在使用cloud_sql_proxy的情况下,方法是使用GCP-GSA(服务账号),下载cloud sql proxy:
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
创建代理用户:
gcloud iam service-accounts create proxy-user --display-name "proxy-user"
gcloud iam service-accounts list
[SERVICE_ACCOUNT_EMAIL] 是 SQL 实例详情中的电子邮件。
gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudsql.client
gcloud iam service-accounts keys create key.json --iam-account [SERVICE_ACCOUNT_EMAIL]
gcloud sql instances describe [INSTANCE_ID] | grep connectionName
创建一个用于 Kube 引擎的关键 JSON 文件。
./cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306 -credential_file=key.json &
kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=key.json
您的部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: <DEPLOYMENT-NAME>
spec:
selector:
matchLabels:
app: <APPLICATION-NAME>
template:
metadata:
labels:
app: <APPLICATION-NAME>
spec:
serviceAccountName: <KSA-NAME>
containers:
- name: cloud-sql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.17
command:
- "/cloud_sql_proxy"
- "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
securityContext:
runAsNonRoot: true