CODEWITHSUNDEEP
kubernetesgoogle-cloud-platformgoogle-cloud-sql
RAbraham
RAbraham

Reputation: 6324

Kubernetes Cloud SQL sidecar connection timed out. How to check if credentials work?

I'm trying to setup a Cloud SQL Proxy Docker image for PostgreSQL as mentioned here. I can get my app to connect to the proxy docker image but the proxy times out. I suspect it's my credentials or the port, so how do I debug and find out if it works? This is what I have on my project

kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=my-account-credentials.json

My deploy spec snippet:

spec:
      containers:
        - name: mara ...
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
                    "-instances=<MY INSTANCE NAME>=tcp:5432",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
      volumes:
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials

The logs of my cloudsql-proxy show a timeout:

2019/05/13 15:08:25 using credential file for authentication; [email protected]
2019/05/13 15:08:25 Listening on 127.0.0.1:5432 for <MY INSTANCE NAME>
2019/05/13 15:08:25 Ready for new connections
2019/05/13 15:10:48 New connection for "<MY INSTANCE NAME>"
2019/05/13 15:10:58 couldn't connect to <MY INSTANCE NAME>: dial tcp <MY PRIVATE IP>:3307: getsockopt: connection timed out

Questions:

If I make the Cloud SQL instance available on a public IP, it works.

Upvotes: 2

Views: 3821

Answers (2)

alexandre-rousseau
alexandre-rousseau

Reputation: 2850

Proxy listen port 3307. This is mentioned on documentation

Port 3307 is used by the Cloud SQL Auth proxy to connect to the Cloud SQL Auth proxy server. -- https://cloud.google.com/sql/docs/postgres/connect-admin-proxy#troubleshooting

You may need to create a firewall like the following:

  • Direction: Egress
  • Action on match: Allow
  • Destination filters : IP ranges 0.0.0.0/0
  • Protocols and ports : tcp:3307 & tcp:5432

Upvotes: 1

kurtisvg
kurtisvg

Reputation: 3565

I specify 5432 as my port, but as you can see in the logs above,it's hitting 3307

The proxy listens locally on the port you specified (in this case 5432), and connects to your Cloud SQL instance via port 3307. This is expected and normal.

How do I check if it is a problem with my credentials?

The proxy returns an authorization error if the Cloud SQL instance doesn't exist, or if the service account doesn't have access. The connection timeout error means it failed to reach the Cloud SQL instance.

My credentials file is from my service account [email protected] and the service account shown when I go to my cloud sql console is [email protected]. They don't seem the same?

One is just the name of the file, the other is the name of the service account itself. The name of the file doesn't have to match the name of the service account. You can check the name and IAM roles of a service account on the Service Account page.

2019/05/13 15:10:58 couldn't connect to : dial tcp :3307: getsockopt: connection timed out

This error means that the proxy failed to establish a network connection to the instance (usually because a path from the current location doesn't exist). There are two common causes for this:

First, make sure there isn't a firewall or something blocking outbound connections on port 3307.

Second, since you are using Private IP, you need to make sure the resource you are running the proxy on meets the networking requirements.

Upvotes: 4

Related Questions