Sidecar pattern for gce-proxy when connecting to Cloud SQL instance #15

Closed
MishaVeldhoen opened this issue Nov 19, 2020 · 11 comments
Labels
kind/enhancement kind - new features or changes

Comments

@MishaVeldhoen

What is your feature request?
When deploying airflow on GKE, it would be nice to support connecting to a Cloud SQL instance through the sidecar pattern (as recommended in the docs), in a way similar to how git sync is supported currently.

What alternatives have you considered?

  • Deploying postgres on kubernetes with a persistent storage.
  • Running the proxy as a service in the airflow namespace.
@MishaVeldhoen MishaVeldhoen added the kind/enhancement kind - new features or changes label Nov 19, 2020
@thesuperzapper
Member

@MishaVeldhoen I have a feeling it might already be possible with the airflow.extraContainers value (with the possible exception of flower, as airflow.extraContainers doesn't apply to flower).

But I am not sure it will give you any more security than the existing method of using a user/password with externalDatabase.user and externalDatabase.passwordSecret.

@MishaVeldhoen
Author

@thesuperzapper, yes, you are right, I had missed that option.

And about your point of more security, using the proxy I still need a user/password, but I don't have to whitelist any IP addresses or anything. And it seems to be the recommended way as per the docs linked in the issue, but I'm no expert on the topic.

@thesuperzapper
Member

@MishaVeldhoen if you get it working with airflow.extraContainers, please report back your configs.

@mdcsaenz

@MishaVeldhoen Did you get this to work?

@MishaVeldhoen
Author

Hi, sorry for the late response, I did indeed get this to work using the suggestion of @thesuperzapper. Here's the relevant part of the configuration:

```yaml
airflow:

  ## sidecar containers for web/scheduler/worker
  ##
  extraContainers:
  - name: cloud-sql-proxy
    ports:
    - containerPort: 5432
    env:
    - name: DB_INSTANCE
      valueFrom:
        secretKeyRef:
          key: cloud-sql-instance
          name: mz-database-connection
    image: gcr.io/cloudsql-docker/gce-proxy:1.18.0
    command: ["/cloud_sql_proxy"]
    args: ["-instances", "$(DB_INSTANCE)=tcp:5432", "-credential_file", "/secrets/service_account.json"]
    securityContext:
      # The default Cloud SQL proxy image runs as the
      # "nonroot" user and group (uid: 65532) by default.
      runAsNonRoot: true
    volumeMounts:
    - mountPath: /secrets/
      name: gcp-airflow-service-account-volume
      readOnly: true

  extraVolumes:
    - name: gcp-airflow-service-account-volume
      secret:
        secretName: gcp-airflow-service-account
```

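The sidecar entry above is the kind of spec a reviewer would want to lint before it ships: is the image pinned, does the proxy listener stay on the pod's loopback interface (the v1 proxy's `tcp:PORT` form binds 127.0.0.1, while `tcp:0.0.0.0:PORT` would expose it to the pod network), is the credential file mounted read-only, and is privilege escalation disabled. The following added example is not from the thread or the chart; it is a small policy check written for this page, run over a constructed dict that mirrors the posted YAML (the `allowPrivilegeEscalation` check and the `hardened()` helper are this example's own additions, not settings the poster used).

```python
"""Policy checks for a Cloud SQL proxy sidecar container spec.

Added example: a small linter for the kind of extraContainers entry posted in
this thread, run over a constructed dict that mirrors that YAML.
"""
from __future__ import annotations

import copy

# Constructed sample mirroring the posted extraContainers entry (not parsed from
# the chart; secret and volume names are the poster's, instance is a placeholder).
POSTED_SIDECAR = {
    "name": "cloud-sql-proxy",
    "image": "gcr.io/cloudsql-docker/gce-proxy:1.18.0",
    "command": ["/cloud_sql_proxy"],
    "args": ["-instances", "$(DB_INSTANCE)=tcp:5432",
             "-credential_file", "/secrets/service_account.json"],
    "ports": [{"containerPort": 5432}],
    "securityContext": {"runAsNonRoot": True},
    "volumeMounts": [{"mountPath": "/secrets/",
                      "name": "gcp-airflow-service-account-volume",
                      "readOnly": True}],
}


def _flag_value(args: list[str], flag: str) -> str | None:
    """Return the value of a Go-style flag given as '-flag value' or '-flag=value'."""
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def _bind_addresses(instances: str) -> list[str]:
    """Extract the TCP bind address from each 'INSTANCE=tcp:[ADDR:]PORT' entry.

    v1 proxy syntax: 'tcp:5432' binds loopback only; 'tcp:0.0.0.0:5432' binds
    every pod interface. Unix-socket entries have no bind address and are skipped.
    """
    addrs = []
    for entry in instances.split(","):
        _, _, listener = entry.partition("=")
        if not listener.startswith("tcp:"):
            continue
        parts = listener.split(":")
        # ['tcp', 'PORT'] -> loopback default; ['tcp', 'ADDR', 'PORT'] -> explicit
        addrs.append("127.0.0.1" if len(parts) == 2 else parts[1])
    return addrs


def check_sidecar(container: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec passed every check."""
    findings: list[str] = []

    # 1. Image must be pinned to a tag or digest, never floating.
    image = container.get("image", "")
    last = image.rsplit("/", 1)[-1]
    if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
        findings.append(f"image not pinned: {image!r}")

    # 2. Container-level security context.
    sc = container.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        findings.append("securityContext.runAsNonRoot should be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("securityContext.allowPrivilegeEscalation should be false")

    # 3. The credential file must come from a read-only mount.
    args = container.get("args", [])
    cred = _flag_value(args, "-credential_file")
    if cred:
        mounts = [m for m in container.get("volumeMounts", [])
                  if cred.startswith(m.get("mountPath", "\0"))]
        if not mounts:
            findings.append(f"credential_file {cred!r} has no matching volumeMount")
        elif not all(m.get("readOnly") for m in mounts):
            findings.append("credential volume should be mounted readOnly")

    # 4. The proxy listener must stay on loopback so only the pod's own
    #    containers can reach it; tcp:0.0.0.0:PORT exposes it to the pod network.
    for addr in _bind_addresses(_flag_value(args, "-instances") or ""):
        if addr not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"proxy listener bound to non-loopback address {addr!r}")

    return findings


def hardened(container: dict) -> dict:
    """Return a copy of the spec with the one missing securityContext setting added."""
    fixed = copy.deepcopy(container)
    fixed.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


if __name__ == "__main__":
    for finding in check_sidecar(POSTED_SIDECAR):
        print("posted spec:", finding)
    print("hardened spec:", check_sidecar(hardened(POSTED_SIDECAR)) or "no findings")
```

Against the posted spec the only finding is the missing `allowPrivilegeEscalation: false`; the loopback check is the one most worth keeping in a CI lint, because a later edit to the `-instances` argument is the easiest way to silently widen who can reach the proxy.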
@dunganle

@MishaVeldhoen how did you pass an empty password for the external db in the helm chart?

@thesuperzapper
Member

@dunganle I am not sure it's possible to pass an empty password, but I might be mistaken.

@dunganle

@thesuperzapper I'm not sure how this works then, as you cannot set a password for cloudsql IAM users?

@aksharma-gitpurpose

@MishaVeldhoen Hi, could you please upload your custom-values.yaml file for the configuration of airflow in GKE with MySQL (CloudSQL) using the sidecar pattern? I have been trying without any success.

@mudravrik

Hi @MishaVeldhoen, thank you so much for your example! I recently tried to implement the same pattern as part of an openmetadata deployment, but unfortunately failed.
It seems like (now?) the initContainers check-db and wait-for-db-migrations run before the gce-proxy defined as extraContainers. So they cannot use the proxy, check-db fails and blocks the whole pod from deploying.
Do you maybe have any suggestions for this?

@akashniranjan64

@mudravrik This behaviour is the same for me. check-db continues to fail and so does my deployment. Any solution?

7 participants