I've followed the steps at https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine to set up MySQL user accounts and service accounts. I've downloaded the JSON file containing my credentials.
My issue is that in the code I copied from the site:
- name: cloudsql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.11
command: ["/cloud_sql_proxy",
"-instances=<INSTANCE_CONNECTION_NAME>=tcp:3306",
"-credential_file=/secrets/cloudsql/credentials.json"]
securityContext:
runAsUser: 2 # non-root user
allowPrivilegeEscalation: false
volumeMounts:
- name: cloudsql-instance-credentials
mountPath: /secrets/cloudsql
readOnly: true
the path /secrets/cloudsql/credentials.json is specified and I have no idea where it's coming from.
I think I'm supposed to create the credentials as a secret via
kubectl create secret generic cloudsql-instance-credentials --from-file=k8s\secrets\my-credentials.json
But after that I have no idea what to do. How does this secret become the path /secrets/cloudsql/credentials.json
?
you have to add a volume entry under the spec like so:
Note: This belongs to the deployment spec not the container spec.
Edit: Further Information can be found here: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume thanks shalvah for pointing that out.