Unable to connect to cloud SQL from container using cloud_sql_proxy
So for some reason I am unable to connect to the SQL instance through cloud_sql_proxy.
I tried running telnet 127.0.0.1 3306 on the wordpress container (through kubectl exec ...):
bash-4.3# telnet 127.0.0.1 3306
Connection closed by foreign host
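Even if I kubectl exec.. into the cloudsql-proxy container, I get the same behaviour as above.
Doing this locally works fine, however.
How do I diagnose this, and what might be the cause?
Here is my container configuration (in the deployment):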
containers:
  - image: eu.gcr.io/abcxyz/wordpress:initial
    name: wordpress
    imagePullPolicy: "Always"
    env:
      - name: WORDPRESS_HOST
        value: localhost
      - name: WORDPRESS_DB_USERNAME
        valueFrom:
          secretKeyRef:
            name: cloudsql-db-credentials
            key: username
    volumeMounts:
      - name: wordpress-persistent-storage
        mountPath: /var/www/html
  - image: eu.gcr.io/abcxyz/nginx:initial
    name: nginx
    imagePullPolicy: "Always"
    ports:
      - containerPort: 80
        name: nginx
    volumeMounts:
      - name: wordpress-persistent-storage
        mountPath: /var/www/html
  - image: gcr.io/cloudsql-docker/gce-proxy:1.09
    name: cloudsql-proxy
    command: ["/cloud_sql_proxy", "--dir=/cloudsql",
              "-instances=abcxyz:europe-west1:wordpressdb=tcp:3306",
              "-credential_file=/secrets/cloudsql/credentials.json"]
    volumeMounts:
      - name: cloudsql-instance-credentials
        mountPath: /secrets/cloudsql
        readOnly: true
      - name: ssl-certs
        mountPath: /etc/ssl/certs
      - name: cloudsql
        mountPath: /cloudsql
If I get the logs from cloudsql-proxy, I see the following:
2017/08/11 12:55:03 New connection for "abcxyz:europe-west1:wordpressdb"
2017/08/11 12:55:03 couldn't connect to "abcxyz:europe-west1:wordpressdb": ensure that the account has access to "abcxyz:europe-west1:wordpressdb" (and make sure there's no typo in that name). Error during createEphemeral for abcxyz:europe-west1:wordpressdb: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
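The service account in question does have the Cloud SQL Admin permission.

I needed to add the Cloud SQL Client permission to the service account.
Update: I ran into this problem again; for some reason the service account would run into the error above. I had to create another service account, which worked...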
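
Added example, not part of the original question or answer: one way to tie the 403 in the proxy log to the role the answer names, by matching the failure line and then looking up the service account in a project IAM policy (the JSON printed by gcloud projects get-iam-policy PROJECT --format=json). The service account name and the policy contents are constructed for this example, and only roles bound directly to the account at project level are considered.

```python
import re

CLIENT_ROLE = "roles/cloudsql.client"  # role ID of "Cloud SQL Client"

# Failure line format taken from the proxy log quoted in the question.
FAIL_RE = re.compile(
    r"couldn't connect to \"(?P<instance>[^\"]+)\":.*"
    r"googleapi: Error (?P<code>\d+): .*?, (?P<reason>\w+)\s*$")

def auth_failures(log_text):
    """Map each instance rejected with HTTP 403 to the API's reason code."""
    failures = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("code") == "403":
            failures[m.group("instance")] = m.group("reason")
    return failures

def roles_for(policy, service_account):
    """Roles bound directly to the account in a get-iam-policy JSON document."""
    member = "serviceAccount:" + service_account
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def diagnose(log_text, policy, service_account):
    """Pair every 403 in the proxy log with the account's role bindings."""
    roles = roles_for(policy, service_account)
    return [{"instance": inst, "reason": reason, "roles": roles,
             "has_client_role": CLIENT_ROLE in roles}
            for inst, reason in auth_failures(log_text).items()]

# Constructed sample input. The log lines are the ones from the question; the
# service account name and the policy are made up for this example.
SAMPLE_SA = "wp-proxy@abcxyz.iam.gserviceaccount.com"
SAMPLE_LOG = """\
2017/08/11 12:55:03 New connection for "abcxyz:europe-west1:wordpressdb"
2017/08/11 12:55:03 couldn't connect to "abcxyz:europe-west1:wordpressdb": ensure that the account has access to "abcxyz:europe-west1:wordpressdb" (and make sure there's no typo in that name). Error during createEphemeral for abcxyz:europe-west1:wordpressdb: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
"""
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudsql.admin", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/storage.objectViewer", "members": ["user:someone@example.com"]},
]}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_POLICY, SAMPLE_SA):
        print(finding)
```

A finding with has_client_role set to False matches the situation in the question; once a binding for roles/cloudsql.client is added for the account, the same check reports True.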