Google Cloud Run Service connection timeout when trying to call Auth0 OpenID configuration endpoint
I created a backend service that connects to the Auth0 oauth2 endpoint. When testing all of this locally on localhost it works fine with the provided configurations. However, as soon as I deploy the backend service to Google Cloud Run it fails to work because the configuration endpoint is having a connection timeout.
Here is the error log:
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myproject.eu.auth0.com/.well-known/openid-configuration": Connection timed out (Connection timed out); nested exception is java.net.ConnectException: Connection timed out (Connection timed out)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:670)
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:150)
... 77 common frames omitted
Here is my Cloud Run service configuration:
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: gcloud
  args:
    - 'alpha'
    - 'run'
    - 'deploy'
    - 'foo-service'
    - '--image=eu.gcr.io/$PROJECT_ID/foo-service:$BUILD_ID'
    - '--concurrency=80'
    - '--cpu=2'
    - '--memory=512Mi'
    - '--region=europe-west4'
    - '--min-instances=1'
    - '--max-instances=2'
    - '--platform=managed'
    - '--port=8080'
    - '--timeout=3000'
    - '--set-env-vars=SQL_CONNECTION=10.113.160.3, SQL_USER=root, SQL_PASSWORD=root, SQL_DATABASE=dev'
    - '--set-env-vars=LOG_LEVEL=debug'
    - '--ingress=internal'
    - '--allow-unauthenticated'
    - '--vpc-connector=cloud-run'
    - '--vpc-egress=all-traffic'
I guess the important part here is the --vpc-egress=all-traffic option, so I am sure that the service is able to communicate with the outside. However, the ingress is configured to --ingress=internal. Might this be a problem? I thought that when I have an egress defined and a request is launched through it, the response will come back through that channel again and should not be routed through the ingress, and therefore not be blocked by its policies?
Edit #1: Removing the ingress=internal option did not seem to work. I guess it's because it's being disabled by default if an egress is defined.
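The stack trace in the question comes from Spring's JWT decoder fetching the issuer's discovery document at startup and waiting for the operating system's TCP connect timeout. The following preflight check is an added example, not code from the question or from Spring: it performs the same GET on <issuer>/.well-known/openid-configuration with an explicit, short timeout, classifies the failure (a connect timeout points at egress routing, an HTTP error at a wrong issuer URL), and additionally verifies that the document's issuer matches the one queried, which goes slightly beyond the question but is what OIDC discovery requires before trusting the advertised JWKS. The issuer https://myproject.eu.auth0.com is the one from the question's log; the fetcher is injectable so the check can be exercised offline with constructed responses, and the canned discovery document and jwks_uri below are constructed samples.

```python
"""Preflight check for an OpenID Provider's discovery endpoint (added example)."""
import json
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Bound the wait so a misrouted egress fails fast instead of hanging for the
# OS-level TCP connect timeout (around two minutes on Linux).
TIMEOUT_SECONDS = 5.0


@dataclass
class Preflight:
    ok: bool
    reason: str
    jwks_uri: Optional[str] = None


def discovery_url(issuer: str) -> str:
    """Build the well-known URL as OIDC discovery defines it."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def urllib_fetch(url: str, timeout: float) -> bytes:
    """Default fetcher: plain GET over the real network with a bounded timeout."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def canned_fetcher(body: bytes) -> Callable[[str, float], bytes]:
    """Fetcher returning a fixed body (constructed data, for offline use)."""
    return lambda url, timeout: body


def timing_out_fetcher(url: str, timeout: float) -> bytes:
    """Fetcher that behaves like a TCP connect that never completes."""
    raise socket.timeout(f"timed out after {timeout}s")


def check_oidc_provider(issuer: str,
                        fetch: Callable[[str, float], bytes] = urllib_fetch,
                        timeout: float = TIMEOUT_SECONDS) -> Preflight:
    """Fetch and sanity-check the discovery document; never raises."""
    url = discovery_url(issuer)
    timed_out = Preflight(
        False, f"connection timed out after {timeout}s: check egress routing for {url}")
    try:
        body = fetch(url, timeout)
    except (socket.timeout, TimeoutError):
        # Raised for read timeouts after the socket connected.
        return timed_out
    except urllib.error.HTTPError as exc:
        # HTTPError is a URLError subclass, so it must be caught first.
        return Preflight(False, f"provider answered HTTP {exc.code}: wrong issuer URL or provider outage")
    except urllib.error.URLError as exc:
        # urllib wraps connect-phase errors, including connect timeouts, in URLError.
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return timed_out
        return Preflight(False, f"could not connect: {exc.reason}")
    try:
        doc = json.loads(body)
    except ValueError:
        return Preflight(False, "discovery document is not JSON")
    # The issuer in the document must match the issuer queried; otherwise the
    # token validator would end up trusting keys published by someone else.
    if str(doc.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        return Preflight(False, f"issuer mismatch: expected {issuer}, got {doc.get('issuer')!r}")
    if not doc.get("jwks_uri"):
        return Preflight(False, "discovery document has no jwks_uri")
    return Preflight(True, "ok", doc["jwks_uri"])


if __name__ == "__main__":
    issuer = "https://myproject.eu.auth0.com"
    # Constructed discovery document; Auth0 issuers carry a trailing slash.
    sample_doc = (b'{"issuer": "https://myproject.eu.auth0.com/", '
                  b'"jwks_uri": "https://myproject.eu.auth0.com/.well-known/jwks.json"}')
    print(check_oidc_provider(issuer, fetch=canned_fetcher(sample_doc)))
    print(check_oidc_provider(issuer, fetch=timing_out_fetcher, timeout=2.0))
```

Run it at container start (before the Spring context is built) or expose it behind a readiness endpoint: a timeout result names egress routing as the thing to check, which is the diagnosis that took the question's author a deployment round-trip to reach.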
The option --vpc-egress=all-traffic means that all traffic originating from your Cloud Run service goes through the VPC connector you called cloud-run. If you use that option, I don't think you can reach your Auth0 endpoint at https://myproject.eu.auth0.com/.well-known/openid-configuration. That's why the connection Cloud Run service => Auth0 times out.
I guess you need the VPC connector to connect to the private IP of your Cloud SQL instance. So only the traffic from your Cloud Run service to your Cloud SQL instance's private IP should go through the VPC connector. I think you can achieve this by using --vpc-egress=private-ranges-only instead.
Also, by setting --ingress=internal you are saying that your Cloud Run service can only be called from within your VPC network. This means that Auth0 won't be able to call your Cloud Run service.