I am trying to connect to my Cloud SQL instance using cloudsql-proxy.
```yaml
- name: cloudsql-proxy
  command:
    - /cloud_sql_proxy
    # $(project) and $(DB_INSTANCE_NAME) are expanded from the container's env vars
    - -instances=$(project):europe-west2:$(DB_INSTANCE_NAME)=tcp:5432
    # service-account key mounted from a Secret
    - -credential_file=/etc/secrets/google_credentials.json
  image: gcr.io/cloudsql-docker/gce-proxy:1.13
```
I am getting the following error:
```text
-> Throttling refreshCfg(project:europe-west2:db): it was only called 1.006390387s ago
-> couldn't connect to "project:europe-west2:db": Post https://www.googleapis.com/sql/v1beta4/projects/project/instances/db/createEphemeral?alt=json&prettyPrint=false: oauth2: cannot fetch token: Post https://oauth2.googleapis.com/token: read tcp 10.x.xx.4:59004->216.xx.xxx.202:443: read: connection reset by peer
```
The error message is so confusing that I could not tell whether it is a network issue or a permissions issue. I have checked that the key and secrets are mounted properly and the configuration is the same. I have tried to see if it is a problem with the Istio connection and created the following ServiceEntries:
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-apis
spec:
  hosts:
    - "www.googleapis.com"
  addresses:
    - 216.xx.xx.202
  ports:
    - name: https
      number: 443
      protocol: HTTPS
    - name: tcp
      number: 5432
      protocol: TCP
    - name: sql
      number: 3307
      protocol: TCP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cloudsql-instances
spec:
  hosts:
    - "*.googleapis.com"
    - "gkeconnect.googleapis.com"
    - "oauth2.googleapis.com"
  addresses:
    - 172.xx.xx.xx
    # the original post listed a second, empty item ("-") here; an empty item
    # is a YAML null, not a valid address, so it is left out of the list
  ports:
    - name: tcp
      number: 5432
      protocol: TCP
    - name: sql
      number: 3307
      protocol: TCP
  location: MESH_EXTERNAL
```
Note:
- The GKE cluster is created using terraform-google-module with egress and ingress enabled
- Both the GKE cluster and the Cloud SQL instance are private
On a similar note, I have a query: can we connect to a Cloud SQL instance that is already serving a different GKE cluster? (This question may sound foolish, but I can't think of anything else.)
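As an added example (not part of the question above, and not code from the Cloud SQL proxy project), the following script shows how to read the proxy's log lines to separate a network failure from a permissions failure. The point it encodes: `oauth2: cannot fetch token: ... read: connection reset by peer` is a TCP read error on the connection to `oauth2.googleapis.com:443`, so the proxy never received an HTTP response and Google never evaluated the mounted service-account key at all; a real permissions problem comes back as an HTTP 403 from the Cloud SQL Admin API. The sample log lines are constructed here (modelled on the two quoted in the question; the wording of the 403 and dial-timeout lines is an assumption), the rule table is this example's own, and `classify`/`triage` are hypothetical helper names.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines, modelled on the two quoted in the question plus
# the shapes a 403 and a direct dial failure take. Not captured from any real
# cluster; the 403 and dial-timeout wording is assumed.
SAMPLE_LOG = """\
2020/01/01 10:00:00 Throttling refreshCfg(project:europe-west2:db): it was only called 1.006390387s ago
2020/01/01 10:00:00 couldn't connect to "project:europe-west2:db": Post https://www.googleapis.com/sql/v1beta4/projects/project/instances/db/createEphemeral?alt=json&prettyPrint=false: oauth2: cannot fetch token: Post https://oauth2.googleapis.com/token: read tcp 10.0.0.4:59004->216.0.0.202:443: read: connection reset by peer
2020/01/01 10:00:05 couldn't connect to "project:europe-west2:db": Post https://www.googleapis.com/sql/v1beta4/projects/project/instances/db/createEphemeral?alt=json&prettyPrint=false: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
2020/01/01 10:00:10 couldn't connect to "project:europe-west2:db": dial tcp 10.10.0.3:3307: i/o timeout
"""

# Ordered (pattern, category, explanation). First match wins, so the TCP/TLS
# level patterns are checked before the generic "cannot fetch token" one.
RULES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"Throttling refreshCfg"), "info",
     "proxy rate-limits certificate refresh; a symptom of retries, not the root cause"),
    (re.compile(r"connection reset by peer|i/o timeout|connection refused|no such host|TLS handshake"),
     "network",
     "the TCP/TLS connection failed before any HTTP response; the credential was never evaluated"),
    (re.compile(r"Error 403|notAuthorized|PERMISSION_DENIED"), "permissions",
     "Google answered: the service account lacks rights on the instance (Cloud SQL Client role)"),
    (re.compile(r"Error 404|notFound"), "config",
     "Google answered: no such instance; check project:region:instance"),
    (re.compile(r"cannot fetch token"), "credentials",
     "the token endpoint was reached but rejected the request; check the mounted key file"),
]

URL_RE = re.compile(r"https?://([^/\s:]+)")          # hosts of the nested Post URLs
DIAL_RE = re.compile(r"dial tcp ([\d.]+:\d+)")       # direct dial target (instance IP:3307)
TCP_RE = re.compile(                                  # local->remote of a failed socket
    r"tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def classify(line: str) -> Dict[str, Optional[str]]:
    """Classify one proxy log line and pull out the endpoint that failed."""
    category, why = "unknown", "no rule matched; read the line by hand"
    for pat, cat, expl in RULES:
        if pat.search(line):
            category, why = cat, expl
            break
    hosts = URL_RE.findall(line)
    dial = DIAL_RE.search(line)
    tcp = TCP_RE.search(line)
    if hosts:
        endpoint = hosts[-1]          # innermost URL is the request that actually failed
    elif dial:
        endpoint = dial.group(1)
    else:
        endpoint = None
    return {
        "category": category,
        "why": why,
        "endpoint": endpoint,
        "remote": f"{tcp.group(3)}:{tcp.group(4)}" if tcp else None,
    }


def triage(log: str) -> Dict[str, object]:
    """Summarise a whole log: category counts and the hosts the mesh/network must allow."""
    results = [classify(l) for l in log.splitlines() if l.strip()]
    counts = Counter(r["category"] for r in results)
    # Endpoints whose TCP connection failed: these are what an Istio ServiceEntry
    # (or a VPC firewall / NAT rule) has to permit before IAM even comes into play.
    blocked = sorted({r["endpoint"] for r in results if r["category"] == "network" and r["endpoint"]})
    return {"counts": dict(counts), "blocked_endpoints": blocked, "results": results}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("counts:", summary["counts"])
    print("network-blocked endpoints:", summary["blocked_endpoints"])
    for r in summary["results"]:
        print(f"[{r['category']:<11}] endpoint={r['endpoint']} remote={r['remote']} :: {r['why']}")
```

Run it with `kubectl logs <pod> -c cloudsql-proxy | python3 triage.py` adapted to read stdin, or paste lines into `SAMPLE_LOG`. If every failing line lands in `network` and the blocked endpoint is `oauth2.googleapis.com`, the ServiceEntry/egress rules are the thing to fix; only once lines start coming back as `permissions` does the service account's IAM binding become the question.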