Neutrollized / hashicorp-vault-with-cloud-run

Running your own (serverless) HashiCorp Vault server using Google Cloud's Cloud Run
Apache License 2.0
20 stars 13 forks

Container can't start #3

Open Abdulaziz-MARIE opened 1 day ago

Abdulaziz-MARIE commented 1 day ago

Container failed to start when deploying to Cloud Run:

ERROR: (gcloud.beta.run.deploy) Revision 'hashicorp-vault-00004-2fb' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=8200 environment variable within the allocated timeout. This can happen when the container port is misconfigured or if the timeout is too short. The health check timeout can be extended. Logs for this revision might contain more information.

Here is my Cloud Run service: …

    Service hashicorp-vault in region europe-west3

    URL:     https://hashicorp-vault-XXXXXXXXX.europe-west3.run.app
    Ingress: all
    Traffic: 100% (currently -) LATEST (currently hashicorp-vault-00002-5zh)

    Revision hashicorp-vault-00005-8vn
    Container vault-server-1
      Image:           europe-west3-docker.pkg.dev/XXXX-XXXXX/vault-docker-repository/vault-server:12421d80466a34d35f3be868b4587417fd369762
      Port:            8200
      Memory:          512Mi
      CPU:             1000m
      Secrets:
        /etc/vault     vault-server-config:latest
      Startup Probe:   TCP every 240s
        Port:              8200
        Initial delay:     180s
        Timeout:           240s
        Failure threshold: 5
        Type:              Custom
    Service account: vault-server-sa@XXXX_XXXX.iam.gserviceaccount.com
    Concurrency:     20
    Min Instances:   1
    Max Instances:   1
    Timeout:         300s
    Execution Environment: Second Generation

Neutrollized commented 1 day ago

Yes, there's an issue with the schema not recognizing the env parameter, which is the way I had been passing the 3 environment variables (near the bottom in the deploy step). As a result, when the container starts, the required settings are not being passed to Vault's config file and hence it's failing to start. What you can do for now is add:

  - '--set-env-vars'
  - 'GOOGLE_PROJECT=${PROJECT_ID},GOOGLE_STORAGE_BUCKET=${_GCS_BUCKET_NAME},VAULT_GCPCKMS_SEAL_KEY_RING=${_KMS_KEY_RING}'

to pass the env vars instead. I was using the env method because it looked cleaner (but it doesn't seem to work anymore, and the docs don't mention that in the Cloud Build schema).

I'll be making this change when I release some updates most likely this weekend, but you can make the change to the cloudbuild.yaml file yourself and recommit to rerun your build.
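A pre-flight check for the deploy step in cloudbuild.yaml, added here as an example for this issue; it is not code from the repository. It models the step as the Python structures a YAML loader would produce (so it runs without PyYAML), and the builder image name, the `_REGION` substitution and the sample values are assumptions; only the three variable names and the `--set-env-vars` line come from the thread. `check_deploy_step` reports any required variable that does not reach the service through `--set-env-vars`, flags the same variables if they only sit on the step's `env:` block, and confirms that every `${_NAME}` used in a value is declared.

```python
"""Pre-flight check for a Cloud Build step that hands Vault its settings as
Cloud Run environment variables. Added example; not the repository's code.
The deploy step and substitution values below are constructed."""
import re

# The three variables the Vault image expects, from the fix in this thread.
REQUIRED_VARS = ("GOOGLE_PROJECT", "GOOGLE_STORAGE_BUCKET",
                 "VAULT_GCPCKMS_SEAL_KEY_RING")

# Built-in Cloud Build substitutions need no declaration; user-defined ones
# start with '_' and must appear under 'substitutions:'.
BUILTIN_SUBSTITUTIONS = {
    "PROJECT_ID", "PROJECT_NUMBER", "BUILD_ID", "LOCATION", "COMMIT_SHA",
    "SHORT_SHA", "REVISION_ID", "BRANCH_NAME", "TAG_NAME", "REPO_NAME",
    "TRIGGER_NAME",
}
SUBST_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_set_env_vars(value):
    """Split a --set-env-vars value into a dict. gcloud splits on ',' unless
    the value starts with '^<delim>^', which selects another delimiter so
    values that themselves contain commas can be passed."""
    delim = ","
    if value.startswith("^"):
        end = value.index("^", 1)
        delim, value = value[1:end], value[end + 1:]
    env = {}
    for item in value.split(delim):
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed KEY=VALUE entry: {item!r}")
        env[key] = val
    return env


def env_vars_from_args(args):
    """Collect KEY=VALUE pairs from every --set-env-vars occurrence, in both
    the '--set-env-vars VALUE' and the '--set-env-vars=VALUE' spelling."""
    env = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--set-env-vars" and i + 1 < len(args):
            env.update(parse_set_env_vars(args[i + 1]))
            i += 2
            continue
        if arg.startswith("--set-env-vars="):
            env.update(parse_set_env_vars(arg.split("=", 1)[1]))
        i += 1
    return env


def check_deploy_step(step, substitutions, required=REQUIRED_VARS):
    """Return a list of problems with the step; an empty list means it passes."""
    problems = []
    env = env_vars_from_args(step.get("args", []))
    for name in required:
        if name not in env:
            problems.append(f"{name} is not passed to the service with --set-env-vars")
    # 'env:' on a build step sets variables for the build container only;
    # the deployed Cloud Run service never sees them.
    for entry in step.get("env", []):
        key = entry.partition("=")[0]
        if key in required and key not in env:
            problems.append(f"{key} is only set with 'env:' on the build step")
    # Every ${_NAME} used in a value must be declared, built-ins excepted.
    referenced = {n for v in env.values() for n in SUBST_RE.findall(v)}
    for name in sorted(referenced - BUILTIN_SUBSTITUTIONS - set(substitutions)):
        problems.append(f"substitution {name} is referenced but not declared")
    return problems


# Constructed deploy step modelled on the fix in this thread; the builder
# image and the _REGION substitution are assumptions, not from the thread.
DEPLOY_STEP = {
    "name": "gcr.io/google.com/cloudsdktool/cloud-sdk",
    "entrypoint": "gcloud",
    "args": [
        "beta", "run", "deploy", "hashicorp-vault",
        "--image", "${_REGION}-docker.pkg.dev/${PROJECT_ID}/vault-docker-repository/vault-server:${COMMIT_SHA}",
        "--region", "${_REGION}",
        "--port", "8200",
        "--set-env-vars",
        "GOOGLE_PROJECT=${PROJECT_ID},GOOGLE_STORAGE_BUCKET=${_GCS_BUCKET_NAME},VAULT_GCPCKMS_SEAL_KEY_RING=${_KMS_KEY_RING}",
    ],
}
# The broken variant: the same variables on the step's 'env:' block only.
BROKEN_STEP = {
    "name": DEPLOY_STEP["name"],
    "entrypoint": "gcloud",
    "args": DEPLOY_STEP["args"][:-2],
    "env": [
        "GOOGLE_PROJECT=${PROJECT_ID}",
        "GOOGLE_STORAGE_BUCKET=${_GCS_BUCKET_NAME}",
        "VAULT_GCPCKMS_SEAL_KEY_RING=${_KMS_KEY_RING}",
    ],
}
SUBSTITUTIONS = {"_REGION": "europe-west3",
                 "_GCS_BUCKET_NAME": "example-vault-bucket",
                 "_KMS_KEY_RING": "vault-keyring"}

if __name__ == "__main__":
    for label, step in (("fixed", DEPLOY_STEP), ("broken", BROKEN_STEP)):
        print(label, check_deploy_step(step, SUBSTITUTIONS) or "OK")
```

Run it before pushing a change to cloudbuild.yaml: the fixed step reports nothing, while the variant that relies on the step's `env:` block lists each of the three variables twice (missing from `--set-env-vars`, and present only on the build step), which is the start-up failure this issue describes. Leaving `substitutions:` empty also surfaces the two undeclared `_GCS_BUCKET_NAME` and `_KMS_KEY_RING` references.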

Neutrollized commented 1 day ago

I created a bug report for this.

Abdulaziz-MARIE commented 1 day ago

After adding

  - '--set-env-vars'
  - 'GOOGLE_PROJECT=${PROJECT_ID},GOOGLE_STORAGE_BUCKET=${_GCS_BUCKET_NAME},VAULT_GCPCKMS_SEAL_KEY_RING=${_KMS_KEY_RING}'

it worked like a charm.