, and Cloud Run domain mappings
terminate TLS with a Google-managed certificate. Same HTTPS, custom
domains, automatic certs, without the fixed monthly bill.