Kubernetes Cloud SQL sidecar connection timed out. How to check if credentials work?

5/13/2019

I'm trying to set up a Cloud SQL Proxy Docker image for PostgreSQL as mentioned here. I can get my app to connect to the proxy Docker image, but the proxy times out. I suspect it's my credentials or the port, so how do I debug and find out if it works? This is what I have in my project:

kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=my-account-credentials.json

My deploy spec snippet:

spec:
  containers:
    - name: mara ...
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.11
      command: ["/cloud_sql_proxy",
                "-instances=<MY INSTANCE NAME>=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    - name: cloudsql-instance-credentials
      secret:
        secretName: cloudsql-instance-credentials

The logs of my cloudsql-proxy show a timeout:

2019/05/13 15:08:25 using credential file for authentication; email=646092572393-compute@developer.gserviceaccount.com
2019/05/13 15:08:25 Listening on 127.0.0.1:5432 for <MY INSTANCE NAME>
2019/05/13 15:08:25 Ready for new connections
2019/05/13 15:10:48 New connection for "<MY INSTANCE NAME>"
2019/05/13 15:10:58 couldn't connect to <MY INSTANCE NAME>: dial tcp <MY PRIVATE IP>:3307: getsockopt: connection timed out

Questions:

  • I specify 5432 as my port, but as you can see in the logs above, it's hitting 3307. Is that normal, and if not, how do I specify 5432?

  • How do I check if it is a problem with my credentials? My credentials file is from my service account 123-compute@developer.gserviceaccount.com and the service account shown when I go to my cloud sql console is p123-<somenumber>@gcp-sa-cloud-sql.iam.gserviceaccount.com. They don't seem the same? Does that make a difference?

If I make the Cloud SQL instance available on a public IP, it works.

-- RAbraham
google-cloud-platform
google-cloud-sql
kubernetes

1 Answer

5/13/2019

I specify 5432 as my port, but as you can see in the logs above, it's hitting 3307

The proxy listens locally on the port you specified (in this case 5432), and connects to your Cloud SQL instance via port 3307. This is expected and normal.

How do I check if it is a problem with my credentials?

The proxy returns an authorization error if the Cloud SQL instance doesn't exist, or if the service account doesn't have access. The connection timeout error means it failed to reach the Cloud SQL instance.

My credentials file is from my service account 123-compute@developer.gserviceaccount.com and the service account shown when I go to my cloud sql console is p123-<somenumber>@gcp-sa-cloud-sql.iam.gserviceaccount.com. They don't seem the same?

One is just the name of the file, the other is the name of the service account itself. The name of the file doesn't have to match the name of the service account. You can check the name and IAM roles of a service account on the Service Account page.

2019/05/13 15:10:58 couldn't connect to <MY INSTANCE NAME>: dial tcp <MY PRIVATE IP>:3307: getsockopt: connection timed out

This error means that the proxy failed to establish a network connection to the instance (usually because a path from the current location doesn't exist). There are two common causes for this:

First, make sure there isn't a firewall or something blocking outbound connections on port 3307.

Second, since you are using Private IP, you need to make sure the resource you are running the proxy on meets the networking requirements.

-- kurtisvg
Source: StackOverflow
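A small debugging helper that follows the answer's three checks (which identity the credential file carries, whether a proxy log line is an authorization failure or a network failure, and whether a TCP path to the instance on 3307 exists). This is an added example, not code from the question, the answer, or the Cloud SQL Proxy project. It assumes the credential file is a standard service-account JSON key with a `client_email` field, that proxy output has been captured with `kubectl logs <pod> -c cloudsql-proxy`, and that the private IP of the instance is known; the `Error 403` / `notAuthorized` / "ensure that the account has access" wording used to recognise authorization failures is an assumption about the proxy's error text, since the page only shows the timeout line. The sample log lines are constructed.

```bash
#!/usr/bin/env bash
# Added debugging helper for a cloud_sql_proxy sidecar (example code, not
# from the original Q&A). Assumptions: service-account JSON key with a
# "client_email" field; proxy log captured with
#   kubectl logs <pod> -c cloudsql-proxy
# The auth-failure patterns below are assumed, not quoted from the page.

# Which identity does the key file actually carry? The answer points out that
# the file name and the service-account name are unrelated; the email inside
# the key is what the proxy reports as "email=..." at startup.
credential_email() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify one proxy log line into the two failure classes the answer separates:
#   network - the proxy could not reach <PRIVATE IP>:3307 (firewall / VPC path)
#   auth    - wrong instance name, or the service account lacks access (assumed wording)
#   ok      - normal startup / connection handling
classify_proxy_line() {
  case "$1" in
    *"connection timed out"*|*"i/o timeout"*|*"no route to host"*|*"connection refused"*) echo network ;;
    *"ensure that the account has access"*|*"Error 403"*|*notAuthorized*) echo auth ;;
    *) echo ok ;;
  esac
}

# Active check from wherever the proxy runs: can a TCP connection to the
# instance on 3307 be opened within 5 seconds? Uses bash's /dev/tcp so it
# works in a minimal container without nc. Prints reachable/unreachable.
check_tcp_path() {
  host="$1"; port="${2:-3307}"
  if timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo reachable; return 0
  fi
  echo unreachable; return 1
}

# Read-only IAM check: which roles does the service account hold in the
# project? The proxy needs a Cloud SQL client-type role on that project.
show_sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="table(bindings.role)"
}

# Annotate every line of a log with its class.
annotate_log() {
  while IFS= read -r line; do
    printf '%-8s %s\n' "$(classify_proxy_line "$line")" "$line"
  done
}

# Constructed sample log (placeholders stand in for real instance/IP values).
SAMPLE_LOG='2019/05/13 15:08:25 using credential file for authentication; email=123-compute@developer.gserviceaccount.com
2019/05/13 15:08:25 Listening on 127.0.0.1:5432 for <MY INSTANCE NAME>
2019/05/13 15:10:58 couldn'"'"'t connect to <MY INSTANCE NAME>: dial tcp <MY PRIVATE IP>:3307: getsockopt: connection timed out
2019/05/13 15:12:01 couldn'"'"'t connect to <MY INSTANCE NAME>: ensure that the account has access to <MY INSTANCE NAME>'

# Usage: proxy_debug.sh <credentials.json> <proxy-log-file> [private-ip]
# With no arguments, annotate the constructed sample log instead.
if [ $# -ge 2 ]; then
  echo "credential identity: $(credential_email "$1")"
  annotate_log < "$2"
  [ -n "${3:-}" ] && check_tcp_path "$3" 3307
else
  printf '%s\n' "$SAMPLE_LOG" | annotate_log
fi
```

A `network` line while the public-IP variant works is the symptom in the question: the identity and instance name are fine and the missing piece is the VPC path from the GKE node to the private IP, which `check_tcp_path` confirms from inside the pod before you touch any IAM settings.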