Comments (5)
Looks good to me. I'd suggest using a non-default service account. Nonetheless, for the sake of completeness, you can use the default service account and then under Node pools -> Security (for standard clusters), enable the Cloud SQL Admin API access:
from cloud-sql-proxy.
I was using gcloud. Adding the scope --scopes=https://www.googleapis.com/auth/cloud-platform when creating the cluster fixes the issue.
I appreciate your help.
from cloud-sql-proxy.
Two things:
- You're using the Cloud SQL Java Connector and the Cloud SQL Proxy. In fact, only one is necessary. Either use the Proxy with a standard database driver, or drop the Proxy and use the Cloud SQL Java Connector.
- Instead of using a credentials file, I recommend using Workload Identity. This will simplify the connection path. For using a credentials file, though, see the Java Connector's docs. You'll also need to ensure your VMs have the Cloud SQL Admin API OAuth2 scope, but only if your GKE VMs are using the default Compute Service Account.
from cloud-sql-proxy.
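A diagnostic for the scope problem discussed in this thread, added here as an example; it is not code from the thread or from the cloud-sql-proxy project. It classifies a node from the service account email and OAuth2 scopes reported by the metadata server. The function names, verdict strings and sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# On a GKE node or pod, the two inputs come from the metadata server:
#   M=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default
#   curl -s -H 'Metadata-Flavor: Google' "$M/email"
#   curl -s -H 'Metadata-Flavor: Google' "$M/scopes"    # one scope URL per line

SQLADMIN=https://www.googleapis.com/auth/sqlservice.admin
CLOUD_PLATFORM=https://www.googleapis.com/auth/cloud-platform

# Exit 0 if EMAIL has the form <project-number>-compute@developer.gserviceaccount.com
is_default_compute_sa() {
  num=${1%-compute@developer.gserviceaccount.com}
  [ "$num" != "$1" ] || return 1            # suffix was not present
  case "$num" in
    ''|*[!0-9]*) return 1 ;;                # prefix must be all digits
  esac
  return 0
}

# Exit 0 if the newline-separated scope list permits Cloud SQL Admin API calls.
# -x matches whole lines only, so cloud-platform.read-only does not count.
scopes_allow_sqladmin() {
  printf '%s\n' "$1" | grep -qxF -e "$SQLADMIN" -e "$CLOUD_PLATFORM"
}

# diagnose EMAIL SCOPES -> prints one verdict (hypothetical labels)
diagnose() {
  if scopes_allow_sqladmin "$2"; then
    echo ok
  elif is_default_compute_sa "$1"; then
    # The case from this thread: recreate the node pool with
    # --scopes=https://www.googleapis.com/auth/cloud-platform, or move to a
    # non-default service account or Workload Identity.
    echo missing-scope-default-sa
  else
    echo missing-scope-other-sa
  fi
}

# Constructed sample: default compute SA with a narrow node scope set.
SAMPLE_EMAIL=123456789012-compute@developer.gserviceaccount.com
SAMPLE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring"

diagnose "$SAMPLE_EMAIL" "$SAMPLE_SCOPES"
```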
Yeah, I was trying both approaches and failed with both. I feel like I'm missing one or two things with either approach. If using Workload Identity is preferred, I can try to use it.
When I build the cluster, if I assign a service account (from AppEngine - that works with access to Cloud SQL on AppEngine instances), then it works. When I don't assign any service account, it falls back to the default compute engine service account, and I run into the issue. Both service accounts have the same roles, but the compute-engine SA has some weird IAM issues.
Update application.yml to use 127.0.0.1 for the database:
spring:
  datasource:
    url: jdbc:mysql://127.0.0.1:3306/db?serverTimezone=UTC
    username: my-db-username
    password: my-db-password
..
Here's the updated deployment.yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-gcloud-services
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-gcloud-services
  template:
    metadata:
      labels:
        app: my-gcloud-services
    spec:
      serviceAccountName: ksa-cloud-sql #my-gcloud-gke-service-account
      containers:
      - name: my-gcloud-services
        image: gcr.io/my-gcloud-project/my-gcloud-services:gke1
        ports:
        - containerPort: 8080 # Your application port
        env:
        - name: PORT
          value: "8080"
        - name: INSTANCE_CONNECTION_NAME
          value: my-gcloud-project:us-central1:my-gcloud-project-v1
        - name: DB_HOST
          value: "127.0.0.1"
        - name: DB_PORT
          value: "3306"
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: sql-credentials
              key: username
        - name: DB_PASS
          valueFrom:
            secretKeyRef:
              name: sql-credentials
              key: password
        - name: DB_NAME
          valueFrom:
            secretKeyRef:
              name: sql-credentials
              key: database
      - name: cloud-sql-proxy
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
        args:
        - "--structured-logs"
        - "--port=3306"
        - "my-gcloud-project:us-central1:my-gcloud-project-v1"
        securityContext:
          runAsNonRoot: true
from cloud-sql-proxy.
Glad to hear it.
from cloud-sql-proxy.