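# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# You must configure probes in your deployment to use health checks in Kubernetes.
# This sample configuration for HTTP probes is adapted from proxy_with_workload_identity.yaml.
#
# Every value in angle brackets (<...>) is a placeholder that must be replaced
# before the manifest is applied. <YOUR-HEALTH-CHECK-PORT> appears in four
# places (the -health_check_port flag and the three probes) and must be the
# same value in all of them, otherwise the probes never reach the proxy's
# health check server and the pod is restarted / never becomes ready.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <YOUR-DEPLOYMENT-NAME>
spec:
  selector:
    matchLabels:
      app: <YOUR-APPLICATION-NAME>
  template:
    metadata:
      labels:
        app: <YOUR-APPLICATION-NAME>
    spec:
      containers:
        - name: <YOUR-APPLICATION-NAME>
          # ... other container configuration
          # Database credentials are read from a Secret so that nothing
          # sensitive is written into the manifest itself.
          env:
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: <YOUR-DB-SECRET>
                  key: username
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: <YOUR-DB-SECRET>
                  key: password
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: <YOUR-DB-SECRET>
                  key: database
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.27.0
          command:
            - "/cloud_sql_proxy"

            # If connecting from a VPC-native GKE cluster, you can use the
            # following flag to have the proxy connect over private IP
            # - "-ip_address_types=PRIVATE"

            # Replace DB_PORT with the port the proxy should listen on
            # Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
            - "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
            # Enables HTTP health checks.
            - "-use_http_health_check"
            # Specifies the health check server port.
            # Defaults to 8090. The livenessProbe, readinessProbe and
            # startupProbe below must target this same port.
            - "-health_check_port=<YOUR-HEALTH-CHECK-PORT>"
            # This flag specifies where the service account key can be found
            - "-credential_file=/secrets/service_account.json"
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            # The service account key is mounted read-only from the Secret
            # volume declared under spec.volumes below.
            - name: <YOUR-SA-SECRET-VOLUME>
              mountPath: /secrets/
              readOnly: true
          # Resource configuration depends on an application's requirements. You
          # should adjust the following values based on what your application
          # needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
          resources:
            requests:
              # The proxy's memory use scales linearly with the number of active
              # connections. Fewer open connections will use less memory. Adjust
              # this value based on your application's requirements.
              memory: "2Gi"
              # The proxy's CPU use scales linearly with the amount of IO between
              # the database and the application. Adjust this value based on your
              # application's requirements.
              cpu: "1"
          # Recommended configurations for health check probes.
          # Probe parameters can be adjusted to best fit the requirements of your application.
          # For details, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
          livenessProbe:
            httpGet:
              path: /liveness
              # Must be the same value as the -health_check_port flag above.
              port: <YOUR-HEALTH-CHECK-PORT>
            # Number of seconds after the container has started before the first probe is scheduled. Defaults to 0.
            # Not necessary when the startup probe is in use.
            initialDelaySeconds: 0
            # Frequency of the probe.
            periodSeconds: 60
            # Number of seconds after which the probe times out.
            timeoutSeconds: 30
            # Number of times the probe is allowed to fail before the transition
            # from healthy to failure state.
            #
            # If periodSeconds = 60, 5 tries will result in five minutes of
            # checks. The proxy starts to refresh a certificate five minutes
            # before its expiration. If those five minutes lapse without a
            # successful refresh, the liveness probe will fail and the pod will be
            # restarted.
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /readiness
              # Must be the same value as the -health_check_port flag above.
              port: <YOUR-HEALTH-CHECK-PORT>
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 5
            # Number of times the probe must report success to transition from failure to healthy state.
            # Defaults to 1 for readiness probe.
            successThreshold: 1
            # A single failed readiness check removes the pod from Service
            # endpoints until the next successful check.
            failureThreshold: 1
          startupProbe:
            httpGet:
              path: /startup
              # Must be the same value as the -health_check_port flag above.
              port: <YOUR-HEALTH-CHECK-PORT>
            periodSeconds: 1
            timeoutSeconds: 5
            # With periodSeconds = 1 this gives the proxy up to 20 seconds to
            # start before the container is restarted; liveness and readiness
            # probes only begin once this probe has succeeded.
            failureThreshold: 20
      volumes:
        - name: <YOUR-SA-SECRET-VOLUME>
          secret:
            secretName: <YOUR-SA-SECRET>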