-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't connect to Google Cloud Sql #6593
Comments
I got a similar issue where I wasn't able to connect from another container to the database using the cloudsql proxy (I was able to connect from inside cloudsql proxy using localhost, though) it is solved after I found the solution in https://groups.google.com/forum/#!topic/istio-users/-cNoLrE5904 The cloudsql proxy service port name should not be http, the problem solved after I changed it from http to db |
Any update on this? I am experiencing the same problem using the Edit:
It now prompts correctly the password after |
I confirm that solution suggested by @veryhumble works. It's actually documented at https://istio.io/blog/2018/egress-tcp/ Here is the complete configuration that works for me:
|
Hi, I am using https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory (NOT the CloudSQL Proxy). The way it worked for me was to configure the sidecas to only intercept mesh-internal traffic as described here: https://istio.io/docs/tasks/traffic-management/egress/#calling-external-services-directly However I was not able to make a successful connection to the MSQL Instance using ServiceEntries. "SSL peer shut down incorrectly" The same behaviour could be observed using a mysql client deployed in another container. I think that my ServiceEntry configuration is still wrong, but I could not figure out why. Maybe also worth mentioning: I am using the option "useSSL=false" in the jdbc connection string in the cloud-sql-jdbc library. Does anybody have an idea where the problem might be? thanks! This is the ServiceEntry configuration: apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: www.googleapis.com
# namespace: istio-example-cloud-sql
spec:
hosts:
- "*.googleapis.com"
- 169.254.169.254 # metadata.google.internal -> IP was being logged in istio-proxy with 404
ports:
- number: 443
name: https
protocol: HTTPS
# - number: 80
# name: http
# protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: cloud-sql-instance
# namespace: istio-example-cloud-sql
spec:
hosts:
# although blog article says that `hosts` field is ignored for TCP service entries,
# clients fail to establish connection when `hosts` is omitted,
# namely "curl: (56) Recv failure: Connection reset by peer"
#
# use `gcloud sql instances list` to find out the IP address of your Google Cloud Instance
- XXX.XXX.22.151
addresses:
# use `gcloud sql instances list` to find out the IP address of your Google Cloud Instance
- XXX.XXX.22.0/32 # a block of IPs in CIDR notation
ports:
- name: tcp
number: 3307 # at the moment, Google Cloud SQL always available on port 3307
protocol: tcp # enable TCP traffic
location: MESH_EXTERNAL I also tried unsuccessfully to add a VirtualService (because of the SSL /TLS handshake error) as described here https://istio.io/docs/tasks/traffic-management/egress/#configuring-istio-external-services and here #5288 apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: cloudsql-virtualservice-2
spec:
hosts:
- XXX.XXX.22.115
tls:
- match:
- port: 443
sni_hosts:
- XXX.XXX.22.115
route:
- destination:
host: XXX.XXX.22.115
port:
number: 443
weight: 100 |
UPDATE: I got it working with a slightly different configuration using jdbc Socket Factory connecting to CloudSQL Mysql 2.Gen. Difference to @yskopets @veryhumble configuration:
# Pod makes requests to `www.googleapis.com` for Authentication
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: www.googleapis.com
spec:
hosts:
- "*.googleapis.com"
- 169.254.169.254 # metadata.google.internal -> IP was being logged in istio-proxy with 404
ports:
- number: 443
name: https
protocol: HTTPS
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---
# jdbc connection to CloudSQL instance
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: cloud-sql-instance
# namespace: istio-example-cloud-sql
spec:
hosts:
# use `gcloud sql instances list` to find out the IP address of your Google Cloud Instance
- 104.155.22.115
ports:
- name: tcp
number: 3307 # at the moment, Google Cloud SQL always available on port 3307
protocol: tcp # enable TCP traffic
location: MESH_EXTERNAL
resolution: DNS |
I'm also trying to connecting from GKE to the Cloud SQL using Cloud SQL Proxy as described here. I have disabled istio mtls and configured Service Entries But I get the following message
But the same setup works without enabling istio. My istio configuration
|
@ThusharaAma your configuration for www.googleapis.com and accounts.google.com looks correct, except for the IP 169.254.169.254 - can you check it works when you remove it? Just use the host www.googleapis.com. The TCP entry for mysql is incorrect. You should either specify a CIDR block for TCP, see https://preliminary.istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance or if your mysql supports TLS, configure egress traffic for it in the same way as for www.googleapis.com. You can check if your mysql server supports TLS by running |
@danielfoehrKn I’m curious if you’re using the JDBC Socket Factory natively or as a part of the Spring Boot GCP project, which uses it under the hood. I’m having similar issues connecting a Java app to Cloud SQL in a GKE cluster with Istio 1.0.3. |
I'm working with this issue now, and it's still unclear what exactly needs to be in place for egress to work on |
@ermik The first question is if you need to direct the egress traffic thru a gateway, or you can just direct the traffic directly from the sidecar. If you need the gateway, and you want to use wildcard hosts like |
I'm having this same issue, can confirm am able to hit www.googleapis.com from the running container, but while on the sidecar, I'm unable to get a response and get this error: |
@Kampe Did you define the ServiceEntry for |
Yup here that is
|
@Kampe But in #6593 (comment) you show output of connecting to |
I have one for both at the moment, |
@Kampe Private IP may be the issue. I think there is a separate set of criteria as to how Google CloudSQL expects requests to be made to a Private IP you provision. |
I was using the Cloud SQL proxy, moving to private IP was just my workaround since it was an issue getting any egress comms out of the cluster via that sidecar in particular. I attached and tried a test of my own domain (which I have ServiceEntries for) and was unsuccessful in getting any traffic to egress out. It was almost as like the sidecar was not abiding by any of my policies at all. |
That is certainly odd, but I think as far as istio is concerned, Private IP for CloudSQL is still considered an Egress. Hopefully team will clarify. |
Any news from some of you with Istio in version 1.1 (I'm on Istio on GKE 1.1.3) and I'm trying to do the same 😅. Some solutions proposed here doesn't seem to be compatible with |
Yes I do have some news that may or may not help you resolve your issue as it's a bit different approach as I'm no longer utilizing the cloud sql proxy. I've gone ahead and utilized VPC-native (Alias IP) functionality on my GKE clusters to allow connections to Cloud SQL from GKE over private IP. Currently this is not enabled by default for GKE cluster creation, but I believe will become the default end of July 2019. My service entry from above has been changed to reflect the private IP and port of my Cloud SQL instance and I'm able to connect without issue, and the other virtual services and service entries defined above by others for http comms have been removed as we no longer needed them for authentication since we're not utilizing the cloud sql proxy sidecar. This is now all I need to facilitate traffic to my Cloud SQL instance
|
Just to add on to @Kampe's strategy - I was able to achieve the same connectivity using private IP via a private Cloud DNS entry, which offers some nice abstraction. My config looks like this for a MySQL instance: apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: staging-vpc-egress
spec:
hosts:
- "*.staging-vpc.example.com"
ports:
- number: 3306
name: tcp
protocol: TCP
location: MESH_EXTERNAL |
@Kampe I don't think listing IP address in hosts field is possible (istio version 1.1.8), how did you get around that. also do you have the case where you enable SSL on cloudSQL side? did you manage to get that done somehow? |
IP addresses are indeed not possible in newer versions |
The hosts can be whatever you like, think of it like giving the IP a DNS record. |
If it helps the ones that are stuck; using TCP connection with cloud_sql_proxy worked for me: - name: cloudsql-proxy
command: [
"-instances=<instance-name>=tcp:5432",
"-ip_address_types=PRIVATE",
"-credential_file=/secrets/cloudsql/credentials.json",
] But removing the TCP option and trying to use Unix Socket, always failed: - name: cloudsql-proxy
command: [
"/cloud_sql_proxy",
"-dir=/cloudsql",
"-instances=<instance-name>",
"-ip_address_types=PRIVATE",
"-credential_file=/secrets/cloudsql/credentials.json",
] With this error on the Cloud SQL logs:
Using both; private or public IP and with any ServiceEntry combination given on this post so far didn't work while using Unix Socket |
@vadimeisenbergibm I can confirm this works without the Is there another way to tell the sidecar to allow all egress traffic? |
@rshriram this one should be kept open. There's no defined solution for it. |
This should be kept open; there's no solution to it. |
This issue shouldn't be closed as there is no solution yet. Can someone (@vadimeisenbergibm ?) reopen? I'm currently stuck with the I'm using Istio 1.2-release on 1.13.11-gke.9
I'm also using mTLS. I'm not currently using the private IP approach - but if I we're, since I'm using mTLS in Istio, and my CloudSQL is using SSL - I'm not sure the best way to set this up? |
This issue has no valid solution atmo and should be kept open. |
sigh |
I'm quite new to Istio, but I think I kind of managed to make it work. I've created the following service entry in the namespace I'm running my service:
and then restarted Istio control plane (update: first, I assumed that restarting Pilot was enough, but it's not the case). Then after a few failures pod starts up correctly and after that new pods start up correctly with the first attempt. |
Seeing this issue as well. I'm using Private IP for Cloud SQL and VPC Alias, but have no luck getting the cloudsql-proxy to connect after installing the istio sidecar |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2019-11-21. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
Hi all We are all also facing issues using a Cloud SQL sidecar. Our pods authenticate with localhost, which uses the sidecar to talk to Cloud SQL. While it was working perfectly fine without istio, we are getting connection refused errors. Has someone a working config, preferably with mTLS? Much appreciated! |
@LucBas if using the proxy is not 100% required, just connect directly using CloudSQL Private IP (which is basically the same the Proxy does). |
Thanks for your answer! When using the CloudSQL private IP, would we still have to apply the ServiceEntry's from above? If yes, I would prefer to continue using the CloudSQL proxies for security and performance as Google states it.
|
Using the cloudsql proxy does provide the benefit of automating the SSL cert setup to your SQL instance vs directly connecting to private IP. I've been using cloudsql proxy w/ istio 1.4+ for a while now as both a deployment + sidecar approach, one of the problems that i've seen is the race condition during startup that leads to the The workaround i've been using until sidecars KEP is available is to simply use shell/curl to wait until the proxy is ready before starting up Unless you are running with a restricted mesh command: ["/bin/sh", "-c"]
args:
- |
while ! curl -s -f http://127.0.0.1:15020/healthz/ready; do sleep 5; done
exec /cloud_sql_proxy -dir=/cloudsql -term_timeout=180s
env:
- name: INSTANCES
value: PROJECT:REGION:INSTANCE=tcp:0.0.0.0:3306 Note: Recent 1.16+ proxy releases have moved to distroless/no shell so you either need to build your custom image until GoogleCloudPlatform/cloud-sql-proxy#371 or use a older image. FROM alpine:3.11.6
ENV FILE="https://storage.googleapis.com/cloudsql-proxy/v1.17/cloud_sql_proxy.linux.amd64"
RUN apk add --no-cache curl && \
curl -SL --output /cloud_sql_proxy "$FILE" && \
chmod +x /cloud_sql_proxy
CMD ["/cloud_sql_proxy"] |
@LucBas I don't use the Service Entry, there's no need to using the Private IP. There's additional security with the Proxy, which you can also configure in Cloud SQL; but I can assure you there's no additional performance. If you'd like additional performance, you'd be better using Pgbouncer instead of the Proxy. A VPC-native GKE cluster is a cluster with ip-alias enabled. |
Thanks @Dev25 - That was definitely my issue |
Leaving a checklist that probably will save few hours for someone like me.
ports:
- containerPort: 5432
type: ClusterIP # check
spec:
ports:
- name: tcp
protocol: TCP
port: 5432 # check
targetPort: 5432 # check
containers:
- command:
- /cloud_sql_proxy
- -instances=PROJECT:COMPUTE_ZONE:INSTANCE=tcp:0.0.0.0:5432 # check this: tcp:0.0.0.0: won't produce any error.
- -credential_file=/secrets/cloudsql/credentials.json
- -term_timeout=30s
- -use_http_health_check # Since 1.25.0
- -health_check_port=8090 # See: https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/main/examples/k8s-health-check/proxy_with_http_health_check.yaml |
this worked for my private instance: apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: %{service}-googleapis
spec:
hosts:
- sqladmin.googleapis.com
ports:
- number: 443
name: https
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: %{service}-postgres
spec:
hosts:
- sqladmin.googleapis.com
addresses:
- %{dbPrivateIp}
ports:
- name: tcp
number: 3307
protocol: TCP
location: MESH_EXTERNAL
I have no idea why but for my staging project it was required to add also this service entry: apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: %{service}-googleapis-internal
spec:
hosts:
- metadata.google.internal
addresses:
- 169.254.169.254
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
location: MESH_EXTERNAL
endpoints:
- address: 169.254.169.254 |
Describe the bug
Can't connect to Cloud SQL (postgres 9.6) using istio in Google Container Engine (Kubernetes). The service uses the cloudsql proxy sidecar along with istio in the same pod. Tested with a docker container with psql installed to test the connection.
In vanilla kubernetes I can connect to the database:
But, with istio I got:
In the early tries I got blocked by the container (Cloud Proxy), and trying to connect to
googleapis.com
andaccounts.google.com
Expected behavior
Successful connection to the database
Steps to reproduce the bug
$ psql -h 127.0.0.1 -U auth -d passport
Version
Is Istio Auth enabled or not?
Installing following the Quick Start page without auth enabled
$ kubectl apply -f install/kubernetes/istio-demo.yaml
Environment
Kubernetes Engine in Google Cloud
Tested with version 1.9.7 and 1.10.4-gke.2
The text was updated successfully, but these errors were encountered: