Friday, December 13, 2019

[google-cloud-sql-discuss] Re: Connect to Cloud SQL from within another pod using cloud proxy

To answer your question directly about being able to connect to CloudSQL Instance from GKE using CloudSQL proxy in a different Project, I say Yes, it is possible.

There is this documentation [1] that explains how to connect to a CloudSQL from GKE; however, to connect from within a different Project, there are a few changes that need to be made:

- Firstly, ensure that the network port 5434 (or whichever port you are deploying Cloud SQL **Proxy** on) is not in use, then refresh the GKE pod. To do this, run "$ netstat -tulpn" in your console. If the port is listed at the end of one of the entries in the "Local Address" column, kill that connection by running "kill [PID]", where PID is the corresponding PID for that row. After this, reload the GKE pod that is trying to connect to Cloud SQL [2]. This is important to do because if the port is already occupied when the pod runs Cloud SQL Proxy and attempts to bind to that port, the binding will fail and cause a connection error.

- Refresh the credentials for service account cloud-sql@[project-ID].iam.gserviceaccount.com. Validate that the service account has the "roles/cloudsql.client" role [3]. Delete the service account's .json key and generate a new one [4]. Delete the GKE secret holding the service account credentials and redeploy a new one. For example, if your service account credentials file is called "key.json", the target secret name is "credentials.json", and your console is in the directory containing "key.json", run: "$ kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=../key.json". Finally, reload the GKE pod that is trying to connect to Cloud SQL [2]. This reload is necessary to refresh the pod's consumption of the secret.

[1]https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine
[2] To restart your pods, go to Cloud Console > Kubernetes Engine > Workloads > select your workload > Overview tab. Then, under the "Managed pods" section, copy the pod name. In your console, first authenticate kubectl if you haven't already in this session ("$ gcloud container clusters get-credentials [CLUSTER_NAME] --zone europe-west1-b"). Then run "$ kubectl delete pod [POD_NAME]" to delete the pod. GKE will automatically spawn a new one, which will be ready to serve in a few seconds.
[3] https://cloud.google.com/sql/docs/mysql/project-access-control#roles
[4] https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/53cf552f-ada5-4ed7-9e97-600e747300b8%40googlegroups.com.
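The steps in the reply above (check the proxy port, confirm the client role, rotate the service account key, recreate the secret, restart the pod), written out as one script. This is an added example, not code from the original post or from Google's documentation. All project, region, instance, namespace and deployment names are hypothetical placeholders, and the script assumes the v1 `cloud_sql_proxy` sidecar and that `gcloud` and `kubectl` are already authenticated. Two details specific to the cross-project case are made explicit: the `-instances` connection name uses the project that hosts the database, and `roles/cloudsql.client` has to be bound on that same project, so the IAM check is run there rather than on the GKE project. The old key is only deleted after the new secret has rolled out, so there is no window in which no valid key exists.

```shell
#!/bin/sh
# Added example (not from the original post): rotate Cloud SQL Proxy credentials
# for a GKE workload that reaches a Cloud SQL instance in another project, then
# restart the workload so the pods pick up the new secret.
set -eu

# Assumed, hypothetical values; replace with your own.
GKE_PROJECT="my-gke-project"     # project that runs the cluster and owns the SA
SQL_PROJECT="my-sql-project"     # project that hosts the Cloud SQL instance
SQL_REGION="europe-west1"
SQL_INSTANCE="orders-db"
PROXY_PORT="5434"
SA="cloud-sql@${GKE_PROJECT}.iam.gserviceaccount.com"
SECRET="cloudsql-instance-credentials"
DEPLOYMENT="orders-api"
NAMESPACE="default"

# Parse `netstat -tulpn` output (passed as a string in $2) and print the PID
# bound to TCP port $1, or nothing if the port is free. Handles IPv4 and IPv6.
port_owner_pid() {
  printf '%s\n' "$2" | awk -v p=":$1" '
    $1 ~ /^tcp/ && $4 ~ (p "$") { split($NF, a, "/"); print a[1]; exit }'
}

# Build the -instances flag for the v1 proxy. The connection name names the
# project that *hosts* the database, which is what makes cross-project work.
instance_flag() {
  printf '%s=%s:%s:%s=tcp:%s' -instances "$1" "$2" "$3" "$4"
}

# Sidecar container spec (hypothetical) that mounts the secret and runs the
# proxy on $PROXY_PORT; the app container then connects to 127.0.0.1:$PROXY_PORT.
# The pod also needs a volume: {name: cloudsql-instance-credentials, secret: {secretName: $SECRET}}.
proxy_sidecar_yaml() {
  cat <<EOF
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.16
        command: ["/cloud_sql_proxy",
                  "$(instance_flag "$SQL_PROJECT" "$SQL_REGION" "$SQL_INSTANCE" "$PROXY_PORT")",
                  "-credential_file=/secrets/cloudsql/credentials.json"]
        securityContext:
          runAsNonRoot: true
          runAsUser: 2
        volumeMounts:
          - name: cloudsql-instance-credentials
            mountPath: /secrets/cloudsql
            readOnly: true
EOF
}

# The procedure from the post. Only runs when the script is invoked with --apply.
rotate_and_restart() {
  # 1. Refuse to proceed if something on this host already owns the proxy port.
  pid=$(port_owner_pid "$PROXY_PORT" "$(netstat -tulpn 2>/dev/null || true)")
  if [ -n "$pid" ]; then
    echo "port $PROXY_PORT is held by PID $pid; stop it before redeploying" >&2
    return 1
  fi
  # 2. The client role must be bound in the project that hosts the instance.
  gcloud projects get-iam-policy "$SQL_PROJECT" \
    --flatten='bindings[].members' \
    --filter="bindings.role=roles/cloudsql.client AND bindings.members=serviceAccount:$SA" \
    --format='value(bindings.role)' | grep -q 'roles/cloudsql.client'
  # 3. Remember the current user-managed keys, then mint a new one (private file).
  old_keys=$(gcloud iam service-accounts keys list --iam-account="$SA" \
    --managed-by=user --format='value(name.scope(keys))')
  umask 077
  key=$(mktemp)
  gcloud iam service-accounts keys create "$key" --iam-account="$SA" --project="$GKE_PROJECT"
  # 4. Replace the secret; the key name inside it must stay credentials.json.
  kubectl -n "$NAMESPACE" delete secret "$SECRET" --ignore-not-found
  kubectl -n "$NAMESPACE" create secret generic "$SECRET" --from-file=credentials.json="$key"
  rm -f "$key"   # the only remaining copy now lives in the cluster secret
  # 5. Restart so the pods consume the new secret, and wait for them to be ready.
  kubectl -n "$NAMESPACE" rollout restart deployment "$DEPLOYMENT"
  kubectl -n "$NAMESPACE" rollout status deployment "$DEPLOYMENT"
  # 6. Only now revoke the old keys, so there was never a moment without a valid one.
  for k in $old_keys; do
    gcloud iam service-accounts keys delete "$k" --iam-account="$SA" --quiet
  done
}

if [ "${1:-}" = "--apply" ]; then rotate_and_restart; fi
```

Run it as `sh rotate.sh --apply`. Note that with the sidecar pattern the proxy binds inside the pod's network namespace, so the port it can collide with is one the application container in the same pod already listens on; the `netstat` check above catches a local `cloud_sql_proxy` left running on the machine the script is executed from.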
