
Cloud Run guide doesn't work since 0.18.0

Open JonnyDaenen opened this issue 1 year ago • 1 comment

What happened?

Trying to set up the Cloud Run sample from this guide.

Note that there is also a guide on Google Cloud, which has different instructions. I also tried these.

What did you expect to happen?

  • ❌ I am able to deploy (not for all versions, see below)
  • ❌ I am able to log in (not since 0.18.0)
  • ❌ I am able to use verify endpoint (never, always returns couldn't get json web key: empty JSON Web Key Set payload)
  • ❓ I am able to use httpbin endpoint (not sure if still relevant?)

How'd it happen?

  1. Configured DNS subdomain cloudrun.mydomain.com
  2. Executed all instructions
  3. Set up web application in Google Cloud with callback to https://authn.cloudrun.mydomain.com/oauth2/callback
  4. Set up all URLs: authn, httpbin, hello and verify (the guide is unclear about httpbin vs verify)

What's your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.21.3-cloudrun
  • Server Operating System/Architecture/Cloud: Google Cloud

What's your config.yaml?

authenticate_service_url: "https://authn.cloudrun.mydomain.com"
shared_secret: "random generated value"
cookie_secret: "random generated value"
idp_provider: "google"
idp_client_id: "sample.apps.googleusercontent.com"
idp_client_secret: "secret from the GCP console"

policy:

- from: https://hello.cloudrun.mydomain.com
  to: https://hello-h2g2afqdba-uc.a.run.app
  allowed_domains:
    - gmail.com
  enable_google_cloud_serverless_authentication: true
- from: https://verify.cloudrun.mydomain.com
  to: https://verify.pomerium.com
  pass_identity_headers: true
  allowed_domains:
    - gmail.com

Also tried this with httpbin instructions.

What did you see in the logs?

message: "grpc check ext_authz_error"
level: "error"
error: "hpke: error requesting hpke-public-key endpoint: Get "https://127.0.0.1/.well-known/pomerium/hpke-public-key": dial tcp 127.0.0.1:443: connect: connection refused"

Additional context

Tested domain mapping

  • [x] test whether cloud run is hit when hitting all the urls -> yes

Tested different images

I tested various versions of the image and it seems that the guide setup doesn't work anymore starting with 0.18.0. Potentially new config values need to be provided?

  • ❌ v0.21.3-cloudrun -> error in logs (See above)
  • ❌ v0.21.2-cloudrun
  • ❌ v0.20.0-cloudrun -> redirect to https://127.0.0.1/.pomerium/sign_in
  • ❌ v0.19.1-cloudrun -> deployment failed: The user-provided container failed to start and listen on the port defined provided by the PORT=8080 environment variable.
  • ❌ v0.19.0-cloudrun -> deployment failed
  • ❌ v0.18.0-cloudrun -> deployment failed
  • ✅ v0.17.3-cloudrun -> 500 error first, but second test in incognito worked
  • ✅ v0.17.2-cloudrun
  • ✅ v0.17.1-cloudrun
  • ✅ v0.16.4-cloudrun
  • ✅ v0.11.1-cloudrun
  • ✅ v0.10.6-cloudrun

Tested verification endpoint

Verify endpoint never works, it just shows the following message:

couldn't get json web key: empty JSON Web Key Set payload

The location https://authn.cloudrun.mydomain.com/.well-known/pomerium/jwks.json yields:

{"keys":null}

JonnyDaenen, Apr 02 '23 14:04
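The `{"keys":null}` response above is exactly why the verify route fails: the verify service fetches the authenticate host's JWKS to check the signature on the identity JWT that Pomerium forwards with `pass_identity_headers`, and a key set with no keys gives it nothing to verify against. The program below is an added example written for this page, not Pomerium's or the verify app's own code; it shows what a minimal verifier does with a JWKS document and why an empty one is fatal. It assumes the signing key is an EC P-256 key published as a standard RFC 7517 JWKS and that tokens are ES256 compact JWS (both assumptions, chosen because they match the `jwks.json` shape; check your deployment's actual `signing_key` algorithm). The `newDemoKey`, `jwksFor` and `signES256` helpers stand in for the signing side so the example runs offline, and every key and claim value is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// parseJWKS turns a JWKS document into P-256 public keys indexed by kid. A body of
// {"keys":null} decodes to an empty slice and is rejected, which is the condition
// behind "empty JSON Web Key Set payload" in the report.
func parseJWKS(payload []byte) (map[string]*ecdsa.PublicKey, error) {
	var set struct {
		Keys []struct{ Kty, Crv, Kid, X, Y string } `json:"keys"`
	}
	if err := json.Unmarshal(payload, &set); err != nil || len(set.Keys) == 0 {
		return nil, errors.New("empty or invalid JSON Web Key Set payload")
	}
	keys := map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil {
			continue // only well-formed ES256 (P-256) keys are usable here
		}
		keys[k.Kid] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	if len(keys) == 0 {
		return nil, errors.New("no usable P-256 keys in JWKS")
	}
	return keys, nil
}

// verifyES256 checks a compact JWS (header.payload.signature): it pins the
// algorithm to ES256, selects the key by kid, and returns the claims on success.
func verifyES256(token string, keys map[string]*ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawClaims, errC := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("malformed token encoding")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header rejected: alg must be ES256") // never let the token pick the algorithm
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("no key with matching kid in JWKS")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(key, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	err := json.Unmarshal(rawClaims, &claims)
	return claims, err
}

// The signing side below is constructed for this example so it runs offline (not Pomerium code).
func newDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func jwksFor(pub *ecdsa.PublicKey, kid string) []byte {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "EC", "crv": "P-256", "kid": kid, "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}}})
	return doc
}

func signES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}
```

Feeding `parseJWKS` the literal `{"keys":null}` from the report returns the empty-payload error before any token is looked at, which is the same failure mode the verify page shows. With a populated key set, a token signed by the matching key verifies, while one signed by another key under the same kid, or with a non-ES256 `alg` header, is rejected. When debugging a deployment, a useful check is whether `/.well-known/pomerium/jwks.json` on the authenticate host returns at least one EC key before investigating the verify route itself.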

This was broken with https://github.com/pomerium/pomerium/pull/3254

We no longer support loading configuration using the vals entrypoint. The guide was updated in https://github.com/pomerium/pomerium/pull/2270 but those changes were never merged. Substantial changes need to be made to this guide to get it to work.

calebdoxsey, Apr 07 '23 23:04