
So for some reason I'm not able to connect to the SQL instance via the cloud_sql_proxy.


I've tried doing a telnet 127.0.0.1 3306 on the wordpress container (via kubectl exec ...):

bash-4.3# telnet 127.0.0.1 3306
Connection closed by foreign host

Even if I kubectl exec.. into the cloudsql-proxy container I get the same behavior as above.

However doing this locally works fine.


How could I diagnose this issue, and what may be the cause?


Here is my container config (within a deployment):

containers:
    - image: eu.gcr.io/abcxyz/wordpress:initial
      name: wordpress
      imagePullPolicy: "Always"
      env:
        - name: WORDPRESS_HOST
          value: localhost
        - name: WORDPRESS_DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: cloudsql-db-credentials
              key: username
      volumeMounts:
        - name: wordpress-persistent-storage
          mountPath: /var/www/html
    - image: eu.gcr.io/abcxyz/nginx:initial
      name: nginx
      imagePullPolicy: "Always"
      ports:
        - containerPort: 80
          name: nginx
      volumeMounts:
        - name: wordpress-persistent-storage
          mountPath: /var/www/html
    - image: gcr.io/cloudsql-docker/gce-proxy:1.09
      name: cloudsql-proxy
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                "-instances=abcxyz:europe-west1:wordpressdb=tcp:3306",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
        - name: cloudsql
          mountPath: /cloudsql

If I get the logs from the cloudsql-proxy, I see the following:

   2017/08/11 12:55:03 New connection for "abcxyz:europe-west1:wordpressdb"
   2017/08/11 12:55:03 couldn't connect to "abcxyz:europe-west1:wordpressdb": ensure that the account has access to "abcxyz:europe-west1:wordpressdb" (and make sure there's no typo in that name). Error during createEphemeral for abcxyz:europe-west1:wordpressdb: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

The service account in question does have the Cloud SQL Admin permission.

1 Answer

I needed to add the Cloud SQL Client permission to the service account.

Update: I've run into this issue again, and for some reason a service account would keep running into the above error. I had to create another service account which worked...
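An added example, not part of the original question or answer: an offline check that the identity inside the mounted `credentials.json` is the same account that holds the Cloud SQL Client role (`roles/cloudsql.client`) in the project named by the instance string. The function name `diagnose`, the service-account e-mails and the sample policy are constructed for illustration.

```python
import json

# Role ID of "Cloud SQL Client", the role the answer had to add.
REQUIRED_ROLE = "roles/cloudsql.client"

def diagnose(instance, key_json, policy_json, required_role=REQUIRED_ROLE):
    """Return findings that can explain a 403 notAuthorized from the proxy."""
    project = instance.split(":")[0]  # connection name is project:region:instance
    key = json.loads(key_json)
    member = "serviceAccount:" + key["client_email"]
    policy = json.loads(policy_json)
    # Roles bound to exactly the account whose key the proxy is using.
    roles = sorted(b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", []))
    findings = []
    if key.get("type") != "service_account":
        findings.append("key file is not a service-account key")
    if key.get("project_id") != project:
        findings.append(f"key was created in project {key.get('project_id')!r}; "
                        f"the role must be granted in {project!r}")
    if required_role not in roles:
        findings.append(f"{member} lacks {required_role} "
                        f"(has: {roles or 'no roles'})")
    return findings

# Constructed sample data (hypothetical accounts, not from the original post).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "abcxyz",
    "client_email": "wp-proxy@abcxyz.iam.gserviceaccount.com",
})
SAMPLE_POLICY = json.dumps({"bindings": [
    # Admin role is bound to a different account than the one in the key file.
    {"role": "roles/cloudsql.admin",
     "members": ["serviceAccount:wp-admin@abcxyz.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:wp-proxy@abcxyz.iam.gserviceaccount.com"]},
]})

if __name__ == "__main__":
    result = diagnose("abcxyz:europe-west1:wordpressdb", SAMPLE_KEY, SAMPLE_POLICY)
    for line in result or ["identity and role binding look consistent"]:
        print(line)
```

For a real check, feed it the contents of the mounted key file and the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.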
