CSQL_PROXY_ADDRESS requires an IP address but doesn't explicitly state so

[ar-qun]

Description

When setting CSQL_PROXY_ADDRESS to cloud-sql-proxy I get the error below.

Error: not a valid IP address: "cloud-sql-proxy"

Potential Solution

Given that the word address is used for both domain names and IPs either it would be great to have disambiguation. I can also make a feature request.

Additional Details

No response

[enocom]

@ar-qun can you tell me a bit more about your use case? I'd expect CSQL_PROXY_ADDRESS to be set to either 127.0.0.1, a static IP, or possibly 0.0.0.0.

[ar-qun]

@enocom I am running Cloud SQL Proxy in GKE as a separate K8s Deployment and I want the pods to be accessible only from the current namespace. There is a low chance that someone will expose the service to the outside but using a domain name would for sure keep the traffic internal.

It also might be a bit confusing like it was to me.

[enocom]

Are you running the Proxy behind a connection pooler? Normally, we recommend running the Proxy as a sidecar (and only listen on localhost) or possibly put it behind a connection pooler (with the proxy also listening only on localhost).

There might still be a use-case here, but the root issue might be how you're using the Proxy.

[ar-qun]

Not, yet. Currently, Cloud SQL Proxy as single container in a deployment just to try things out. After my trials I will either put Cloud SQL Proxy behind pgbouncer, as is explained in the examples, or switch to the Cloud SQL Language Connectors.

My understanding the issue with running SQL that way is that it is not secure right?

[enocom]

Yes. Typically we expect traffic to and from the Proxy to be bound to localhost (or a pod), where the workload is contained onto a single VM.

[ar-qun]

Thanks, enocom.

I will follow the the example with PgBouncer then[1].

[2] https://github.com/GoogleCloudPlatform/cloud-sql-proxy/tree/main/examples/k8s-service