GKE with Cloud SQl
- Overview
- Steps
- Create a cloud sql instance with postgres db.
- Ensure the cloud sql admin api is enabled
gcloud services enable sqladmin.googleapis.com - Create a GKE autopilot cluster
gcloud container clusters create-auto my-gke-cluster --network=default --region=us-central1 - Grant permissions to connect to cloud sql: Create a k8s service account and bind it to GKE workloads, granting it permissions to access Cloud SQL. Grant the roles/cloudsql.client
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member=serviceaccount:[KSA_EMAIL] \
--role=roles/cloudsql.client -
Connect GKE Autopilot to Cloud SQL
- Create a k8s secret for DB credentials
kubectl create secret generic lib-db-credentials \
--from-literal=DATABASE_URL=postgresql://user:password@<cloudsql>:5432/library - Install the cloud sql auth proxy
“`yaml
</ul>
<hr />
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
– name: myapp
image: shaikkhajaibrahim/libapp:1
resources:
limits:
memory: "256Mi"
cpu: "500m"
env:
– name: DATABASE_URL
valueFrom:
secretKeyRef:
name: lib-db-credentials
key: DATABASE_URL
ports:
– containerPort: 8000
– name: cloud-sql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.29.0
command: ["/cloud_sql_proxy", "–dir=/cloudsql",
"-instances=<PROJECT_ID>:<REGION>:<INSTANCE_NAME>=tcp:5432",
"-credential_file=/secrets/cloudsql/credentials.json"]
“`
* Deploy the app - Create a k8s secret for DB credentials
Managing Sensitive Information in Secrets Manager
- Create a Secret
- Navigate to secrets manager
- Create a secret i.e. name your secret (DATABSE Password) and add secret value
- Ensure GKE Service account has right permission (roles/secretmanager.secretAccessor) to access the secret
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member="serviceaccount:[GKE_SERVICE_ACCOUNT]" \
--role=roles/secretmanager.secretAccessor
- Enable Workload identity on GKE
gcloud cluster update [CLUSTER_NAME] \
--workload-pool=[PROJECT_ID].svc.id.goog
- Create a k8s service account
kubectl create serviceaccount [KSA_NAME]
- Grant the KSA access to the GCP service
gcloud iam service-accounts add-iam-policy-binding \
[GSA_NAME]@{PROJECT_ID}.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${PROJECT_ID}.svc.id.goog[default/${KSA_NAME}]
- Annotate the KSA with the GSA
kubectl annotate serviceaccount [KSA_NAME] \
iam.gke.io/gcp-service-acount=[GSA]
- Now to get secrets we have two options
- FROM gcloud-sideecar
- Sync secrets with k8s secrets using CSI Driver
