Cloud SQL connection for Kubernetes using proxy
Im adding my deployment yaml which worked for me, check if adding the following will help:
under volumes:
volumes: - name: cloudsql emptyDir:
in the connection: --dir=/cloudsql
- name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.11 command: ["/cloud_sql_proxy", "--dir=/cloudsql", "-instances=<INSTANCE_CONNECTION_NAME=tcp:5432>", "-credential_file=/secrets/cloudsql/credentials.json"]
also make sure you enabled the Cloud SQL Administration API
here is my full deployment yaml
apiVersion: extensions/v1beta1kind: Deploymentmetadata: name: app-dummy-namespec: replicas: 1 revisionHistoryLimit: 1 strategy: type: RollingUpdate template: metadata: labels: app: app-dummy-name tier: backend spec: securityContext: runAsUser: 0 runAsNonRoot: false containers: - name: app-dummy-name image: <image url> ports: - containerPort: 80 env: - name: DB_HOST value: localhost - name: DB_USER valueFrom: secretKeyRef: name: cloudsql-db-credentials key: username - name: DB_PASSWORD valueFrom: secretKeyRef: name: cloudsql-db-credentials key: password # proxy_container - name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.11 command: ["/cloud_sql_proxy", "--dir=/cloudsql", "-instances=my-project-id:us-central1:postgres-instance-name=tcp:5432", "-credential_file=/secrets/cloudsql/credentials.json"] volumeMounts: - name: cloudsql-instance-credentials mountPath: /secrets/cloudsql readOnly: true - name: cloudsql mountPath: /cloudsql # volumes volumes: - name: cloudsql-instance-credentials secret: secretName: cloudsql-instance-credentials - name: cloudsql emptyDir:
here are my pre-delpoy script:
#!/bin/bash# https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine# 1. Go to the Cloud SQL Service accounts page of the Google Cloud Platform Console.# GO TO THE SERVICE ACCOUNTS PAGE# 2. If needed, select the project that contains your Cloud SQL instance.# 3. Click Create service account.# 4. In the Create service account dialog, provide a descriptive name for the service account.# 5. For Role, select Cloud SQL > Cloud SQL Client.# Alternatively, you can use the primitive Editor role by selecting Project > Editor, but the Editor role includes permissions across Google Cloud Platform.## 6. If you do not see these roles, your Google Cloud Platform user might not have the resourcemanager.projects.setIamPolicy permission. You can check your permissions by going to the IAM page in the Google Cloud Platform Console and searching for your user id.# Change the Service account ID to a unique value that you will recognize so you can easily find this service account later if needed.# 7. Click Furnish a new private key.# 8. The default key type is JSON, which is the correct value to use.# 9. Click Create.# 10. enable Cloud SQL Administration API [here](https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview)# make sure to choose your projectecho "create cloudsql secret"kubectl create secret generic cloudsql-instance-credentials \ --from-file=credentials.json=postgres-sql-credential.jsonecho "create cloudsql user and password"kubectl create secret generic cloudsql-db-credentials \ --from-literal=username=postgres --from-literal=password=123456789
postgres-sql-credential.json file:
{ "type": "service_account", "project_id": "my-project", "private_key_id": "1234567890", "private_key": "-----BEGIN PRIVATE KEY-----\n123445556\n123445\n-----END PRIVATE KEY-----\n", "client_email": "postgres-sql@my-project.iam.gserviceaccount.com", "client_id": "1234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/postgres-sq%my-project.iam.gserviceaccount.com"}