Error creating Service: Post "https://-run.googleapis.com/..." #2384

timharek · 2024-09-16T13:41:45Z

Describe what happened

I'm trying to create a new Cloud Run service based on a newly created and pushed Docker-image to Artifact Registry, but I get an error telling me that there was an error when creating the service.

Sample program

package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/cloudrun"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		key := cfg.RequireSecret("googleServiceAccountKey")
		imageName := cfg.Get("image-name")
		if len(imageName) == 0 {
			imageName = "cw-24so-staging"
		}
		location := cfg.Get("location")
		if len(location) == 0 {
			location = "europe-west4"
		}

		repositroyName := "contracting-works-staging"
		_, err := artifactregistry.NewRepository(ctx, repositroyName, &artifactregistry.RepositoryArgs{
			Format:       pulumi.String("DOCKER"),
			RepositoryId: pulumi.String(repositroyName),
		})
		if err != nil {
			return err
		}

		image, err := docker.NewImage(ctx, repositroyName, &docker.ImageArgs{
			Build: docker.DockerBuildArgs{
				Context:  pulumi.String("../.."),
				Platform: pulumi.String("linux/amd64"),
			},
			ImageName: pulumi.Sprintf("europe-west4-docker.pkg.dev/%s/%s/%s:latest", "projectId", repositroyName, imageName),
			Registry: &docker.RegistryArgs{
				Server:   pulumi.String("europe-west4-docker.pkg.dev"),
				Username: pulumi.String("_json_key"),
				// TODO: Add 1Password key
				Password: key,
			},
		})
		if err != nil {
			return err
		}

		service, err := cloudrun.NewService(ctx, "contracting-works-24-staging", &cloudrun.ServiceArgs{
			Location: pulumi.String(cfg.Get("location")),
			Template: cloudrun.ServiceTemplateArgs{
				Spec: cloudrun.ServiceTemplateSpecArgs{
					Containers: cloudrun.ServiceTemplateSpecContainerArray{
						cloudrun.ServiceTemplateSpecContainerArgs{
							Image: image.ImageName,
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}

		_, err = cloudrun.NewIamMember(ctx, "cw-everyone", &cloudrun.IamMemberArgs{
			Service:  service.Name,
			Location: pulumi.String(location),
			Role:     pulumi.String("roles/run.invoker"),
			Member:   pulumi.String("allUsers"),
		})

		if err != nil {
			return err
		}

		ctx.Export("imageName", image.ImageName)
		return nil
	})
}

Log output

Updating (dev):
     Type                     Name                          Status                  Info
     Type                     Name                          Status                  Info
     Type                     Name                          Status                  Info
     pulumi:pulumi:Stack      cloud-run-deploy-dev          **failed**              1 error
 ~   ├─ docker:index:Image    contracting-works-staging     updated (28s)           [diff: ~build]
 +   ├─ gcp:cloudrun:Service  contracting-works-24-staging  **creating failed**     1 error
     └─ gcp:cloudrun:Service  contracting-works-24-staging: sdk.h
  **failed**              1 error

Diagnostics:
  pulumi:pulumi:Stack (cloud-run-deploy-dev):
    error: update failed

  gcp:cloudrun:Service (contracting-works-24-staging):
    error: 1 error occurred:
        * Error creating Service: Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: certificate is valid for *.googleapis.com, googleapis.com, cloudendpointsapis.com, *.cloudendpointsapis.com, *.p.googleapis.com, *.clients6.google.com, *.clients6.google.ac, *.clients6.google.ad, *.clients6.google.ae, *.clients6.google.af, *.clients6.google.ag, *.clients6.google.ai, *.clients6.google.al, *.clients6.google.am, *.clients6.google.as, *.clients6.google.at, *.clients6.google.az, *.clients6.google.ba, *.clients6.google.be, *.clients6.google.bf, *.clients6.google.bg, *.clients6.google.bi, *.clients6.google.bj, *.clients6.google.bs, *.clients6.google.bt, *.clients6.google.by, *.clients6.google.bzh, *.clients6.google.ca, *.clients6.google.cat, *.clients6.google.cc, *.clients6.google.cd, *.clients6.google.cf, *.clients6.google.cg, *.clients6.google.ch, *.clients6.google.ci, *.clients6.google.cl, *.clients6.google.cm, *.clients6.google.cn, *.clients6.google.co.ao, *.clients6.google.co.bw, *.clients6.google.co.ck, *.clients6.google.co.cr, *.clients6.google.co.hu, *.clients6.google.co.id, *.clients6.google.co.il, *.clients6.google.co.im, *.clients6.google.co.in, *.clients6.google.co.je, *.clients6.google.co.jp, *.clients6.google.co.ke, *.clients6.google.co.kr, *.clients6.google.co.ls, *.clients6.google.co.ma, *.clients6.google.co.mz, *.clients6.google.co.nz, *.clients6.google.co.th, *.clients6.google.co.tz, *.clients6.google.co.ug, *.clients6.google.co.uk, *.clients6.google.co.uz, *.clients6.google.co.ve, *.clients6.google.co.vi, *.clients6.google.co.za, *.clients6.google.co.zm, *.clients6.google.co.zw, *.clients6.google.com.af, *.clients6.google.com.ag, *.clients6.google.com.ai, *.clients6.google.com.ar, *.clients6.google.com.au, *.clients6.google.com.bd, *.clients6.google.com.bh, *.clients6.google.com.bn, *.clients6.google.com.bo, *.clients6.google.com.br, *.clients6.google.com.by, *.clients6.google.com.bz, *.clients6.google.com.co, *.clients6.google.com.cu, *.clients6.google.com.cy, *.clients6.google.com.do, *.clients6.google.com.ec, *.clients6.google.com.eg, *.clients6.google.com.et, *.clients6.google.com.fj, *.clients6.google.com.ge, *.clients6.google.com.gh, *.clients6.google.com.gi, *.clients6.google.com.gr, *.clients6.google.com.gt, *.clients6.google.com.hk, *.clients6.google.com.iq, *.clients6.google.com.jm, *.clients6.google.com.jo, *.clients6.google.com.kh, *.clients6.google.com.kw, *.clients6.google.com.lb, *.clients6.google.com.ly, *.clients6.google.com.mm, *.clients6.google.com.mt, *.clients6.google.com.mx, *.clients6.google.com.my, *.clients6.google.com.na, *.clients6.google.com.nf, *.clients6.google.com.ng, *.clients6.google.com.ni, *.clients6.google.com.np, *.clients6.google.com.nr, *.clients6.google.com.om, *.clients6.google.com.pa, *.clients6.google.com.pe, *.clients6.google.com.pg, *.clients6.google.com.ph, *.clients6.google.com.pk, *.clients6.google.com.pl, *.clients6.google.com.pr, *.clients6.google.com.py, *.clients6.google.com.qa, *.clients6.google.com.ru, *.clients6.google.com.sa, *.clients6.google.com.sb, *.clients6.google.com.sg, *.clients6.google.com.sl, *.clients6.google.com.sv, *.clients6.google.com.tj, *.clients6.google.com.tn, *.clients6.google.com.tr, *.clients6.google.com.tw, *.clients6.google.com.ua, *.clients6.google.com.uy, *.clients6.google.com.vc, *.clients6.google.com.ve, *.clients6.google.com.vn, *.clients6.google.cv, *.clients6.google.cz, *.clients6.google.de, *.clients6.google.dj, *.clients6.google.dk, *.clients6.google.dm, *.clients6.google.dz, *.clients6.google.ee, *.clients6.google.es, *.clients6.google.eus, *.clients6.google.fi, *.clients6.google.fm, *.clients6.google.fr, *.clients6.google.frl, *.clients6.google.ga, *.clients6.google.gal, *.clients6.google.ge, *.clients6.google.gg, *.clients6.google.gl, *.clients6.google.gm, *.clients6.google.gp, *.clients6.google.gr, *.clients6.google.gy, *.clients6.google.hk, *.clients6.google.hn, *.clients6.google.hr, *.clients6.google.ht, *.clients6.google.hu, *.clients6.google.ie, *.clients6.google.im, *.clients6.google.in, *.clients6.google.info, *.clients6.google.iq, *.clients6.google.ir, *.clients6.google.is, *.clients6.google.it, *.clients6.google.it.ao, *.clients6.google.je, *.clients6.google.jo, *.clients6.google.jobs, *.clients6.google.jp, *.clients6.google.kg, *.clients6.google.ki, *.clients6.google.kz, *.clients6.google.la, *.clients6.google.li, *.clients6.google.lk, *.clients6.google.lt, *.clients6.google.lu, *.clients6.google.lv, *.clients6.google.md, *.clients6.google.me, *.clients6.google.mg, *.clients6.google.mk, *.clients6.google.ml, *.clients6.google.mn, *.clients6.google.ms, *.clients6.google.mu, *.clients6.google.mv, *.clients6.google.mw, *.clients6.google.ne, *.clients6.google.ne.jp, *.clients6.google.net, *.clients6.google.ng, *.clients6.google.nl, *.clients6.google.no, *.clients6.google.nr, *.clients6.google.nu, *.clients6.google.off.ai, *.clients6.google.pk, *.clients6.google.pl, *.clients6.google.pn, *.clients6.google.ps, *.clients6.google.pt, *.clients6.google.ro, *.clients6.google.rs, *.clients6.google.ru, *.clients6.google.rw, *.clients6.google.sc, *.clients6.google.se, *.clients6.google.sh, *.clients6.google.si, *.clients6.google.sk, *.clients6.google.sm, *.clients6.google.sn, *.clients6.google.so, *.clients6.google.sr, *.clients6.google.st, *.clients6.google.td, *.clients6.google.tel, *.clients6.google.tg, *.clients6.google.tk, *.clients6.google.tl, *.clients6.google.tm, *.clients6.google.tn, *.clients6.google.to, *.clients6.google.tt, *.clients6.google.us, *.clients6.google.uz, *.clients6.google.vg, *.clients6.google.vu, *.clients6.google.ws, not -run.googleapis.com

  gcp:cloudrun:Service (contracting-works-24-staging
):
    error:   sdk-v2/provider2.go:385: sdk.helper_schema: Error creating Service: Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: certificate is valid for *.googleapis.com, googleapis.com, cloudendpointsapis.com, *.cloudendpointsapis.com, *.p.googleapis.com, *.clients6.google.com, *.clients6.google.ac, *.clients6.google.ad, *.clients6.google.ae, *.clients6.google.af, *.clients6.google.ag, *.clients6.google.ai, *.clients6.google.al, *.clients6.google.am, *.clients6.google.as, *.clients6.google.at, *.clients6.google.az, *.clients6.google.ba, *.clients6.google.be, *.clients6.google.bf, *.clients6.google.bg, *.clients6.google.bi, *.clients6.google.bj, *.clients6.google.bs, *.clients6.google.bt, *.clients6.google.by, *.clients6.google.bzh, *.clients6.google.ca, *.clients6.google.cat, *.clients6.google.cc, *.clients6.google.cd, *.clients6.google.cf, *.clients6.google.cg, *.clients6.google.ch, *.clients6.google.ci, *.clients6.google.cl, *.clients6.google.cm, *.clients6.google.cn, *.clients6.google.co.ao, *.clients6.google.co.bw, *.clients6.google.co.ck, *.clients6.google.co.cr, *.clients6.google.co.hu, *.clients6.google.co.id, *.clients6.google.co.il, *.clients6.google.co.im, *.clients6.google.co.in, *.clients6.google.co.je, *.clients6.google.co.jp, *.clients6.google.co.ke, *.clients6.google.co.kr, *.clients6.google.co.ls, *.clients6.google.co.ma, *.clients6.google.co.mz, *.clients6.google.co.nz, *.clients6.google.co.th, *.clients6.google.co.tz, *.clients6.google.co.ug, *.clients6.google.co.uk, *.clients6.google.co.uz, *.clients6.google.co.ve, *.clients6.google.co.vi, *.clients6.google.co.za, *.clients6.google.co.zm, *.clients6.google.co.zw, *.clients6.google.com.af, *.clients6.google.com.ag, *.clients6.google.com.ai, *.clients6.google.com.ar, *.clients6.google.com.au, *.clients6.google.com.bd, *.clients6.google.com.bh, *.clients6.google.com.bn, *.clients6.google.com.bo, *.clients6.google.com.br, *.clients6.google.com.by, *.clients6.google.com.bz, *.clients6.google.com.co, *.clients6.google.com.cu, *.clients6.google.com.cy, *.clients6.google.com.do, *.clients6.google.com.ec, *.clients6.google.com.eg, *.clients6.google.com.et, *.clients6.google.com.fj, *.clients6.google.com.ge, *.clients6.google.com.gh, *.clients6.google.com.gi, *.clients6.google.com.gr, *.clients6.google.com.gt, *.clients6.google.com.hk, *.clients6.google.com.iq, *.clients6.google.com.jm, *.clients6.google.com.jo, *.clients6.google.com.kh, *.clients6.google.com.kw, *.clients6.google.com.lb, *.clients6.google.com.ly, *.clients6.google.com.mm, *.clients6.google.com.mt, *.clients6.google.com.mx, *.clients6.google.com.my, *.clients6.google.com.na, *.clients6.google.com.nf, *.clients6.google.com.ng, *.clients6.google.com.ni, *.clients6.google.com.np, *.clients6.google.com.nr, *.clients6.google.com.om, *.clients6.google.com.pa, *.clients6.google.com.pe, *.clients6.google.com.pg, *.clients6.google.com.ph, *.clients6.google.com.pk, *.clients6.google.com.pl, *.clients6.google.com.pr, *.clients6.google.com.py, *.clients6.google.com.qa, *.clients6.google.com.ru, *.clients6.google.com.sa, *.clients6.google.com.sb, *.clients6.google.com.sg, *.clients6.google.com.sl, *.clients6.google.com.sv, *.clients6.google.com.tj, *.clients6.google.com.tn, *.clients6.google.com.tr, *.clients6.google.com.tw, *.clients6.google.com.ua, *.clients6.google.com.uy, *.clients6.google.com.vc, *.clients6.google.com.ve, *.clients6.google.com.vn, *.clients6.google.cv, *.clients6.google.cz, *.clients6.google.de, *.clients6.google.dj, *.clients6.google.dk, *.clients6.google.dm, *.clients6.google.dz, *.clients6.google.ee, *.clients6.google.es, *.clients6.google.eus, *.clients6.google.fi, *.clients6.google.fm, *.clients6.google.fr, *.clients6.google.frl, *.clients6.google.ga, *.clients6.google.gal, *.clients6.google.ge, *.clients6.google.gg, *.clients6.google.gl, *.clients6.google.gm, *.clients6.google.gp, *.clients6.google.gr, *.clients6.google.gy, *.clients6.google.hk, *.clients6.google.hn, *.clients6.google.hr, *.clients6.google.ht, *.clients6.google.hu, *.clients6.google.ie, *.clients6.google.im, *.clients6.google.in, *.clients6.google.info, *.clients6.google.iq, *.clients6.google.ir, *.clients6.google.is, *.clients6.google.it, *.clients6.google.it.ao, *.clients6.google.je, *.clients6.google.jo, *.clients6.google.jobs, *.clients6.google.jp, *.clients6.google.kg, *.clients6.google.ki, *.clients6.google.kz, *.clients6.google.la, *.clients6.google.li, *.clients6.google.lk, *.clients6.google.lt, *.clients6.google.lu, *.clients6.google.lv, *.clients6.google.md, *.clients6.google.me, *.clients6.google.mg, *.clients6.google.mk, *.clients6.google.ml, *.clients6.google.mn, *.clients6.google.ms, *.clients6.google.mu, *.clients6.google.mv, *.clients6.google.mw, *.clients6.google.ne, *.clients6.google.ne.jp, *.clients6.google.net, *.clients6.google.ng, *.clients6.google.nl, *.clients6.google.no, *.clients6.google.nr, *.clients6.google.nu, *.clients6.google.off.ai, *.clients6.google.pk, *.clients6.google.pl, *.clients6.google.pn, *.clients6.google.ps, *.clients6.google.pt, *.clients6.google.ro, *.clients6.google.rs, *.clients6.google.ru, *.clients6.google.rw, *.clients6.google.sc, *.clients6.google.se, *.clients6.google.sh, *.clients6.google.si, *.clients6.google.sk, *.clients6.google.sm, *.clients6.google.sn, *.clients6.google.so, *.clients6.google.sr, *.clients6.google.st, *.clients6.google.td, *.clients6.google.tel, *.clients6.google.tg, *.clients6.google.tk, *.clients6.google.tl, *.clients6.google.tm, *.clients6.google.tn, *.clients6.google.to, *.clients6.google.tt, *.clients6.google.us, *.clients6.google.uz, *.clients6.google.vg, *.clients6.google.vu, *.clients6.google.ws, not -run.googleapis.com: provider=google-beta@7.38.0

Affected Resource(s)

No response

Output of `pulumi about`

CLI
Version      3.132.0
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  docker  4.5.5
resource  gcp     7.38.0
language  go      unknown

Host
OS       darwin
Version  14.4.1
Arch     arm64

This project is written in go: executable='/opt/homebrew/bin/go' version='go version go1.23.1 darwin/arm64'

Current Stack: organization/cloud-run-deploy/dev

TYPE                                        URN
pulumi:pulumi:Stack                         urn:pulumi:dev::cloud-run-deploy::pulumi:pulumi:Stack::cloud-run-deploy-dev
pulumi:providers:gcp                        urn:pulumi:dev::cloud-run-deploy::pulumi:providers:gcp::default_7_38_0
gcp:artifactregistry/repository:Repository  urn:pulumi:dev::cloud-run-deploy::gcp:artifactregistry/repository:Repository::contracting-works-staging
pulumi:providers:docker                     urn:pulumi:dev::cloud-run-deploy::pulumi:providers:docker::default_4_5_5
docker:index/image:Image                    urn:pulumi:dev::cloud-run-deploy::docker:index/image:Image::contracting-works-staging


Found no pending operations associated with dev

Backend
Name           tbp14
URL            file://~
User           tim
Organizations
Token type     personal

Dependencies:
NAME                                 VERSION
github.com/pulumi/pulumi-gcp/sdk/v7  v7.38.0
github.com/pulumi/pulumi/sdk/v3      v3.129.0

Pulumi locates its logs in /var/folders/25/qh1ztyt92wj0q94n723xxdhc0000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

The text was updated successfully, but these errors were encountered:

iwahbe · 2024-09-18T14:51:51Z

Hi @timharek. It looks like the resource is hitting the wrong URL.

Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/value-tech-integrations/services?alt=json": tls: failed to verify certificate: x509: ...

I imagine that it should be hitting run.googleapis.com, not -run.googleapis.com. Can you try using location (since it has a default value) instead of cfg.Get("location")?

		service, err := cloudrun.NewService(ctx, "contracting-works-24-staging", &cloudrun.ServiceArgs{
-			Location: pulumi.String(cfg.Get("location")),
+			Location: pulumi.String(location),
			Template: cloudrun.ServiceTemplateArgs{
				Spec: cloudrun.ServiceTemplateSpecArgs{
					Containers: cloudrun.ServiceTemplateSpecContainerArray{
						cloudrun.ServiceTemplateSpecContainerArgs{
							Image: image.ImageName,
						},
					},
				},
			},
		})

That error combined with templating like 👇 could produce this kind of error:

google-beta/transport/config.go
527:    CloudRunBasePathKey:                 "https://{{location}}-run.googleapis.com/",

timharek · 2024-09-19T07:34:39Z

Thank you! That was the issue 🤘

timharek added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Sep 16, 2024

iwahbe removed the needs-triage Needs attention from the triage team label Sep 18, 2024

iwahbe added the awaiting-feedback Blocked on input from the author label Sep 18, 2024

timharek closed this as completed Sep 19, 2024

pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Sep 19, 2024

iwahbe added resolution/by-design This issue won't be fixed because the functionality is working as designed and removed needs-triage Needs attention from the triage team labels Sep 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error creating Service: Post "https://-run.googleapis.com/..." #2384

Error creating Service: Post "https://-run.googleapis.com/..." #2384

timharek commented Sep 16, 2024

iwahbe commented Sep 18, 2024

timharek commented Sep 19, 2024

Error creating Service: Post "https://-run.googleapis.com/..." #2384

Error creating Service: Post "https://-run.googleapis.com/..." #2384

Comments

timharek commented Sep 16, 2024

Describe what happened

Sample program

Log output

Affected Resource(s)

Output of pulumi about

Additional context

Contributing

iwahbe commented Sep 18, 2024

timharek commented Sep 19, 2024

Output of `pulumi about`