Sidecar pattern for gce-proxy when connecting to Cloud SQL instance #15
Comments
@MishaVeldhoen I have a feeling it might already be possible with the But I am not sure it will give you any more security, as the existing method of using a user/password with
@thesuperzapper, yes, you are right, I had missed that option. And about your point of more security, using the proxy I still need a user/password, but I don't have to whitelist any IP addresses or anything. And it seems to be the recommended way as per the docs linked in the issue, but I'm no expert on the topic.
@MishaVeldhoen if you get it working with
@MishaVeldhoen Did you get this to work?
Hi, sorry for the late response, I did indeed get this to work using the suggestion of @thesuperzapper. Here's the relevant part of the configuration:

```yaml
airflow:
  ## sidecar containers for web/scheduler/worker
  ##
  extraContainers:
    - name: cloud-sql-proxy
      ports:
        - containerPort: 5432
      env:
        - name: DB_INSTANCE
          valueFrom:
            secretKeyRef:
              key: cloud-sql-instance
              name: mz-database-connection
      image: gcr.io/cloudsql-docker/gce-proxy:1.18.0
      command: ["/cloud_sql_proxy"]
      args: ["-instances", "$(DB_INSTANCE)=tcp:5432", "-credential_file", "/secrets/service_account.json"]
      securityContext:
        # The default Cloud SQL proxy image runs as the
        # "nonroot" user and group (uid: 65532) by default.
        runAsNonRoot: true
      volumeMounts:
        - mountPath: /secrets/
          name: gcp-airflow-service-account-volume
          readOnly: true
  extraVolumes:
    - name: gcp-airflow-service-account-volume
      secret:
        secretName: gcp-airflow-service-account
```
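As an added example (not code from the chart or from anyone in this thread), here is a small audit that checks a sidecar container spec like the one above for the hardening points that matter with this pattern: the proxy runs non-root, the image is pinned, the listener is not exposed on all interfaces, and the service-account key is only reachable through a read-only mount. The `SIDECAR` dict is a constructed copy of the posted container in Python form so it runs without a YAML parser; the `readOnlyRootFilesystem` check is an extra recommendation, not something the thread sets.

```python
"""Audit a Cloud SQL proxy sidecar container spec for common hardening gaps."""
from typing import Dict, List, Optional

# Constructed sample mirroring the sidecar container posted above.
SIDECAR: Dict = {
    "name": "cloud-sql-proxy",
    "image": "gcr.io/cloudsql-docker/gce-proxy:1.18.0",
    "command": ["/cloud_sql_proxy"],
    "args": ["-instances", "$(DB_INSTANCE)=tcp:5432",
             "-credential_file", "/secrets/service_account.json"],
    "env": [{"name": "DB_INSTANCE", "valueFrom": {"secretKeyRef": {
        "name": "mz-database-connection", "key": "cloud-sql-instance"}}}],
    "securityContext": {"runAsNonRoot": True},
    "volumeMounts": [{"mountPath": "/secrets/",
                      "name": "gcp-airflow-service-account-volume",
                      "readOnly": True}],
}


def _flag_value(args: List[str], flag: str) -> Optional[str]:
    """Return the value for `flag`, accepting both `-f value` and `-f=value`."""
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def audit_sidecar(container: Dict) -> List[str]:
    """Return a list of findings for one container spec (empty means clean)."""
    findings: List[str] = []
    args = container.get("args", [])
    sec = container.get("securityContext", {})
    if sec.get("runAsNonRoot") is not True:
        findings.append("securityContext.runAsNonRoot should be true")
    if sec.get("readOnlyRootFilesystem") is not True:
        findings.append("securityContext.readOnlyRootFilesystem not set")
    image = container.get("image", "")
    if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
        findings.append(f"image {image!r} is not pinned to a version tag")
    if "0.0.0.0" in (_flag_value(args, "-instances") or ""):
        findings.append("proxy listens on all interfaces; a sidecar only needs localhost")
    cred = _flag_value(args, "-credential_file")
    if cred:
        # The key file must sit under a mount the container cannot modify.
        ro_paths = [m["mountPath"] for m in container.get("volumeMounts", []) if m.get("readOnly")]
        if not any(cred.startswith(p) for p in ro_paths):
            findings.append(f"{cred} is not under a readOnly volume mount")
    return findings
```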
@MishaVeldhoen how did you pass an empty password for the external db in the helm chart?
@dunganle I am not sure it's possible to pass an empty password, but I might be mistaken.
@thesuperzapper I'm not sure how this works then, as you cannot set a password for cloudsql IAM users?
@MishaVeldhoen Hi could you please upload your custom-values.yaml file for the configuration of airflow in GKE with MySQL (CloudSQL) using the sidecar pattern. I have been trying without any success.
Hi @MishaVeldhoen Thank you so much for your example! I recently tried to implement the same pattern as part of openmetadata deployment, but unfortunately failed.
mudravrik This behaviour is the same for me.
What is your feature request?
When deploying airflow on GKE, it would be nice to support connecting to a Cloud SQL instance through the sidecar pattern (as recommended in the docs), in a way similar to how git sync is supported currently.
What alternatives have you considered?