pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

Error creating Service: Post "https://-run.googleapis.com/..." #2384

Closed timharek closed 1 month ago

timharek commented 1 month ago

Describe what happened

I'm trying to create a new Cloud Run service based on a newly created and pushed Docker-image to Artifact Registry, but I get an error telling me that there was an error when creating the service.

Sample program

package main

import (
    "github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
    "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/artifactregistry"
    "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/cloudrun"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        cfg := config.New(ctx, "")
        key := cfg.RequireSecret("googleServiceAccountKey")
        imageName := cfg.Get("image-name")
        if len(imageName) == 0 {
            imageName = "cw-24so-staging"
        }
        location := cfg.Get("location")
        if len(location) == 0 {
            location = "europe-west4"
        }

        repositroyName := "contracting-works-staging"
        _, err := artifactregistry.NewRepository(ctx, repositroyName, &artifactregistry.RepositoryArgs{
            Format:       pulumi.String("DOCKER"),
            RepositoryId: pulumi.String(repositroyName),
        })
        if err != nil {
            return err
        }

        image, err := docker.NewImage(ctx, repositroyName, &docker.ImageArgs{
            Build: docker.DockerBuildArgs{
                Context:  pulumi.String("../.."),
                Platform: pulumi.String("linux/amd64"),
            },
            ImageName: pulumi.Sprintf("europe-west4-docker.pkg.dev/%s/%s/%s:latest", "projectId", repositroyName, imageName),
            Registry: &docker.RegistryArgs{
                Server:   pulumi.String("europe-west4-docker.pkg.dev"),
                Username: pulumi.String("_json_key"),
                // TODO: Add 1Password key
                Password: key,
            },
        })
        if err != nil {
            return err
        }

        service, err := cloudrun.NewService(ctx, "contracting-works-24-staging", &cloudrun.ServiceArgs{
            Location: pulumi.String(cfg.Get("location")),
            Template: cloudrun.ServiceTemplateArgs{
                Spec: cloudrun.ServiceTemplateSpecArgs{
                    Containers: cloudrun.ServiceTemplateSpecContainerArray{
                        cloudrun.ServiceTemplateSpecContainerArgs{
                            Image: image.ImageName,
                        },
                    },
                },
            },
        })
        if err != nil {
            return err
        }

        _, err = cloudrun.NewIamMember(ctx, "cw-everyone", &cloudrun.IamMemberArgs{
            Service:  service.Name,
            Location: pulumi.String(location),
            Role:     pulumi.String("roles/run.invoker"),
            Member:   pulumi.String("allUsers"),
        })

        if err != nil {
            return err
        }

        ctx.Export("imageName", image.ImageName)
        return nil
    })
}

Log output

Updating (dev):
     Type                     Name                          Status                  Info
     pulumi:pulumi:Stack      cloud-run-deploy-dev          **failed**              1 error
 ~   ├─ docker:index:Image    contracting-works-staging     updated (28s)           [diff: ~build]
 +   ├─ gcp:cloudrun:Service  contracting-works-24-staging  **creating failed**     1 error
     └─ gcp:cloudrun:Service  contracting-works-24-staging: sdk.h
  **failed**              1 error

Diagnostics:
  pulumi:pulumi:Stack (cloud-run-deploy-dev):
    error: update failed

  gcp:cloudrun:Service (contracting-works-24-staging):
    error: 1 error occurred:
        * Error creating Service: Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: certificate is valid for *.googleapis.com, googleapis.com, [...], not -run.googleapis.com

  gcp:cloudrun:Service (contracting-works-24-staging):
    error:   sdk-v2/provider2.go:385: sdk.helper_schema: Error creating Service: Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: certificate is valid for *.googleapis.com, googleapis.com, [...], not -run.googleapis.com: provider=google-beta@7.38.0

Affected Resource(s)

No response

Output of pulumi about

CLI
Version      3.132.0
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  docker  4.5.5
resource  gcp     7.38.0
language  go      unknown

Host
OS       darwin
Version  14.4.1
Arch     arm64

This project is written in go: executable='/opt/homebrew/bin/go' version='go version go1.23.1 darwin/arm64'

Current Stack: organization/cloud-run-deploy/dev

TYPE                                        URN
pulumi:pulumi:Stack                         urn:pulumi:dev::cloud-run-deploy::pulumi:pulumi:Stack::cloud-run-deploy-dev
pulumi:providers:gcp                        urn:pulumi:dev::cloud-run-deploy::pulumi:providers:gcp::default_7_38_0
gcp:artifactregistry/repository:Repository  urn:pulumi:dev::cloud-run-deploy::gcp:artifactregistry/repository:Repository::contracting-works-staging
pulumi:providers:docker                     urn:pulumi:dev::cloud-run-deploy::pulumi:providers:docker::default_4_5_5
docker:index/image:Image                    urn:pulumi:dev::cloud-run-deploy::docker:index/image:Image::contracting-works-staging

Found no pending operations associated with dev

Backend
Name           tbp14
URL            file://~
User           tim
Organizations
Token type     personal

Dependencies:
NAME                                 VERSION
github.com/pulumi/pulumi-gcp/sdk/v7  v7.38.0
github.com/pulumi/pulumi/sdk/v3      v3.129.0

Pulumi locates its logs in /var/folders/25/qh1ztyt92wj0q94n723xxdhc0000gn/T/ by default

Additional context

No response


iwahbe commented 1 month ago

Hi @timharek. It looks like the resource is hitting the wrong URL.

Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: ...

I imagine that it should be hitting run.googleapis.com, not -run.googleapis.com. Can you try using location (since it has a default value) instead of cfg.Get("location")?


        service, err := cloudrun.NewService(ctx, "contracting-works-24-staging", &cloudrun.ServiceArgs{
-           Location: pulumi.String(cfg.Get("location")),
+           Location: pulumi.String(location),
            Template: cloudrun.ServiceTemplateArgs{
                Spec: cloudrun.ServiceTemplateSpecArgs{
                    Containers: cloudrun.ServiceTemplateSpecContainerArray{
                        cloudrun.ServiceTemplateSpecContainerArgs{
                            Image: image.ImageName,
                        },
                    },
                },
            },
        })
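
Review bot: The `Location:` line now depends on the `len(location) == 0` fallback set earlier in the program, while nothing rejects an empty value before it reaches the provider, so a future `cfg.Get("location")` call site would fail the same way, with a TLS hostname error rather than a config error. Read the value once and return an error when it is empty (or use `cfg.Require("location")` if no default is intended). Separately, the `docker.NewImage` arguments in the sample hardcode `europe-west4-docker.pkg.dev`, so a configured location other than the default would leave the image registry and the service in different regions.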

That error combined with templating like 👇 could produce this kind of error:

google-beta/transport/config.go
527:    CloudRunBasePathKey:                 "https://{{location}}-run.googleapis.com/",
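
An added example (not from the thread or from the provider's code) of the failure described above: it renders the quoted base-path template with an empty location, then checks the result with a pre-flight hostname check and with Go's own certificate hostname verification. The helper names and the two-entry SAN list on the constructed certificate are assumptions for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/url"
	"strings"
)

// Template string as quoted in the thread from google-beta/transport/config.go.
const cloudRunBasePath = "https://{{location}}-run.googleapis.com/"

// renderBasePath mimics the substitution for illustration; the provider's own
// templating code is not shown on the page.
func renderBasePath(location string) string {
	return strings.ReplaceAll(cloudRunBasePath, "{{location}}", location)
}

// checkHost rejects a URL whose hostname has an empty label or a label that
// starts or ends with '-', which is what an empty location produces.
func checkHost(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	for _, label := range strings.Split(u.Hostname(), ".") {
		if label == "" || strings.HasPrefix(label, "-") || strings.HasSuffix(label, "-") {
			return fmt.Errorf("malformed host %q: bad label %q", u.Hostname(), label)
		}
	}
	return nil
}

// verifyAgainstSANs runs Go's hostname check against a constructed certificate
// carrying two of the SAN entries listed in the error message.
func verifyAgainstSANs(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	cert := &x509.Certificate{DNSNames: []string{"*.googleapis.com", "googleapis.com"}}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	for _, loc := range []string{"", "europe-west4"} {
		endpoint := renderBasePath(loc)
		fmt.Printf("location=%q endpoint=%s\n  precheck: %v\n  x509:     %v\n",
			loc, endpoint, checkHost(endpoint), verifyAgainstSANs(endpoint))
	}
}
```

With an empty location the pre-check fails before any request is made, so the misconfiguration surfaces as a config error instead of a certificate error.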

timharek commented 1 month ago

Thank you! That was the issue 🤘