Spring Boot (JHipster) pod cannot connect to Cloud SQL

3/10/2019

I have tried to connect from a pod (JHipster) to Google Cloud SQL, but I have not been successful. My pod is left in CrashLoopBackOff because it cannot connect to Cloud SQL. Error:

org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:280)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
......
ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [cl/databin/invoicing/folio/config/LiquibaseConfiguration.class]: Invocation of init method failed; nested exception is liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Connection to localhost:5432 refused.

my folio-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: folio
  namespace: jhipster
spec:
  replicas: 2
  selector:
    matchLabels:
      app: folio
      version: "v1"
  template:
    metadata:
      labels:
        app: folio
        version: "v1"
    spec: 
       containers:
       - name: folio-app
        image: skilledboy/folio:v1
        env:
        - name: SPRING_PROFILES_ACTIVE
          value: prod
        - name: JHIPSTER_SECURITY_AUTHENTICATION_JWT_BASE64_SECRET
          valueFrom:
            secretKeyRef:
              name: jwt-secret
              key: secret
        - name: SPRING_DATASOURCE_URL
          value: jdbc:postgresql://localhost:5432/folio
        - name: POSTGRES_DB_USER
          value: user
        - name: POSTGRES_DB_PASSWORD
          value: password1
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
                    "-instances=invo-project-233618:us-central1:folios=tcp:5432",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          securityContext:
            runAsUser: 2  # non-root user
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cloudsql-oauth-credential
              mountPath: /secrets/cloudsql
              readOnly: true
            - name: ssl-certs
              mountPath: /etc/ssl/certs
        - name: SPRING_SLEUTH_PROPAGATION_KEYS
          value: "x-request-id,x-ot-span-context"
        - name: JAVA_OPTS
          value: " -Xmx256m -Xms256m"
        resources:
          requests:
            memory: "256Mi"
            cpu: "500m"
          limits:
            memory: "512Mi"
            cpu: "1"
        ports:
        - name: http
          containerPort: 8081
        readinessProbe:
          httpGet:
            path: /folio/management/health
            port: http
          initialDelaySeconds: 20
          periodSeconds: 15
          failureThreshold: 6
        livenessProbe:
          httpGet:
            path: /folio/management/health
            port: http
          initialDelaySeconds: 120
      volumes:
        - name: cloudsql-oauth-credential
          secret:
            secretName: cloudsql-oauth-credential
        - name: ssl-certs
          hostPath:
            path: /etc/ssl/certs

and in the configuration of my application-prod.yml

datasource:
  type: com.zaxxer.hikari.HikariDataSource
  url: jdbc:postgresql://127.0.0.1:5432/folio
  username: ${POSTGRES_DB_USER}
  password: ${POSTGRES_DB_PASSWORD}

What do I have wrong? Can someone give me an idea of what I might have wrong? Thanks.

-- Eduardo Rosales Fernandez
google-cloud-sql
google-kubernetes-engine
jhipster
kubernetes
spring-boot

1 Answer

3/11/2019

Your problem is that you are telling the Cloud SQL proxy to run with -credential_file=/secrets/cloudsql/credentials.json, but you haven't actually provided a file at /secrets/cloudsql/ for it to use. (The volume in your config is at /etc/ssl/certs.)

It's also worth pointing out that the credential_file flag is for using a service account key, and the token flag is used for an OAuth token (it's unclear which you are trying to use).

-- kurtisvg
Source: StackOverflow
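
As an added example (not part of the original question or answer): a small Python check for the condition the answer describes, namely that the container running the proxy has a volume mounted over the path given to -credential_file. It goes slightly further and also flags container fields nested inside an env entry. The function names and the sample spec are constructed for illustration, and the input is assumed to be the pod spec in dict form, such as .spec.template.spec from kubectl get deployment -o json.

```python
import posixpath

ENV_KEYS = {"name", "value", "valueFrom"}  # fields a Kubernetes env entry may carry

def credential_paths(container):
    """Paths passed as -credential_file=<path> in the container's command/args."""
    argv = container.get("command", []) + container.get("args", [])
    return [a.split("=", 1)[1] for a in argv if a.startswith("-credential_file=")]

def covers(mount_path, path):
    """True if `path` lies at or below `mount_path`."""
    root, path = posixpath.normpath(mount_path), posixpath.normpath(path)
    return path == root or path.startswith(root.rstrip("/") + "/")

def check_pod_spec(pod_spec):
    """Return findings for a pod spec dict; an empty list means nothing was flagged."""
    findings = []
    volumes = {v["name"] for v in pod_spec.get("volumes", [])}
    for c in pod_spec.get("containers", []):
        for e in c.get("env", []):
            extra = sorted(set(e) - ENV_KEYS)
            if extra:  # image/command placed under env do not define a container
                findings.append(f"{c['name']}: env entry '{e.get('name')}' has container fields {extra}")
        for path in credential_paths(c):
            mounts = [m for m in c.get("volumeMounts", []) if covers(m["mountPath"], path)]
            if not mounts:
                findings.append(f"{c['name']}: no volumeMount covers {path}")
            for m in mounts:
                if m["name"] not in volumes:
                    findings.append(f"{c['name']}: volume '{m['name']}' is not defined")
    return findings

# Constructed sample: proxy as its own container, key mounted where the flag points.
# PROJECT:REGION:INSTANCE is a placeholder for the instance connection name.
PROXY = {
    "name": "cloudsql-proxy",
    "image": "gcr.io/cloudsql-docker/gce-proxy:1.11",
    "command": ["/cloud_sql_proxy", "-instances=PROJECT:REGION:INSTANCE=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"],
    "volumeMounts": [{"name": "cloudsql-oauth-credential",
                      "mountPath": "/secrets/cloudsql", "readOnly": True}],
}
SIDECAR_SPEC = {
    "containers": [{"name": "folio-app", "image": "skilledboy/folio:v1"}, PROXY],
    "volumes": [{"name": "cloudsql-oauth-credential",
                 "secret": {"secretName": "cloudsql-oauth-credential"}}],
}

if __name__ == "__main__":
    print(check_pod_spec(SIDECAR_SPEC) or "no findings")
```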