Multi-Container Pod in GKE to connect to CloudSQL

On one of my MLOps days I ran into a problem where I had to guarantee the connection between GKE and Google Cloud SQL for one of our workloads to work using a Private IP.

So I had to use SQL Proxy by Google to accomplish this task.

As I didn’t want to have to use a distroless Docker image, and I also didn’t want to have to migrate my workloads, I decided to create a sidecar via a multi-container pod to open the proxy.

That way, I would just have to change the IP number to the private IP to make everything work.

If you’re interested in Multi-Container Pods, this post from Paul Linchpiner provides more insights into their usage and patterns.

Requirements

  • A service account that has the Cloud SQL Client, Cloud SQL Editor or Cloud SQL Admin IAM role;
  • The service account key file, which can be downloaded from the IAM console;
  • I’m assuming that the VPC that you’re using in your Cloud SQL is the same that you’re using in your GKE; and
  • I’m assuming also that you’re running it on top of GKE.

Walkthrough

First of all, let’s create a namespace to run it in. In this case it will be named test-proxy-cloud-sql:

$ kubectl create namespace test-proxy-cloud-sql

After you download your service account key file (in this case it’s the cloud_sql_key.json file), create a secret that contains the key so that the pod can mount it. Kubernetes object names cannot contain underscores, so the secret is named cloud-sql-key-secret:

$ kubectl create secret generic cloud-sql-key-secret --from-file=/cloud_sql_key.json --namespace=test-proxy-cloud-sql

You will create a file that will contain the specification for the k8s pod. This file will be called proxy_pod_sidecar.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: test-proxy-deploy
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: cloud-sql-key-secret   # the secret created in the previous step
  containers:
  # Container 1: downloads and runs the Cloud SQL proxy
  - name: test-proxy-pod
    image: ubuntu
    command: ["/bin/sh","-c"]
    args:
    - |
      apt-get update \
      && apt-get -y install curl \
      && apt-get -y install wget \
      && apt-get -y install postgresql-client \
      && wget "https://storage.googleapis.com/cloudsql-proxy/v1.32.0/cloud_sql_proxy.linux.amd64" -O cloud_sql_proxy \
      && chmod +x cloud_sql_proxy \
      && ./cloud_sql_proxy -instances=PROJECT-NAME:REGION:DATABASE-NAME=tcp:0.0.0.0:5432 -ip_address_types=PRIVATE -credential_file=/etc/config/cloud_sql_key.json
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/config   # the key file appears as /etc/config/cloud_sql_key.json
      readOnly: false
  # Container 2: only has psql installed, used to test the connection
  - name: test-connection-pod
    image: ubuntu
    command: ["/bin/sh","-c"]
    args:
    - |
      apt-get update \
      && apt-get -y install curl \
      && apt-get -y install wget \
      && apt-get -y install postgresql-client \
      && sleep 1000000
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/config
      readOnly: false

Create the multi-container pod:

$ kubectl create -f proxy_pod_sidecar.yaml --namespace=test-proxy-cloud-sql

In terminal #1, open a shell in the container running the proxy (test-proxy-pod):

$ kubectl exec -it test-proxy-deploy --namespace=test-proxy-cloud-sql -c test-proxy-pod -- /bin/bash

In terminal #2, open a shell in the container that exists only to establish a connection (test-connection-pod):

$ kubectl exec -it test-proxy-deploy --namespace=test-proxy-cloud-sql -c test-connection-pod -- /bin/bash

You can connect from inside the proxy container (test-proxy-pod) or from the sidecar (test-connection-pod), because both containers share the pod's network namespace. To connect to the database, use the following connection string and enter your password at the prompt:

$ psql -h 127.0.0.1 -p 5432 -d database -U user -W

This will establish the connection to your CloudSQL database instance.
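A tighter variant of the manifest from the walkthrough, as an added example that is not the author's own file: the proxy listens only on 127.0.0.1 (containers in a pod share the loopback interface, so psql in the other container still reaches it, while the port is no longer open on the pod IP), and the key is mounted read-only into the proxy container alone. The Secret name cloud-sql-key-secret is an assumption, and PROJECT-NAME:REGION:DATABASE-NAME is the same placeholder used above.

```yaml
# Added example: same two containers as proxy_pod_sidecar.yaml, tighter defaults.
apiVersion: v1
kind: Pod
metadata:
  name: test-proxy-deploy
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: cloud-sql-key-secret   # assumed name; must be a valid DNS-1123 name
      defaultMode: 0400                  # key file readable by its owner only
  containers:
  - name: test-proxy-pod
    image: ubuntu
    command: ["/bin/sh", "-c"]
    args:
    - |
      apt-get update \
      && apt-get -y install wget ca-certificates \
      && wget "https://storage.googleapis.com/cloudsql-proxy/v1.32.0/cloud_sql_proxy.linux.amd64" -O cloud_sql_proxy \
      && chmod +x cloud_sql_proxy \
      && ./cloud_sql_proxy -instances=PROJECT-NAME:REGION:DATABASE-NAME=tcp:127.0.0.1:5432 -ip_address_types=PRIVATE -credential_file=/etc/config/cloud_sql_key.json
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: secret-volume          # only the proxy container gets the key
      mountPath: /etc/config
      readOnly: true
  - name: test-connection-pod      # no volumeMounts: the client never sees the key
    image: ubuntu
    command: ["/bin/sh", "-c"]
    args:
    - |
      apt-get update \
      && apt-get -y install postgresql-client \
      && sleep 1000000
    imagePullPolicy: IfNotPresent
```

The psql command from the walkthrough works unchanged against this pod, since it already targets 127.0.0.1.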
