Kubernetes and Google Cloud SQL

This page was converted from my old blog and hasn't been reviewed. If you see an error please let me know in the comments.

Cloud SQL is a hosted SQL database similar to Amazon RDS for either Mysql or Postgres databases. It supports automated management including backup and deployment.  Since the database is created via the the GCP console it is very easy to create a scalable  and reliable database.

To create a new Database use the GCP Console. If you wish to have failover make sure and enable that option while creating the database.

In order for clients to be able to access the database an ingress rule must be created. Unfortunately GCP only allows the configuration of external IP addresses for ingress into Cloud SQL.  In order to allow your Kubernetes cluster to be able to access the database you would need to assign routable external IPs and add them to the ingress rules for the database.

To get around this issue Cloud SQL Proxy can be used. The Cloud SQL Proxy provides secure access to your Cloud SQL Second Generation instances without having to whitelist IP addresses or setup SSL tunneling.

The steps to setup the Cloud SQL Proxy are fairly straightforward and documented here. 

  1. Create a Service account to connect to the database.
  2. Create a new user to access the database
  3. Create the Secrets for the database
  4. Update the Pod configuration file.
apiVersion: extensions/v1beta1
kind: Deployment
  name: wordpress
    app: wordpress
        app: wordpress
        - name: web
          image: wordpress:4.8.2-apache
            - containerPort: 80
            - name: WORDPRESS_DB_HOST
            # These secrets are required to start the pod.
            # [START cloudsql_secrets]
            - name: WORDPRESS_DB_USER
                  name: cloudsql-db-credentials
                  key: username
            - name: WORDPRESS_DB_PASSWORD
                  name: cloudsql-db-credentials
                  key: password
            # [END cloudsql_secrets]
        # Change <INSTANCE_CONNECTION_NAME> here to include your GCP
        # project, the region of your Cloud SQL instance and the name
        # of your Cloud SQL instance. The format is
        # [START proxy_container]
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
        # [END proxy_container]
      # [START volumes]
        - name: cloudsql-instance-credentials
            secretName: cloudsql-instance-credentials
        - name: cloudsql
      # [END volumes]

This is one of the few cases where it makes sense to have more than one container within a Pod.  The WordPress client application and the Cloud SQL proxy.

Apply the changes and create a service to expose the app.

kubectl expose deployment wordpress --port=8888 --target-port=80 --name=wordpress --type=LoadBalancer

Once the service has been created you should be able to access the WordPress blog at

Jeffreys-MacBook-Pro:wordpress jeff$ kubectl get services
NAME         TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)          AGE
kubernetes   ClusterIP    <none>         443/TCP          2h
wordpress    LoadBalancer   8888:31265/TCP   1m


comments powered by Disqus