I'm using GCloud. I have a Kubernetes cluster and a Cloud SQL instance.

I have a simple Node.js app that uses a database. When I deploy with gcloud app deploy, it has access to the database. However, when I build a Docker image and expose it, it cannot reach the database.

  1. I expose Docker application following: https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app
  2. Cloud SQL doesn't have Private IP enabled; I'm connecting using the Cloud SQL proxy
  3. In app.yaml I do specify base_settings:cloud_sql_instances. I use the same value in socketPath config for mysql connection.
  4. The error in docker logs is:

    (node:1) UnhandledPromiseRejectionWarning: Error: connect ENOENT /cloudsql/x-alcove-224309:europe-west1:learning at PipeConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)

Can you please explain to me how to connect to Cloud SQL from a dockerized Node application?

Rico

3 Answers

When you deploy your app on App Engine with gcloud app deploy, the platform runs it in a container along with a side-car container in charge of running the cloud_sql_proxy (you ask for it by specifying the base_settings:cloud_sql_instances in your app.yaml file).

Kubernetes Engine doesn't use an app.yaml file and doesn't supply this side-car container to you so you'll have to set it up. The public doc shows how to do it by creating secrets for your database credentials and updating your deployment file with the side-car container config. An example shown in the doc would look like:

    ...
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.11
      command: ["/cloud_sql_proxy",
                "-instances=<INSTANCE_CONNECTION_NAME>=tcp:3306",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      securityContext:
        runAsUser: 2  # non-root user
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
    ...

LundinCast

Generally, the best method is to connect using a sidecar container inside the same pod as your application. You can find examples on the "Connecting from Google Kubernetes Engine" page here. There is also a codelab here that goes more in-depth and might be helpful.

kurtisvg
  • Why is sidecar container the best approach? – Rico Mar 16 '19 at 09:26
  • @RicoW I usually prefer it for a couple of different reasons: Security - The Cloud SQL proxy encrypts connections between itself and the instance, but doesn't do client side SSL. By using the sidecar you avoid exposing any unencrypted traffic. Control - By packaging the sidecar with the application, you are ensuring that ONLY the applications that are supposed to have access to the database do. Isolation - Since each pod has its own instance, any issues with a specific pod stay limited to that pod. This helps prevent problems in one pod spilling over and affecting another. – kurtisvg Mar 17 '19 at 03:49
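
The two answers above come down to a change in how the app connects: a sidecar started with `tcp:3306` listens on TCP inside the pod, so the `/cloudsql/...` socket from the question does not exist there (hence `ENOENT`). The following is an added example, not code from the question or from either answer; the environment variable names and the `buildDbConfig` helper are assumptions, and the loopback check reflects the comment that the app-to-proxy hop is not encrypted.

```javascript
// Added example: pick mysql connection options for App Engine vs. a GKE sidecar.
// Assumed env vars (not from the question): DB_HOST, DB_PORT, DB_USER,
// DB_PASSWORD, DB_NAME, INSTANCE_CONNECTION_NAME.
const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);
// project:region:instance, with no "/" so the value cannot escape /cloudsql/
const INSTANCE_RE = /^[^/:\s]+(:[^/:\s]+){2,3}$/;

function buildDbConfig(env) {
  for (const key of ['DB_USER', 'DB_PASSWORD', 'DB_NAME']) {
    if (!env[key]) throw new Error(`missing ${key} (supply it from a Kubernetes Secret)`);
  }
  const base = { user: env.DB_USER, password: env.DB_PASSWORD, database: env.DB_NAME };

  if (env.DB_HOST) {
    // GKE: the proxy sidecar was started with "-instances=<name>=tcp:3306",
    // so it listens on TCP inside the pod and creates no Unix socket.
    const port = Number(env.DB_PORT || 3306);
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error(`invalid DB_PORT: ${env.DB_PORT}`);
    }
    // The hop from app to proxy is plain MySQL traffic; keep it on loopback.
    if (!LOOPBACK.has(env.DB_HOST)) {
      throw new Error(`DB_HOST ${env.DB_HOST} is not loopback; refusing unencrypted hop`);
    }
    return { ...base, host: env.DB_HOST, port };
  }

  if (env.INSTANCE_CONNECTION_NAME) {
    // App Engine: the platform-run proxy exposes a socket under /cloudsql.
    if (!INSTANCE_RE.test(env.INSTANCE_CONNECTION_NAME)) {
      throw new Error('INSTANCE_CONNECTION_NAME must look like project:region:instance');
    }
    return { ...base, socketPath: `/cloudsql/${env.INSTANCE_CONNECTION_NAME}` };
  }

  throw new Error('set DB_HOST (sidecar) or INSTANCE_CONNECTION_NAME (socket)');
}

// Usage with the mysql package: mysql.createConnection(buildDbConfig(process.env))
```

In the GKE deployment, `DB_HOST` would be set to `127.0.0.1` on the application container, since containers in one pod share a network namespace.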

The documentation mentions that it is possible to connect using an internal IP address. Did somebody try it?

BT3