Connect to AlloyDB with Auth Proxy from GKE

Claude Devarenne
1 min read · Feb 20, 2023

Recently, I worked on deploying applications in GCP and I explored AlloyDB. You can find more details about AlloyDB in this blog post.
When working with GCP’s Cloud SQL, I used Cloud SQL Auth Proxy. The proxy allows your application to connect to a database securely and leverages IAM. AlloyDB similarly provides AlloyDB Auth Proxy.

The application I was working with is deployed in GKE. I could not find an example of the AlloyDB Auth Proxy deployed in k8s, so I wanted to share what I did.

# config-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: alloydb-instance
data:
  INSTANCE_NAME: db-custom-4-32000
  INSTANCE_REGION: us-central1
  PROJECT_ID: proj-id

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alloydb-proxy
  name: alloydb-proxy
spec:
  selector:
    matchLabels:
      app: alloydb-proxy
  strategy: {}
  replicas: 3
  template:
    metadata:
      labels:
        app: alloydb-proxy
    spec:
      # Kubernetes service account annotated in service-account.yaml
      serviceAccountName: alloydb-access
      containers:
        - name: alloydb-proxy
          image: us.gcr.io/alloydb-connectors/alloydb-auth-proxy:1.1.0
          ports:
            - containerPort: 5432
              protocol: TCP
          envFrom:
            - configMapRef:
                name: alloydb-instance
          command:
            - "/alloydb-auth-proxy"
            # The proxy binds to 127.0.0.1 by default; listen on all
            # interfaces so the Service below can reach the listener.
            - "--address=0.0.0.0"
            - "projects/proj-id/locations/us-central1/clusters/alloydb-clstr/instances/db-custom-4-32000"
          securityContext:
            runAsNonRoot: true
          resources:
            requests:
              memory: 2Gi
              cpu: 1

# service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Workload Identity: maps this Kubernetes service account to the GCP service account
    iam.gke.io/gcp-service-account: alloydb-access@proj-id.iam.gserviceaccount.com
  name: alloydb-access

# service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: alloydb-proxy
  name: alloydb-proxy
spec:
  ports:
    - port: 5432
      protocol: TCP
      name: alloydb-proxy
      targetPort: 5432
  selector:
    app: alloydb-proxy
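
A ClusterIP Service is reachable from every pod in the cluster by default, and the proxy behind it connects to AlloyDB with the IAM identity of alloydb-access. The manifest below is an added example, not part of the original post: a NetworkPolicy that admits only pods in the same namespace carrying a hypothetical `alloydb-client: "true"` label. It assumes network policy enforcement is enabled on the GKE cluster.

```yaml
# network-policy.yaml (added example, not from the original post)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: alloydb-proxy-ingress   # hypothetical name
spec:
  # Select the proxy pods created by deployment.yaml
  podSelector:
    matchLabels:
      app: alloydb-proxy
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Assumption: client workloads are given this label; the post
        # does not define one. With no namespaceSelector, only pods in
        # the policy's own namespace can match.
        - podSelector:
            matchLabels:
              alloydb-client: "true"
      ports:
        # Only the PostgreSQL listener exposed by the proxy
        - protocol: TCP
          port: 5432
```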
