GKE private cluster and cloud sql proxy connection

Problem description

I have 2 GKE clusters, private and public, and am using cloudproxy as a sidecar container for the GKE app to access the Cloud SQL instance.

Public cluster setup for dev/test

Cloud SQL is enabled with both private and public IP. The GKE app is using cloudproxy with the default option of IP types (public,private) as below. Cloud SQL doesn't have any authorized network.

In this case, my app is able to connect to Cloud SQL and works smoothly. As far as I understand, the connection to Cloud SQL here should be happening over the private IP because there is no authorised network configured.

Private cluster setup for production

Cloud SQL is enabled with both private and public IP. The GKE app is using cloudproxy with the default option of IP types (public,private).

cloudsql-proxy setting in deployment file

  - name: cloudsql-proxy
    image: gcr.io/cloudsql-docker/gce-proxy:1.11
    command: ["/cloud_sql_proxy"]
    args: ["-instances=$(REAL_DB_HOST)=tcp:$(REAL_DB_PORT)","-credential_file=/secrets/cloudsql/credentials.json"]

Case 1: Cloud SQL doesn't have any authorized network. Result: the application is not able to connect to Cloud SQL.

Case 2: Cloud SQL has the private GKE NAT gateway as an authorized network. Result: the application is not able to connect to Cloud SQL.

Maybe removing cloudproxy from the application will work (I am yet to test), but it discourages the usage of the proxy in the dev env, as it will need changes in the deployment file during production deployment.

I am not able to understand what is causing the connection failure with cloudproxy in the GKE private cluster. Should we not use cloudproxy in a private cluster?

Update: The reason cloud proxy was not able to connect to Cloud SQL was that the Cloud SQL Admin API was disabled. I have updated my answer in the answer section.

Recommended answer

@kurtisvg has provided an informative answer to it.

However, the real issue was the SQL Admin API, and enabling it fixed the issue. After looking into the logs I found the entry below.

Error 403: Access Not Configured. Cloud SQL Admin API has not been used in project XXXXXX before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?
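
The log entry above identifies a disabled Cloud SQL Admin API, which the proxy calls to look up the instance. As an added example (not part of the original post), this POSIX shell script scans cloudsql-proxy sidecar logs for that entry and prints the matching `gcloud services enable` command; the sample log lines, the function names and the project id `example-project` are constructed.

```shell
#!/bin/sh
# Added example: find the "Access Not Configured" entry in cloudsql-proxy logs.

# Constructed sample log. Only the "Error 403 ..." wording comes from the page;
# timestamps, instance name and project id "example-project" are made up.
sample_log() {
cat <<'EOF'
2019/01/01 00:00:00 Listening on 127.0.0.1:5432 for example-project:region:db
2019/01/01 00:00:05 Error 403: Access Not Configured. Cloud SQL Admin API has not been used in project example-project before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?
2019/01/01 00:00:35 Error 403: Access Not Configured. Cloud SQL Admin API has not been used in project example-project before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?
EOF
}

# Reads log text on stdin, prints one "project api" pair per distinct error.
# The character classes keep arbitrary log text out of the generated command.
find_disabled_apis() {
  grep -F 'Error 403: Access Not Configured' |
    sed -nE 's#.*in project ([A-Za-z0-9.:-]+) before or it is disabled.*/apis/api/([a-z0-9.-]+)/overview.*#\1 \2#p' |
    sort -u
}

# Prints the command that enables each disabled API.
# Returns 0 if the error was found, 1 if the log does not contain it.
triage_proxy_log() {
  hits=$(find_disabled_apis)
  if [ -z "$hits" ]; then
    echo "no 'Access Not Configured' entry found" >&2
    return 1
  fi
  printf '%s\n' "$hits" | while read -r project api; do
    echo "gcloud services enable $api --project=$project"
  done
}

# Real use: kubectl logs <pod> -c cloudsql-proxy 2>&1 | triage_proxy_log
# Demo on the constructed sample:
sample_log | triage_proxy_log
```

The repeated error lines collapse to a single command because the pairs are de-duplicated before printing.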
