1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: <YOUR-DEPLOYMENT-NAME>
spec:
selector:
matchLabels:
app: <YOUR-APPLICATION-NAME>
template:
metadata:
labels:
app: <YOUR-APPLICATION-NAME>
spec:
containers:
- name: <YOUR-APPLICATION-NAME>
# ... other container configuration
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: <YOUR-DB-SECRET>
key: database
- name: cloud-sql-proxy
# It is recommended to use the latest version of the Cloud SQL proxy
# Make sure to update on a regular schedule!
image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version
command:
- "/cloud_sql_proxy"
# If connecting from a VPC-native GKE cluster, you can use the
# following flag to have the proxy connect over private IP
# - "-ip_address_types=PRIVATE"
# By default, the proxy will write all logs to stderr. In some
# environments, anything printed to stderr is considered an error. To
# disable this behavior and write all logs to stdout (except errors
# which will still go to stderr), use:
- "-log_debug_stdout"
# Replace DB_PORT with the port the proxy should listen on
# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
- "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
# [START cloud_sql_proxy_k8s_volume_mount]
# This flag specifies where the service account key can be found
- "-credential_file=/secrets/service_account.json"
securityContext:
# The default Cloud SQL proxy image runs as the
# "nonroot" user and group (uid: 65532) by default.
runAsNonRoot: true
volumeMounts:
- name: <YOUR-SA-SECRET-VOLUME>
mountPath: /secrets/
readOnly: true
# [END cloud_sql_proxy_k8s_volume_mount]
# Resource configuration depends on an application's requirements. You
# should adjust the following values based on what your application
# needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
# The proxy's memory use scales linearly with the number of active
# connections. Fewer open connections will use less memory. Adjust
# this value based on your application's requirements.
memory: "2Gi"
# The proxy's CPU use scales linearly with the amount of IO between
# the database and the application. Adjust this value based on your
# application's requirements.
cpu: "1"
# [START cloud_sql_proxy_k8s_volume_secret]
volumes:
- name: <YOUR-SA-SECRET-VOLUME>
secret:
secretName: <YOUR-SA-SECRET>
# [END cloud_sql_proxy_k8s_volume_secret]
|
