Hello, readers! This article talks about Cloud SQL Proxy setup in GKE with a practical demonstration.
If you’re looking for a managed Kubernetes hosting service, check out our simple, managed Kubernetes service built for growth.
So, let us begin! 😊
With the applications moving to the paved way of modernization, the components of the applications are now moving to host the resources on public Cloud environments such as Google, Azure, Amazon, etc.
Crucial components such as databases, cache storage have now paved their way towards modernization.
Most of the applications are now being containerized to optimize and reduce the carbon footprint.
Looking at this scenario, there must be a way or a path to form a connection between the applications hosted as containers and the cloud database instances.
For the same, the Cloud SQL Proxy comes into the picture.
With Cloud SQL Proxy, we can initiate the connection between the containerized application and the cloud database instance.
We can also have a connection using the private IP address of the instance, but the below advantages incline us to use Cloud SQL Proxy as the way to connect your applications to the cloud database instances.
Below is the list of pre-requisites which building up a cloud SQL Proxy pod.
For our application running in the cluster, we will be configuring the cloud SQL proxy as a sidecar. In this scenario, the application will communicate to the database instance through the proxy itself.
We thus need to populate the database configuration values to the application container for it to connect to the customized database.
To do so, we need to create a secret in the same namespace which is shared by the application container as shown below-
kubectl create secret generic <YOUR-DB-SECRET> \
--from-literal=username=<YOUR-DATABASE-USER> \
--from-literal=password=<YOUR-DATABASE-PASSWORD> \
--from-literal=database=<YOUR-DATABASE-NAME>
To connect the application to the database Instance, we need to set up the Cloud SQL proxy either as a VM or as a container (sidecar). For the same, we require the below information about the Cloud SQL Instance-
To run a Cloud SQL Proxy instance within a GKE cluster, we need to create a service account and give it the necessary permissions.
It is recommended to use a separate service account for a separate application to have a more secure experience and transition.
Requirements of the service account-
Once you create a service account, we need to mount the key of the service account into the Cloud SQL proxy container as a volume from a secret.
Let us understand this through the below example!
Create the credential key file using the gcloud command -
gcloud iam service-accounts keys create ~/key.json \
--iam-account=YOUR-SA-NAME@project-id.iam.gserviceaccount.com
Create a k8 secret from the credential file -
kubectl create secret generic YOUR-SA-SECRET \
--from-file=service_account.json=~/key.json
Use the above secret as a volume in the proxy container -
volumes:
- name: <YOUR-SA-SECRET-VOLUME>
secret:
secretName: <YOUR-SA-SECRET>
Once we reach Step 4, we need to create a sidecar proxy container within the application pod because of the below advantages-
Code -
apiVersion: apps/v1
kind: Deployment
metadata:
name: <YOUR-DEPLOYMENT-NAME>
spec:
selector:
matchLabels:
app: <YOUR-APPLICATION-NAME>
template:
metadata:
labels:
app: <YOUR-APPLICATION-NAME>
spec:
containers:
- name: <YOUR-APPLICATION-NAME>
# ... other container configuration
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: database
- name: cloud-sql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version
command:
- "/cloud_sql_proxy"
- "-ip_address_types=PRIVATE"
# Replace DB_PORT with the port the proxy should listen on
# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
- "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
- "-credential_file=/secrets/service_account.json"
securityContext:
runAsNonRoot: true
volumeMounts:
- name: <YOUR-SA-SECRET-VOLUME>
mountPath: /secrets/
readOnly: true
resources:
requests:
memory: "2Gi"
cpu: "1"
volumes:
- name: <YOUR-SA-SECRET-VOLUME>
secret:
secretName: <YOUR-SA-SECRET>
By this, we have approached the end of this topic. Feel free to comment below in case you come across any questions.
For more such posts related to Cloud databases and Kubernetes native information, Stay tuned with us.
Till then, Happy Learning!! 😊
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
While we believe that this content benefits our community, we have not yet thoroughly reviewed it. If you have any suggestions for improvements, please let us know by clicking the “report an issue“ button at the bottom of the tutorial.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.