Multi-Container Pod in GKE to connect to CloudSQL
2022 Nov 01Multi-Container Pod in GKE to connect to CloudSQL
On one of my MLOps days I ran into a problem where I had to guarantee the connection between GKE and Google Cloud SQL for one of our workloads to work using a Private IP.
So I had to use SQL Proxy by Google to accomplish this task.
As I didn’t want to have to use a distroless Docker image and as well as I did’ t want to have to migrate my workloads, I decided to create a sidecar via multi-container pod to open the proxy.
That way, I would just have to change the IP number to the private IP to make everything work.
If you’re interested in Multi-Container Pods this post from Paul Linchpiner provides more insights into their usage and patterns.
Requirements
- A service account created that contains the
Cloud SQL Client,Cloud SQL EditororCloud SQL AdminIAM roles; -
The service account key file that can be downloaded from the IAM console;
-
I’m assuming that the VPC that you’re using in your Cloud SQL is the same that you’re using in your GKE; and
- I’m assuming also that you’re running it on top of GKE
Walkthrough
First at all let’s create a namespace to run it. In this case it will be named test-proxy-cloud-sql:
$ kubectl create namespace test-proxy-cloud-sql
After you download your account key file (in this case it’s the cloud_sql_key.json file)
you will create a secret create the secret that will contains the sevice account and link it:
$ kubectl create secret generic cloud_sql_key_secret --from-file=/cloud_sql_key.json --namespace=test-proxy-cloud-sql
You will create a file that will contain the specifications for the k8s pods. This file will be called proxy_pod_sidecar.yaml:
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: test-proxy-deploy | |
| spec: | |
| volumes: | |
| - name: secret-volume | |
| secret: | |
| secretName: cloud_sql_key_secret | |
| containers: | |
| - name: test-proxy-pod | |
| image: ubuntu | |
| command: ["/bin/sh","-c"] | |
| args: | |
| - | | |
| apt-get update \ | |
| && apt-get -y install curl \ | |
| && apt-get -y install wget \ | |
| && apt-get -y install postgresql-client \ | |
| && wget "https://storage.googleapis.com/cloudsql-proxy/v1.32.0/cloud_sql_proxy.linux.amd64" -O cloud_sql_proxy \ | |
| && chmod +x cloud_sql_proxy \ | |
| && ./cloud_sql_proxy -instances=PROJECT-NAME:REGION:DATABASE-NAME=tcp:0.0.0.0:5432 -ip_address_types=PRIVATE -credential_file=etc/config/cloud_sql_key.json | |
| imagePullPolicy: IfNotPresent | |
| volumeMounts: | |
| - name: secret-volume | |
| mountPath: /etc/config | |
| readOnly: false | |
| - name: test-connection-pod | |
| image: ubuntu | |
| command: ["/bin/sh","-c"] | |
| args: | |
| - | | |
| apt-get update \ | |
| && apt-get -y install curl \ | |
| && apt-get -y install wget \ | |
| && apt-get -y install postgresql-client \ | |
| && sleep 1000000 | |
| imagePullPolicy: IfNotPresent | |
| volumeMounts: | |
| - name: secret-volume | |
| mountPath: /etc/config | |
| readOnly: false | |
Create the multi-Container pod:
$ kubectl create -f proxy_pod_sidecar.yaml --namespace=test-proxy-cloud-sql
On the terminal #1 - Go to the container running the proxy (test-proxy-pod):
$ kubectl exec -it test-proxy-deploy --namespace=test-proxy-cloud-sql -c test-proxy-pod -- /bin/bash
On the terminal #2 - Go to the container running only to establish a connection (test-connection-pod):
$ kubectl exec -it test-proxy-deploy --namespace=test-proxy-cloud-sql -c test-connection-pod -- /bin/bash
You can connect inside of the proxy pod (test-proxy-pod) or in the sidecar (test-connection-pod). To connect to the databse use the follow connection string and place your password after the prompt:
$ psql -h 127.0.0.1 -p 5432 -d database -U user -W
This will establish the connection to your CloudSQL database instance.