Connect to Cloud SQL for MySQL from Google Kubernetes Engine
This page shows you how to deploy a sample app on Google Kubernetes Engine (GKE) connected to a MySQL instance using the Cloud de Confiance console and a client application. The resources created in this quickstart typically cost less than one dollar (USD), assuming you complete the steps, including the clean up, in a timely manner.
Before you begin
- In the Cloud de Confiance console, on the project selector page, select or create a Cloud de Confiance project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Cloud de Confiance project.
- Enable the Google Cloud APIs necessary to run a Cloud SQL sample app on GKE.
Console
Click Enable APIs to enable the APIs required for this quickstart.
This enables the following APIs:
- Compute Engine API
- Cloud SQL Admin API
- Google Kubernetes Engine API
- Artifact Registry API
- Cloud Build API
gcloud
Open Cloud Shell, which provides command-line access to your Cloud de Confiance resources directly from the browser. Cloud Shell can be used to run the gcloud commands presented throughout this quickstart.
Run the gcloud services enable command as follows using Cloud Shell to enable the APIs required for this quickstart:
gcloud services enable compute.googleapis.com sqladmin.googleapis.com \
  container.googleapis.com artifactregistry.googleapis.com cloudbuild.googleapis.com
This command enables the following APIs:
- Compute Engine API
- Cloud SQL Admin API
- GKE API
- Artifact Registry API
- Cloud Build API
Set up Cloud SQL
Create a Cloud SQL instance
Create a database
Console
- In the Cloud de Confiance console, go to the Cloud SQL Instances page.
- Select quickstart-instance.
- From the SQL navigation menu, select Databases.
- Click Create database.
- In the Database name field of the Create a database dialog box, enter quickstart-db. Leave the values for the character set and collation.
- Click Create.
gcloud
Run the gcloud sql databases create command to create a database.
gcloud sql databases create quickstart-db --instance=quickstart-instance
Create a user
Console
- In the Cloud de Confiance console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
- Click Add user account.
- In the Add a user account to instance instance_name page, add the following information:
  - Username: Set to quickstart-user
  - Password: Specify a password for your database user. Make a note of this for use in a later step of this quickstart.
  - In the Host name section, the default is Allow any host, which means that the user can connect from any IP address. Optionally, select Restrict host by IP address or address range and enter an IP address or address range in the Host section. The user can then connect only from the IP address or addresses specified.
- Click Add.
gcloud
Before running the command as follows, replace DB_PASS with a password for your database user. Make a note of this for use in a later step of this quickstart.
Run the gcloud sql users create command to create the user.
gcloud sql users create quickstart-user \
  --instance=quickstart-instance \
  --password=DB_PASS
User name length limits are the same for Cloud SQL as for on-premises MySQL: 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.
Create a GKE cluster
Console
- In the Cloud de Confiance console, go to the Google Kubernetes Engine page.
- Click Create.
- Click Configure for GKE Autopilot.
- For Name, specify the cluster name as gke-cloud-sql-quickstart.
- Click Create.
gcloud
Run the gcloud container clusters create-auto command to create the cluster.
gcloud container clusters create-auto gke-cloud-sql-quickstart \
  --region us-central1
Clone a Cloud SQL sample app into Cloud Shell Editor
With a Cloud SQL instance, a database, and a GKE cluster, you can now clone and configure a sample application to connect to your Cloud SQL instance. The remaining steps in this quickstart require using the gcloud and kubectl command-line tools. Both tools are pre-installed in Cloud Shell.
Go
- In Cloud Shell Editor, open the sample app's source code.
- In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
Java
- In Cloud Shell Editor, open the sample app's source code.
- In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
Node.js
- In Cloud Shell Editor, open the sample app's source code.
- In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
Python
- In Cloud Shell Editor, open the sample app's source code.
- In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
Enable the GKE cluster
Enable the GKE cluster you just created as the default cluster to be used for the remaining commands in this quickstart.
Run the gcloud container clusters get-credentials command as follows to enable the GKE cluster.
gcloud container clusters get-credentials gke-cloud-sql-quickstart \
  --region us-central1
Set up a service account
- Run the gcloud iam service-accounts create command as follows to create a new service account:
  gcloud iam service-accounts create gke-quickstart-service-account \
    --display-name="GKE Quickstart Service Account"
- Run the gcloud projects add-iam-policy-binding command as follows to add the Cloud SQL Client role to the Cloud de Confiance by S3NS service account you just created. Replace YOUR_PROJECT_ID with the project ID.
  gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.s3ns.iam.gserviceaccount.com" \
    --role="roles/cloudsql.client"
- The sample app uses logging, so run the gcloud projects add-iam-policy-binding command as follows to add the Log Writer role to the Cloud de Confiance by S3NS service account you just created. Replace YOUR_PROJECT_ID with the project ID.
  gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.s3ns.iam.gserviceaccount.com" \
    --role="roles/logging.logWriter"
- The service account must be able to pull images from the Artifact Registry repository, so run the gcloud projects add-iam-policy-binding command as follows to add the Artifact Registry Reader role to the service account. Replace YOUR_PROJECT_ID with the project ID.
  gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.s3ns.iam.gserviceaccount.com" \
    --role="roles/artifactregistry.reader"
- Create a Kubernetes Service Account.
  - Update the service-account.yaml file in Cloud Shell Editor. Replace <YOUR-KSA-NAME> with ksa-cloud-sql.
  - Run the kubectl apply command as follows in Cloud Shell:
    kubectl apply -f service-account.yaml
- Run the gcloud iam service-accounts add-iam-policy-binding command as follows to enable IAM binding of the Cloud de Confiance by S3NS Service Account and the Kubernetes Service Account. Make the following replacements:
  - YOUR_PROJECT_ID with the project ID.
  - YOUR_K8S_NAMESPACE with default, which is the default namespace for clusters created in GKE.
  - YOUR_KSA_NAME with ksa-cloud-sql.
  gcloud iam service-accounts add-iam-policy-binding \
    --role="roles/iam.workloadIdentityUser" \
    --member="serviceAccount:YOUR_PROJECT_ID.s3ns.svc.id.goog[YOUR_K8S_NAMESPACE/YOUR_KSA_NAME]" \
    gke-quickstart-service-account@YOUR_PROJECT_ID.s3ns.iam.gserviceaccount.com
- Run the kubectl annotate command as follows to annotate the Kubernetes Service Account with IAM binding. Make the following replacements:
  - YOUR_KSA_NAME with ksa-cloud-sql.
  - YOUR_PROJECT_ID with the project ID.
  kubectl annotate serviceaccount \
    YOUR_KSA_NAME \
    iam.gke.io/gcp-service-account=gke-quickstart-service-account@YOUR_PROJECT_ID.s3ns.iam.gserviceaccount.com
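The last two steps only take effect when the member string in the IAM binding and the annotation on the Kubernetes Service Account name the same identities. The following shell functions are an added example, not part of the quickstart or its sample app; they check captured output for that agreement. The project ID example-project, the staging namespace and the gcloud/kubectl capture commands shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the quickstart: checks that the Workload Identity
# binding and the KSA annotation name the identities the steps above set up.
# Assumed ways to capture the inputs:
#   gcloud iam service-accounts get-iam-policy GSA_EMAIL \
#     --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"
#   kubectl get serviceaccount ksa-cloud-sql -n default \
#     -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}'

# IAM member string for a Kubernetes service account (format used on this page).
wi_member() {  # args: project namespace ksa
  printf 'serviceAccount:%s.s3ns.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# E-mail of the service account the quickstart creates.
gsa_email() {  # args: project
  printf 'gke-quickstart-service-account@%s.s3ns.iam.gserviceaccount.com' "$1"
}

# Reads "role member" lines on stdin. Succeeds only when the expected member
# holds roles/iam.workloadIdentityUser and no other member holds it.
check_wi_binding() {  # args: expected_member
  awk -v want="$1" '
    $1 == "roles/iam.workloadIdentityUser" {
      if ($2 == want) found = 1
      else { print "unexpected member: " $2 > "/dev/stderr"; extra = 1 }
    }
    END {
      if (!found) print "missing binding for " want > "/dev/stderr"
      exit !(found && !extra)
    }'
}

# Succeeds when the annotation value equals the expected service account e-mail.
check_annotation() {  # args: annotation_value project
  [ "$1" = "$(gsa_email "$2")" ]
}

# Constructed sample: a correct binding plus one left over from another namespace.
want=$(wi_member example-project default ksa-cloud-sql)
stale=$(wi_member example-project staging ksa-cloud-sql)
printf 'roles/iam.workloadIdentityUser\t%s\n' "$want" "$stale" |
  check_wi_binding "$want" || echo "binding needs review"
check_annotation "$(gsa_email example-project)" example-project && echo "annotation OK"
```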
Configure secrets
Run the kubectl create secret generic command as follows to create Kubernetes secrets for the database, user, and user password to be used by the sample app. The values of each secret are based on the values specified in the previous steps of this quickstart. Replace DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step.
kubectl create secret generic gke-cloud-sql-secrets \
  --from-literal=database=quickstart-db \
  --from-literal=username=quickstart-user \
  --from-literal=password=DB_PASS
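With --from-literal the password is a command-line argument, so it lands in shell history and is visible in the process list while the command runs. The following is an added example, not part of the quickstart: it renders the same gke-cloud-sql-secrets object with the password taken from stdin. The function names and the sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the quickstart: builds the gke-cloud-sql-secrets
# manifest with the password read from stdin, so it is never a command-line
# argument (visible in shell history and the process list).

# Base64-encode one value without a trailing newline or line wrapping.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# usage: render_db_secret DATABASE USERNAME < password-source
# Keys match the --from-literal names used on this page.
render_db_secret() {
  IFS= read -r db_pass || true   # accept input with or without a final newline
  if [ -z "$db_pass" ]; then
    echo "render_db_secret: empty password on stdin" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gke-cloud-sql-secrets
type: Opaque
data:
  database: $(b64 "$1")
  username: $(b64 "$2")
  password: $(b64 "$db_pass")
EOF
  unset db_pass
}

# Constructed sample password. Base64 is an encoding, not encryption, so pipe
# the rendered manifest to the cluster instead of saving or committing it:
#   render_db_secret quickstart-db quickstart-user | kubectl apply -f -
printf '%s\n' 'constructed-Pa55' | render_db_secret quickstart-db quickstart-user
```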
Build the sample app
Go
- Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
  gcloud artifacts repositories create gke-cloud-sql-repo \
    --project=YOUR_PROJECT_ID \
    --repository-format=docker \
    --location=us-central1 \
    --description="GKE Quickstart sample app"
- Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
  gcloud builds submit \
    --tag us-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql .
Java
- Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
  gcloud artifacts repositories create gke-cloud-sql-repo \
    --project=YOUR_PROJECT_ID \
    --repository-format=docker \
    --location=us-central1 \
    --description="GKE Quickstart sample app"
- Run the mvn command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
  mvn clean package com.google.cloud.tools:jib-maven-plugin:2.8.0:build \
    -Dimage=us-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql \
    -DskipTests -Djib.to.credHelper=gcloud
Node.js
- Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
  gcloud artifacts repositories create gke-cloud-sql-repo \
    --project=YOUR_PROJECT_ID \
    --repository-format=docker \
    --location=us-central1 \
    --description="GKE Quickstart sample app"
- Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
  gcloud builds submit \
    --tag us-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql .
Python
- Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
  gcloud artifacts repositories create gke-cloud-sql-repo \
    --project=YOUR_PROJECT_ID \
    --repository-format=docker \
    --location=us-central1 \
    --description="GKE Quickstart sample app"
- Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
  gcloud builds submit \
    --tag us-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql .
Deploy the sample app
Clean up
To avoid incurring charges to your Cloud de Confiance account for the resources used on this page, follow these steps.
- In the Cloud de Confiance console, go to the Cloud SQL Instances page.
- Select the quickstart-instance instance to open the Instance details page.
- In the icon bar at the top of the page, click Delete.
- In the Delete instance dialog box, type quickstart-instance, and then click Delete to delete the instance.
- In the Cloud de Confiance console, go to the Google Kubernetes Engine page.
- Click the checkbox next to the gke-cloud-sql-quickstart service name.
- Click the Delete button at the top of the Google Kubernetes Engine page.
Optional cleanup steps
If you're not using the Cloud de Confiance by S3NS service account you created for this quickstart, you can remove it.
- In the Cloud de Confiance console, go to the Service accounts page.
- Select the checkbox for the IAM account named gke-quickstart-service-account.
- Click Remove and confirm the removal.
If you're not using the APIs that were enabled as part of this quickstart, you can disable them.
APIs that were enabled within this quickstart:
- Compute Engine API
- Cloud SQL Admin API
- Google Kubernetes Engine API
- Artifact Registry API
- Cloud Build API
In the Cloud de Confiance console, go to the APIs page.
Select any API that you would like to disable and then click the Disable API button.
What's next
Based on your needs, you can learn more about creating Cloud SQL instances. You can also learn about creating MySQL users and databases for your Cloud SQL instance.
Also see the Cloud SQL pricing information.
Learn more about:
- All of the connectivity options in Cloud SQL.
- Configuring your Cloud SQL instance with a public IP address.
- Configuring your Cloud SQL instance with a private IP address.
Additionally, you can learn about connecting to a Cloud SQL instance from other Google Cloud applications: