ralsu091
commented
2 years ago
## Question
We are trying to use GKE Workload Identity to authenticate and authorize the KSA with a postgres CloudSQL instance. We are having troubles getting the SA to connect to the instance: `Cloud SQL IAM user authentication failed for user`
What's the purpose of `cloud_iam_service_account` if we have to supply a password?
We would like take advantage of the k8s-workloadidentity use case [here ](https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/main/examples/k8s-sidecar/proxy_with_workload_identity.yaml), but we don't want to supply a password. Is it possible? Various comments in issues suggest that we need to supply a password: https://github.com/GoogleCloudPlatform/cloudsql-proxy/issues/731#issuecomment-819615553
## Additional Context
An ideal configuration case would be the following:
```yaml
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START cloud_sql_proxy_k8s_sa]
apiVersion: apps/v1
kind: Deployment
metadata:
name:
spec:
selector:
matchLabels:
app:
template:
metadata:
labels:
app:
spec:
serviceAccountName:
# [END cloud_sql_proxy_k8s_sa]
# [START cloud_sql_proxy_k8s_secrets]
containers:
- name:
# ... other container configuration
env:
- name: DB_USER
value: "SA@project.iam"
- name: DB_NAME
value: "db_name"
# [END cloud_sql_proxy_k8s_secrets]
# [START cloud_sql_proxy_k8s_container]
- name: cloud-sql-proxy
# It is recommended to use the latest version of the Cloud SQL proxy
# Make sure to update on a regular schedule!
image: gcr.io/cloudsql-docker/gce-proxy:1.17
command:
- "/cloud_sql_proxy"
# If connecting from a VPC-native GKE cluster, you can use the
# following flag to have the proxy connect over private IP
- "-ip_address_types=PRIVATE"
# Replace DB_PORT with the port the proxy should listen on
# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
- "-instances==tcp:"
- "-enable_iam_login"
securityContext:
# The default Cloud SQL proxy image runs as the
# "nonroot" user and group (uid: 65532) by default.
runAsNonRoot: true
# Resource configuration depends on an application's requirements. You
# should adjust the following values based on what your application
# needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
# The proxy's memory use scales linearly with the number of active
# connections. Fewer open connections will use less memory. Adjust
# this value based on your application's requirements.
memory: "2Gi"
# The proxy's CPU use scales linearly with the amount of IO between
# the database and the application. Adjust this value based on your
# application's requirements.
cpu: "1"
# [END cloud_sql_proxy_k8s_container]
```
CloudSQL-proxy logs:
```
2021/12/13 20:27:38 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2021/12/13 20:27:38 Listening on 127.0.0.1:5432 for projectc:region:instance-name
2021/12/13 20:27:38 Ready for new connections
2021/12/13 20:27:38 Generated RSA key in 146.534376ms
2021/12/13 20:28:06 New connection for "projectc:region:instance-name"
2021/12/13 20:28:06 refreshing ephemeral certificate for instance projectc:region:instance-name
2021/12/13 20:28:06 Scheduling refresh of ephemeral certificate in 58m35.870262818s
2021/12/13 20:28:07 Client closed local connection on 127.0.0.1:5432
```
enocom
kurtisvg