
Cloud SQL Proxy Issues in Cloud Build yaml

Hi everyone,

I have a Postgres Cloud SQL instance, and I'm trying to run some basic migrations on it. I'm trying to run those migrations using the Cloud SQL Proxy via Cloud Build, and I'm having a very difficult time troubleshooting what's going on. I've started by copying and pasting the steps outlined in the "Connect to Cloud SQL from Cloud Build" docs.

Here's what my cloudbuild.yaml looks like:

 

steps:
  # Add Cloud SQL proxy binary to my existing app image and build it
  - id: 'docker-layer'
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: /bin/bash
    args:
      - '-c'
      - |
        echo "FROM $_IMAGE_URL
        COPY --from=gcr.io/cloud-sql-connectors/cloud-sql-proxy /cloud-sql-proxy /cloudsql/cloud-sql-proxy" > Dockerfile-proxy;

        docker build -f Dockerfile-proxy -t ${_IMAGE_URL}-proxy .

  # Connect Cloud SQL proxy using unix socket
  - id: 'migrate-socket'
    name: '${_IMAGE_URL}-proxy'
    env:
      - DATABASE_NAME=${_DATABASE_NAME}
      - DATABASE_USER=${_DATABASE_USER}
      - INSTANCE_CONNECTION_NAME=${_INSTANCE_CONNECTION_NAME}
      - DATABASE_TYPE=${_DATABASE_TYPE}
    secretEnv:
      - DATABASE_PASS
    entrypoint: /bin/bash
    args:
      - '-c'
      - |
        /cloudsql/cloud-sql-proxy --unix-socket /cloudsql ${_INSTANCE_CONNECTION_NAME} & sleep 2;
        ./apps/web-app/migrate.sh

options:
  dynamic_substitutions: true

substitutions:
  _DATABASE_NAME: (MY_DB_NAME)
  _DATABASE_PASSWORD_KEY: DATABASE_PASSWORD
  _DATABASE_PORT: '5432'
  _DATABASE_TYPE: postgres
  _DATABASE_USER: postgres
  _IMAGE_URL: us-central1-docker.pkg.dev/${PROJECT_ID}/(REPO)/web-app
  _INSTANCE_CONNECTION_NAME: ${PROJECT_ID}:us-central1:(MY_DB_NAME)

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/${_DATABASE_PASSWORD_KEY}/versions/latest
      env: DATABASE_PASS

 

No matter how much I tweak my configuration, I keep getting the same error:

The proxy has encountered a terminal error: unable to start: failed to get instance: Refresh error: failed to get instance metadata (connection name = MY_INSTANCE_NAME): tls: failed to verify certificate: x509: certificate signed by unknown authority

I have verified the following:

  • My cloud build service worker has all required permissions
  • I have enabled the Cloud SQL Admin API
  • I can connect to my DB (Public IP) from an authorized network outside of this proxy

Any suggestions or help would be very, very much appreciated.


Hi @jamfran ,

Could you provide additional logging information when you encounter that issue? Thanks.

Regards, Marc
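
One way to gather the extra information requested above, as an added example that is not part of the thread: a check, run inside the image that starts the proxy, for a CA bundle in the locations Go programs such as cloud-sql-proxy search on Linux. That a missing trust store is the cause of the x509 error here is an assumption; the function names and the ROOT prefix argument are hypothetical.

```bash
#!/bin/bash
# Added diagnostic, not from the thread. Assumption: the x509 error is caused
# by a missing or empty CA trust store in the image that runs cloud-sql-proxy.

# Bundle files and directories Go's crypto/x509 searches on Linux.
CA_FILES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem /etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/ssl/cert.pem"
CA_DIRS="/etc/ssl/certs /etc/pki/tls/certs"

# count_certs FILE: print the number of PEM certificates in FILE (0 if unreadable).
count_certs() {
  local n
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# find_ca_bundle [ROOT]: print the first file under ROOT (hypothetical prefix,
# default: the live filesystem) that holds a certificate; return 1 if none does.
find_ca_bundle() {
  local root files dirs f d p
  root="${1:-}"; files="$CA_FILES"; dirs="$CA_DIRS"
  # Go lets SSL_CERT_FILE / SSL_CERT_DIR replace the built-in lists.
  if [ -n "${SSL_CERT_FILE:-}" ]; then files="$SSL_CERT_FILE"; fi
  if [ -n "${SSL_CERT_DIR:-}" ]; then dirs=$(echo "$SSL_CERT_DIR" | tr ':' ' '); fi
  for f in $files; do
    if [ "$(count_certs "$root$f")" -gt 0 ]; then echo "$root$f"; return 0; fi
  done
  for d in $dirs; do
    for p in "$root$d"/*; do
      if [ -f "$p" ] && [ "$(count_certs "$p")" -gt 0 ]; then echo "$p"; return 0; fi
    done
  done
  return 1
}

# report_trust_store [ROOT]: one-line result for the build log.
report_trust_store() {
  local src
  if src=$(find_ca_bundle "${1:-}"); then
    echo "CA trust source: $src ($(count_certs "$src") certificates)"
  else
    echo "no CA certificates found in the searched locations" >&2
    return 1
  fi
}

# Usage inside the migrate step, before starting the proxy:
#   report_trust_store || exit 1
if [ "${1:-}" = "--check" ]; then report_trust_store; fi
```

A non-zero result means the image has no usable trust store in those locations, which is worth including with the other logs.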