Comments (8)
May I ask why you prefer UNIX sockets over TCP sockets?
Here is how I would have done that:
- Create sqlproxy pod (potentially with multiple tcp/instances)
- Expose multiple ports from your pod (with instance name in the port name, as seen below)
- Create one service per instance with the same port (or one service with multiple ports):
apiVersion: v1
kind: Service
metadata:
  name: sqlproxy-service-INSTANCENAME
spec:
  ports:
  - name: sqlport
    port: 3306
    targetPort: sqlproxy-port-INSTANCENAME
  selector:
    app: sqlproxy
Then, simply connect to the SQL proxy of your choice:
mysql -h sqlproxy-service-INSTANCENAME ...
You end up with only one pod/sqlproxy running in the cluster on one node (doesn't matter which), and of course this kind of service is not accessible from the outside. You can scale the sqlproxy by increasing the number of replicas.
On the other hand, if you absolutely want to use UNIX sockets and the DaemonSet, then this documentation shows you how to run the container in a privileged mode: http://kubernetes.io/docs/user-guide/security-context/. I'll try to get the documentation of HostPath updated to point to this URL.
from cloud-sql-proxy.
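The multi-instance pod and named-port wiring described in the comment above, written out as an added example (not from the thread or the cloud-sql-proxy project). It uses the "one service with multiple ports" variant; PROJECT:REGION:inst-a, inst-b and the Secret name sqlproxy-sa are placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sqlproxy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: sqlproxy
  template:
    metadata:
      labels:
        app: sqlproxy
    spec:
      containers:
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.25.0
          command: ["/cloud_sql_proxy"]
          args:
            # one TCP listener per instance, bound to 0.0.0.0 so the Service can reach it
            - -instances=PROJECT:REGION:inst-a=tcp:0.0.0.0:3306,PROJECT:REGION:inst-b=tcp:0.0.0.0:3307
            - -credential_file=/secrets/cloudsql/credentials
          ports:
            - name: sql-inst-a     # port names must be lowercase and at most 15 chars
              containerPort: 3306
            - name: sql-inst-b
              containerPort: 3307
          volumeMounts:
            - name: sqlproxy-sa
              mountPath: /secrets/cloudsql
              readOnly: true
      volumes:
        - name: sqlproxy-sa
          secret:
            secretName: sqlproxy-sa   # placeholder Secret holding the service-account key
---
apiVersion: v1
kind: Service
metadata:
  name: sqlproxy
spec:
  selector:
    app: sqlproxy
  ports:
    - name: inst-a          # mysql -h sqlproxy -P 3306 ...
      port: 3306
      targetPort: sql-inst-a
    - name: inst-b          # mysql -h sqlproxy -P 3307 ...
      port: 3307
      targetPort: sql-inst-b
```

Only the proxy-to-Cloud SQL leg is TLS; the app-to-proxy hop inside the cluster is plain database protocol, so the Service is reachable by any pod that can route to it and a NetworkPolicy restricting ingress to the app namespace is a sensible addition.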
To me, running one service and exposing the ports through TCP means that you are talking plain text inside your Kubernetes cluster to the Cloud SQL proxy service. If anyone was inside that network, they would be able to see your username/passwords as you send them to the Cloud SQL proxy service (then the Cloud SQL proxy will connect to your database over SSL).
I think using the Unix sockets could actually be a way to not send raw TCP text around inside your Kubernetes cluster. I just wanted to mention it here and see if that makes sense or if that is not something that is worth worrying about.
from cloud-sql-proxy.
@enocom
This is how I'm doing it with TCP. Curious how to do it with Unix sockets.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cloud-sql-proxy
  namespace: default
  labels:
    app: cloud-sql-proxy
spec:
  selector:
    matchLabels:
      name: cloud-sql-proxy
  template:
    metadata:
      labels:
        name: cloud-sql-proxy
    spec:
      containers:
      - name: cloudsql-proxy
        image: 'gcr.io/cloudsql-docker/gce-proxy:1.25.0'
        command:
        - /cloud_sql_proxy
        args:
        - -instances={address}=tcp:0.0.0.0:5432
        - -credential_file=/secrets/cloudsql/credentials
        ports:
        - name: cloudsql-port
          containerPort: 5432
          hostPort: 5432
        livenessProbe:
          tcpSocket:
            port: cloudsql-port
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          tcpSocket:
            port: cloudsql-port
          initialDelaySeconds: 5
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 120m
            memory: 150Mi
          requests:
            cpu: 80m
            memory: 100Mi
        volumeMounts:
        - name: secret-name
          mountPath: /secrets/cloudsql
          readOnly: true
      volumes:
      - name: secret-name
        secret:
          secretName: secret-name
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-name
  namespace: default
data:
  credentials: {base64-of-service-account-key}
from cloud-sql-proxy.
I prefer UNIX sockets because I don't like to manage (duplicate) ports. However, the solution you suggest - using named ports and attaching a service to it - would solve this problem. Thanks, I will close this issue.
from cloud-sql-proxy.
@apelisse I like your idea of having one service for all instances. Could you also post the YAML file for the pod? I'm currently trying to figure out how to expose different ports for the different instances ... thanks!
from cloud-sql-proxy.
Has anybody been successful at running it with Unix sockets as k8s DaemonSets? It seems like a volume needs to be mounted on each pod and the socket needs to be placed in that volume.
from cloud-sql-proxy.
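The Unix-socket DaemonSet layout asked about above, as an added example that is not from the thread or the cloud-sql-proxy project: the proxy (v1, no tcp: suffix) creates a socket named after the instance inside -dir, that directory is a hostPath on the node, and an app pod on the same node mounts the same hostPath. PROJECT:REGION:inst-a, the Secret sqlproxy-sa, the node path /var/run/cloudsql and APP_IMAGE are placeholders.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cloud-sql-proxy
spec:
  selector:
    matchLabels:
      name: cloud-sql-proxy
  template:
    metadata:
      labels:
        name: cloud-sql-proxy
    spec:
      containers:
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.25.0
          command: ["/cloud_sql_proxy"]
          args:
            - -dir=/cloudsql                       # socket appears as /cloudsql/PROJECT:REGION:inst-a
            - -instances=PROJECT:REGION:inst-a     # placeholder instance connection name
            - -credential_file=/secrets/cloudsql/credentials
          volumeMounts:
            - name: cloudsql-sockets
              mountPath: /cloudsql
            - name: sqlproxy-sa
              mountPath: /secrets/cloudsql
              readOnly: true
      volumes:
        - name: cloudsql-sockets
          hostPath:
            path: /var/run/cloudsql              # assumed node directory shared with app pods
        - name: sqlproxy-sa
          secret:
            secretName: sqlproxy-sa              # placeholder Secret with the service-account key
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: APP_IMAGE   # placeholder; connect with mysql -S /cloudsql/PROJECT:REGION:inst-a
      volumeMounts:
        - name: cloudsql-sockets
          mountPath: /cloudsql
  volumes:
    - name: cloudsql-sockets
      hostPath:
        path: /var/run/cloudsql
```

With this layout the credentials never cross the node's network, but any pod allowed to mount that hostPath on the node can reach the proxy, so hostPath use should be limited by admission policy and the socket directory's permissions checked for the app container's user.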
Given the number of comments on this thread, I'm going to re-open it as a docs issue. I don't know how to run the proxy with DaemonSets off the top of my head and will work on adding an example, either here or in the examples directory. For now, though, there are some higher priorities and so this work will probably take a while.
from cloud-sql-proxy.
We've recently released a Kubernetes operator for the Proxy. And so while it's not an exact match for the request here, I'd suggest looking at https://github.com/googlecloudplatform/cloud-sql-proxy-operator as a better option.
from cloud-sql-proxy.