search

jordic / k8s

Kubernetes tools and experiments
MIT License
13 stars 3 forks source link

CloudSQL Proxy and CloudSQLIP #3

Open jasonjei opened 8 years ago

jasonjei commented 8 years ago

The new CloudSQL Proxy tool can be installed on a docker image and run as a service in a container by broadcasting the port 3306 on address 0.0.0.0. Would this make the CloudSQL IP tool obsolete since you wouldn't need to manage IPs anymore and access CloudSQL through your CloudSQL proxy container? This seems desirable because there are no ACLs maintained.

Basically, I run a basic container with a folder called /cloudsql in the root, and copy the cloud_sql_proxy binary into the root of the container. You may need to build a binary from GoogleCloudPlatform/cloudsql-proxy#1 or GoogleCloudPlatform/cloudsql-proxy#2 to get the ability to specify the listening address (current cloud_sql_proxy only listens to 127.0.0.1).

My run.sh script for Dockerfile CMD assuming environmental variable CLOUDSQL_PATH=PROJECT_NAME:us-central1:DB_INSTANCE:

if [ -n "$CLOUDSQL_PATH" ] ; then
    echo "Using CloudSQL server"
    /cloud_sql_proxy -dir=/cloudsql -instances=$CLOUDSQL_PATH=tcp:3306:0.0.0.0

My Service:

apiVersion: v1
kind: Service
metadata:
  labels:
    name: cloudsql
  name: cloudsql
spec:
  ports:
    # The port that this service should serve on.
    - port: 3306
      targetPort: 3306
  # Label keys and values that must match in order to receive traffic for this service.
  selector:
    name: cloudsql

My ReplicationController:

{
  "apiVersion": "v1",
  "kind": "ReplicationController",
  "metadata": {
    "labels": {
      "name": "cloudsql",
      "version": "1"
    },
    "name": "cloudsql-v1"
  },
  "spec": {
    "replicas": 1,
    "selector": {
      "name": "cloudsql",
      "version": "1"
    }, 
    "template": {
      "metadata": {
        "labels": {
          "name": "cloudsql",
          "version": "1"
        }
      },
      "spec": {
        "containers": [
          {
            "env": [
              {
                "name": "CLOUDSQL_PATH",
                "value": "certain-reducer-123421:us-central1:quicklet"
              }
            ],
            "image": "gcr.io/certain-reducer-123421/mysql:v1",
            "name": "cloudsql",
            "ports": [
              {
                "containerPort": 3306
              }
            ]
          }
        ]
      }
    }    
  }
}
Carrotman42 commented 8 years ago

Note: I've (finally) merged GoogleCloudPlatform/cloudsql-proxy#1

I've kept the order as 'network:host:post', though, so your example should be tcp:0.0.0.0:3306. I also suggest that you mention the fact that it is important to ensure the firewall is configured such that only trusted entities can access that container's port. Opening up to 0.0.0.0 means that anything that can connect to that container/VM's port 3306 would be able to access your Cloud SQL Database.