Connect to Cloud SQL for MySQL from Google Kubernetes Engine

This page shows you how to deploy a sample app on Google Kubernetes Engine (GKE) connected to a MySQL instance using the Google Cloud console and a client application. The resources created in this quickstart typically cost less than one dollar (USD), assuming you complete the steps, including the clean up, in a timely manner.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the Google Cloud APIs necessary to run a Cloud SQL sample app on GKE.
Console
Click Enable APIs to enable the APIs required for this quickstart.
Enable APIs
This enables the following APIs:
- Compute Engine API
- Cloud SQL Admin API
- Google Kubernetes Engine API
- Artifact Registry API
- Cloud Build API
gcloud
Click the following button to open Cloud Shell, which provides command-line access to your Google Cloud resources directly from the browser. Cloud Shell can be used to run the gcloud commands presented throughout this quickstart.
Open Cloud Shell
Run the gcloud services enable command as follows using Cloud Shell to enable the APIs required for this quickstart.:
gcloudservicesenablecompute.googleapis.comsqladmin.googleapis.com\container.googleapis.comartifactregistry.googleapis.comcloudbuild.googleapis.com
This command enables the following APIs:
- Compute Engine API
- Cloud SQL Admin API
- GKE API
- Artifact Registry API
- Cloud Build API

Set up Cloud SQL

Create a Cloud SQL instance

Public IP

Console

Create an instance with a public IP address

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
Click Create Instance.
Click MySQL.
Enter quickstart-instance for Instance ID.
Enter a password for the root user. Save this password for future use.
Click the Single zone option for Choose region and zonal availability.
Click and expand the Show Configurations section.
In the Machine Type drop-down menu, select Lightweight.
Click Create Instance and wait until the instance initializes and starts.

gcloud

Create an instance with a public IP address

Before running the gcloud sql instances create command as follows, replace DB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

--database_version: The database engine type and version. If left unspecified, the API default is used. See the gcloud database versions documentation to see the currently available versions.
--cpu: The number of cores desired in the machine.
--memory: Whole number value indicating how much memory is desired in the machine. A size unit should be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
--region: Regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default us-central is used. See the full list of regions.

Run the gcloud sql instances create command to create a Cloud SQL instance.

gcloudsqlinstancescreatequickstart-instance\ --database-version=MYSQL_8_0\ --cpu=1\ --memory=4GB\ --region=us-central1\ --root-password=DB_ROOT_PASSWORD

Private IP

Console

Create an instance with a private IP address and SSL enabled

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
Click Create instance.
Click MySQL.
Enter quickstart-instance for Instance ID.
Enter a password for the root user. Save this password for future use.
Click the Single zone option for Choose region and zonal availability.
Click and expand Show configuration options.
For Machine Type, select Lightweight.
In Connections, select Private IP.
Select default in the Network drop-down menu.
If you see a dialog stating Private services access connection required, click the Set Up Connection button.

In the Enable Service Networking API dialog, click the Enable API button.
In the Allocate an IP range dialog, select Use an automatically allocated IP range and click Continue.
In the Create a connection dialog, click Create Connection.

Clear the Public IP checkbox to create an instance only with a private IP.
Click Create instance and then wait for the instance to initialize and start.
Click Connections.
In the Security section, select Allow only SSL connections to enable SSL connections.
In the Enable SSL dialog, click Enable and restart and then wait for the instance to restart.

gcloud

Create an instance with a private IP address and SSL enabled

Creating an instance with a private IP address only requires configuring private services access to enable connections from other Google Cloud services, such as GKE.

Run the gcloud compute addresses create command to allocate an IP range for a private services access connection:

gcloudcomputeaddressescreategoogle-managed-services-default\ --global\ --purpose=VPC_PEERING\ --prefix-length=16\ --description="peering range for Google"\ --network=default

Run the gcloud services vpc-peerings connect command to create the private services access connection:

gcloudservicesvpc-peeringsconnect\ --service=servicenetworking.googleapis.com\ --ranges=google-managed-services-default\ --network=default

Before running the gcloud sql instances create command to create an instance as follows, replace DB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

--database_version: The database engine type and version. If left unspecified, the API default is used. See gcloud database versions for a list of currently available versions.
--cpu: The number of cores in the machine.
--memory: A whole number indicating how much memory to include in the machine. A size unit can be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
--region: The regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default us-central1 is used. See the full list of regions.

Run the gcloud sql instances create command to create a Cloud SQL instance with a private IP address.

gcloudbetasqlinstancescreatequickstart-instance\ --database-version=MYSQL_8_0\ --cpu=1\ --memory=4GB\ --region=us-central1\ --root-password=DB_ROOT_PASSWORD\ --no-assign-ip\ --network=default

Run the gcloud sql instances patch command to allow only SSL connections for the instance.

gcloudsqlinstancespatchquickstart-instance--require-ssl

Create a database

Console

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
Select quickstart-instance.
From the SQL navigation menu, select Databases.
Click Create database.

In the Database name field of the Create a database dialog box, enter quickstart-db. Leave the values for the character set and collation.
Click Create.

gcloud

Run the gcloud sql databases create command to create a database.

gcloudsqldatabasescreatequickstart-db--instance=quickstart-instance

Create a user

Console

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Users from the SQL navigation menu.
Click Add user account.

In the Add a user account to instance instance_name page, add the following information:
- Username: Set to quickstart-user
- Password: Specify a password for your database user. Make a note of this for use in a later step of this quickstart.
- In the Host name section, the default is Allow any host, which means that the user can connect from any IP address.
  Optionally, select Restrict host by IP address or address range and enter an IP address or address range in the Host section. The user can then connect only from the IP address or addresses specified.

Click Add.

gcloud

Before running the command as follows, replace DB_PASS with a password for your database user. Make a note of this for use in a later step of this quickstart.

Run the gcloud sql users create command to create the user.

gcloudsqluserscreatequickstart-user\ --instance=quickstart-instance\ --password=DB_PASS

User name length limits are the same for Cloud SQL as for on-premises MySQL; 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.

Create a GKE cluster

Console

In the Google Cloud console, go to the Google Kubernetes Engine page.
Go to Google Kubernetes Engine
Click Create.
Click Configure for GKE Autopilot.
For Name, specify the cluster name as gke-cloud-sql-quickstart.
Click Create.

gcloud

Run the gcloud container clusters create-auto command to create the cluster.

gcloudcontainerclusterscreate-autogke-cloud-sql-quickstart\--regionus-central1

Clone a Cloud SQL sample app into Cloud Shell Editor

With a Cloud SQL instance, a database, and a GKE cluster, you can now clone and configure a sample application to connect to your Cloud SQL instance. The remaining steps in this quickstart require using the gcloud and kubectl command-line tools. Both tools are pre-installed in Cloud Shell.

Go

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.

Java

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.

Node.js

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.

Python

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.

Enable the GKE cluster

Enable the GKE cluster you just created as the default cluster to be used for the remaining commands in this quickstart.

Run the gcloud container clusters get-credentials command as follows to enable the GKE cluster.

gcloudcontainerclustersget-credentialsgke-cloud-sql-quickstart\--regionus-central1

Set up a service account

Create and configure a Google Cloud service account to be used by GKE so that it has the Cloud SQL Client role with permissions to connect to Cloud SQL.

Run the gcloud iam service-accounts create command as follows to create a new service account:

gcloudiamservice-accountscreategke-quickstart-service-account\--display-name="GKE Quickstart Service Account"

Run the gcloud projects add-iam-policy-binding command as follows to add the Cloud SQL Client role to the Google Cloud service account you just created. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudprojectsadd-iam-policy-bindingYOUR_PROJECT_ID\--member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com"\--role="roles/cloudsql.client"
```
The sample app uses logging, so run the gcloud projects add-iam-policy-binding command as follows to add the Log Writer role to the Google Cloud service account you just created. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudprojectsadd-iam-policy-bindingYOUR_PROJECT_ID\--member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com"\--role="roles/logging.logWriter"
```
The service account must be able to pull images from the artifactory repository, so run the
gcloud projects add-iam-policy-binding command as follows to add the Artifact Registry Reader role to the service account. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudprojectsadd-iam-policy-bindingYOUR_PROJECT_ID\--member="serviceAccount:gke-quickstart-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com"\--role="roles/artifactregistry.reader"
```

Create a Kubernetes service account configured to have access to Cloud SQL by binding it to the Google Cloud service account using Workload Identity Federation for GKE.

Create a Kubernetes Service Account.
1. Update the service-account.yaml file in Cloud Shell Editor. Replace <YOUR-KSA-NAME> with ksa-cloud-sql.
2. Run the kubectl apply command as follows in Cloud Shell:
```
kubectlapply-fservice-account.yaml
```
Run the gcloud iam service-accounts add-iam-policy-binding command as follows to enable IAM binding of the Google Cloud Service Account and the Kubernetes Service Account. Make the following replacements:
- YOUR_PROJECT_ID with the project ID.
- YOUR_K8S_NAMESPACE with default, which is the default namespace for clusters created in GKE.
- YOUR_KSA_NAME with ksa-cloud-sql.
```
gcloudiamservice-accountsadd-iam-policy-binding\--role="roles/iam.workloadIdentityUser"\--member="serviceAccount:YOUR_PROJECT_ID.svc.id.goog[YOUR_K8S_NAMESPACE/YOUR_KSA_NAME]"\gke-quickstart-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com
```
Run the kubectl annotate command as follows to annotate the Kubernetes Service Account with IAM binding. Make the following replacements:
- YOUR_KSA_NAME with ksa-cloud-sql.
- YOUR_PROJECT_ID with the project ID.
```
kubectlannotateserviceaccount\YOUR_KSA_NAME\iam.gke.io/gcp-service-account=gke-quickstart-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com
```

Configure secrets

Run the kubectl create secret generic command as follows to create Kubernetes secrets for the database, user, and user password to be used by the sample app. The values of each secret are based on the values specified in the previous steps of this quickstart. Replace DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step.

kubectlcreatesecretgenericgke-cloud-sql-secrets\--from-literal=database=quickstart-db\--from-literal=username=quickstart-user\--from-literal=password=DB_PASS

Build the sample app

Go

Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudartifactsrepositoriescreategke-cloud-sql-repo\--project=YOUR_PROJECT_ID\--repository-format=docker\--location=us-central1\--description="GKE Quickstart sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudbuildssubmit\--tagus-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql.
```

Java

Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudartifactsrepositoriescreategke-cloud-sql-repo\--project=YOUR_PROJECT_ID\--repository-format=docker\--location=us-central1\--description="GKE Quickstart sample app"
```

Run the mvn command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.

mvncleanpackagecom.google.cloud.tools:jib-maven-plugin:2.8.0:build\-Dimage=us-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql\-DskipTests-Djib.to.credHelper=gcloud

Node.js

Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudartifactsrepositoriescreategke-cloud-sql-repo\--project=YOUR_PROJECT_ID\--repository-format=docker\--location=us-central1\--description="GKE Quickstart sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudbuildssubmit\--tagus-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql.
```

Python

Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named gke-cloud-sql-repo in the same region as your cluster. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudartifactsrepositoriescreategke-cloud-sql-repo\--project=YOUR_PROJECT_ID\--repository-format=docker\--location=us-central1\--description="GKE Quickstart sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with the project ID.
```
gcloudbuildssubmit\--tagus-central1-docker.pkg.dev/YOUR_PROJECT_ID/gke-cloud-sql-repo/gke-sql.
```

Deploy the sample app

Public IP

With the sample app configuration in place, you can now deploy the sample app.

Go

The deployed sample app connects to your Cloud SQL instance using the Cloud SQL proxy running in a Kubernetes sidecar pattern. The sidecar pattern is accomplished by deploying a workload with an additional container that shares the same Kubernetes pod as the sample app's container.

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements:

<YOUR_KSA_NAME> with ksa-cloud-sql.
<LOCATION> with us-central1.
<YOUR_PROJECT_ID> with the project ID.
<YOUR-DB-SECRET> with gke-cloud-sql-secrets.
<INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"# This project uses environment variables to determine# how you would like to run your application# To use the Go Connector (recommended) - use INSTANCE_CONNECTION_NAME (proj:region:instance)# To use TCP - Setting INSTANCE_HOST will use TCP (e.g., 127.0.0.1)# To use Unix, use INSTANCE_UNIX_SOCKET (e.g., /cloudsql/proj:region:instance)-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"# For Automatic IAM Authentication with the Go Connector# use DB_IAM_USER instead of DB_USER (recommended)# You may also remove the DB_PASS environment variable if# you use Automatic IAM Authentication-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database# If you are using the Go Connector (recommended), you can# remove cloud-sql-proxy (everything below this line)-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL Proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxyimage:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Java

The deployed sample app connects to your Cloud SQL instance using the Cloud SQL Java connector.

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements:

<YOUR_KSA_NAME> with ksa-cloud-sql.
<LOCATION> with us-central1.
<YOUR_PROJECT_ID> with the project ID.
<YOUR-DB-SECRET> with gke-cloud-sql-secrets.
<INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:# For more information about using Kubernetes service accounts see: # https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accountsserviceAccountName:<YOUR-KSA-NAME># TODO(developer): replace this value.containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"-name:INSTANCE_CONNECTION_NAMEvalue:<INSTANCE_CONNECTION_NAME> -name:DB_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Node.js

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements:

<YOUR_KSA_NAME> with ksa-cloud-sql.
<LOCATION> with us-central1.
<YOUR_PROJECT_ID> with the project ID.
<YOUR-DB-SECRET> with gke-cloud-sql-secrets.
<INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxy image:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

cloud-sql/mysql/mysql/deployment.yaml

Python

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements:

<YOUR_KSA_NAME> with ksa-cloud-sql.
<LOCATION> with us-central1.
<YOUR_PROJECT_ID> with the project ID.
<YOUR-DB-SECRET> with gke-cloud-sql-secrets.
<INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"# This project uses environment variables to determine# how you would like to run your application# To use the Python Connector (recommended) - use INSTANCE_CONNECTION_NAME (proj:region:instance)# To use TCP - Setting INSTANCE_HOST will use TCP (e.g., 127.0.0.1)# To use Unix, use INSTANCE_UNIX_SOCKET (e.g., /cloudsql/proj:region:instance)-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"# For Automatic IAM Authentication with the Python Connector# use DB_IAM_USER instead of DB_USER (recommended)# You may also remove the DB_PASS environment variable if# you use Automatic IAM Authentication-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database# If you are using the Python Connector (recommended), you can# remove cloud-sql-proxy (everything below this line)-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL Proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxy image:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Private IP

With the sample app configuration in place, you can now deploy the sample app.

Go

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements and edits:

Replace <YOUR_KSA_NAME> with ksa-cloud-sql.
Replace <LOCATION> with us-central1.
Replace <YOUR_PROJECT_ID> with the project ID.
Replace <YOUR-DB-SECRET> with gke-cloud-sql-secrets.
Replace <INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.
Enable the Cloud SQL Auth proxy to connect to your Cloud SQL instance using its private IP address. Uncomment the "-ip_address_types=PRIVATE" flag by removing the # comment symbol and its trailing white space. The uncommented flag should look like this:
```
-"-ip_address_types=PRIVATE"
```

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"# This project uses environment variables to determine# how you would like to run your application# To use the Go Connector (recommended) - use INSTANCE_CONNECTION_NAME (proj:region:instance)# To use TCP - Setting INSTANCE_HOST will use TCP (e.g., 127.0.0.1)# To use Unix, use INSTANCE_UNIX_SOCKET (e.g., /cloudsql/proj:region:instance)-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"# For Automatic IAM Authentication with the Go Connector# use DB_IAM_USER instead of DB_USER (recommended)# You may also remove the DB_PASS environment variable if# you use Automatic IAM Authentication-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database# If you are using the Go Connector (recommended), you can# remove cloud-sql-proxy (everything below this line)-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL Proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxyimage:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Java

The deployed sample app connects to your Cloud SQL instance using the Cloud SQL Java connector.

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements:

<YOUR_KSA_NAME> with ksa-cloud-sql.
<LOCATION> with us-central1.
<YOUR_PROJECT_ID> with the project ID.
<YOUR-DB-SECRET> with gke-cloud-sql-secrets.
<INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:# For more information about using Kubernetes service accounts see: # https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accountsserviceAccountName:<YOUR-KSA-NAME># TODO(developer): replace this value.containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"-name:INSTANCE_CONNECTION_NAMEvalue:<INSTANCE_CONNECTION_NAME> -name:DB_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Node.js

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements and edits:

Replace <YOUR_KSA_NAME> with ksa-cloud-sql.
Replace <LOCATION> with us-central1.
Replace <YOUR_PROJECT_ID> with the project ID.
Replace <YOUR-DB-SECRET> with gke-cloud-sql-secrets.
Replace <INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.
Enable the Cloud SQL Auth proxy to connect to your Cloud SQL instance using its private IP address. Uncomment the "-ip_address_types=PRIVATE" flag by removing the # comment symbol and its trailing white space. The uncommented flag should look like this:
```
-"-ip_address_types=PRIVATE"
```

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxy image:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

cloud-sql/mysql/mysql/deployment.yaml

Python

Get the Cloud SQL instance connection name by running the gcloud sql instances describe command:
```
gcloudsqlinstancesdescribequickstart-instance--format='value(connectionName)'
```

Update the deployment.yaml file in Cloud Shell Editor. Make the following replacements and edits:

Replace <YOUR_KSA_NAME> with ksa-cloud-sql.
Replace <LOCATION> with us-central1.
Replace <YOUR_PROJECT_ID> with the project ID.
Replace <YOUR-DB-SECRET> with gke-cloud-sql-secrets.
Replace <INSTANCE_CONNECTION_NAME> with the Cloud SQL instance connection name retrieved from the gcloud command on the previous step. The format is project_id:region:instance_name. The instance connection name is also visible in the Cloud SQL instance Overview page.
Enable the Cloud SQL Auth proxy to connect to your Cloud SQL instance using its private IP address. Uncomment the "-ip_address_types=PRIVATE" flag by removing the # comment symbol and its trailing white space. The uncommented flag should look like this:
```
-"-ip_address_types=PRIVATE"
```

apiVersion:apps/v1kind:Deploymentmetadata:name:gke-cloud-sql-quickstartspec:selector:matchLabels:app:gke-cloud-sql-apptemplate:metadata:labels:app:gke-cloud-sql-appspec:serviceAccountName:<YOUR-KSA-NAME> containers:-name:gke-cloud-sql-app# Replace <LOCATION> with your Artifact Registry location (e.g., us-central1).# Replace <YOUR_PROJECT_ID> with your project ID.image:<LOCATION>-docker.pkg.dev/<YOUR_PROJECT_ID>/gke-cloud-sql-repo/gke-sql:latest# This app listens on port 8080 for web traffic by default.ports:-containerPort:8080env:-name:PORTvalue:"8080"# This project uses environment variables to determine# how you would like to run your application# To use the Python Connector (recommended) - use INSTANCE_CONNECTION_NAME (proj:region:instance)# To use TCP - Setting INSTANCE_HOST will use TCP (e.g., 127.0.0.1)# To use Unix, use INSTANCE_UNIX_SOCKET (e.g., /cloudsql/proj:region:instance)-name:INSTANCE_HOSTvalue:"127.0.0.1"-name:DB_PORTvalue:"3306"# For Automatic IAM Authentication with the Python Connector# use DB_IAM_USER instead of DB_USER (recommended)# You may also remove the DB_PASS environment variable if# you use Automatic IAM Authentication-name:DB_USERvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:username-name:DB_PASSvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:password-name:DB_NAMEvalueFrom:secretKeyRef:name:<YOUR-DB-SECRET> key:database# If you are using the Python Connector (recommended), you can# remove cloud-sql-proxy (everything below this line)-name:cloud-sql-proxy# This uses the latest version of the Cloud SQL Proxy# It is recommended to use a specific version for production environments.# See: https://github.com/GoogleCloudPlatform/cloudsql-proxy image:gcr.io/cloud-sql-connectors/cloud-sql-proxy:latestargs:# If connecting from a VPC-native GKE cluster, you can use the# following flag to have the proxy connect over private IP# - "--private-ip"# If you are not connecting with Automatic IAM, you can delete# the following flag.-"--auto-iam-authn"# tcp should be set to the port the proxy should listen on# and should match the DB_PORT value set above.# Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433-"--port=3306"-"<INSTANCE_CONNECTION_NAME>"securityContext:# The default Cloud SQL proxy image runs as the# "nonroot" user and group (uid: 65532) by default.runAsNonRoot:true

Run the kubectl apply command as follows in Cloud Shell to deploy the sample app:
```
kubectlapply-fdeployment.yaml
```
Run the kubectl apply command as follows to add a load balancer in front of the deployment, so that you can access it through the internet:
```
kubectlapply-fservice.yaml
```
Run the kubectl get command as follows to get the service details:
```
kubectlgetservices
```
Copy the External IP address once it becomes available in the service details, which may take a few minutes.
View the deployed sample app. Open a browser window and go to the service's External IP address.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
Select the quickstart-instance instance to open the Instance details page.
In the icon bar at the top of the page, click Delete.
In the Delete instance dialog box, type quickstart-instance, and then click Delete to delete the instance.
In the Google Cloud console, go to the Google Kubernetes Engine page.
Go to Google Kubernetes Engine
Click the checkbox next to the gke-cloud-sql-quickstart service name.
Click the Delete button at the top of the Google Kubernetes Engine page.

Optional cleanup steps

If you're not using the Google Cloud service account you created for this quickstart, you can remove it.

In the Google Cloud console, go to the IAM page.
Go to IAM
Select the checkbox for the IAM account named gke-quickstart-service-account.
Click Remove and confirm the removal.

If you're not using the APIs that were enabled as part of this quickstart, you can disable them.

APIs that were enabled within this quickstart:
- Compute Engine API
- Cloud SQL Admin API
- Google Kubernetes Engine API
- Artifact Registry API
- Cloud Build API

In the Google Cloud console, go to the APIs page.
Go to APIs
Select any API that you would like to disable and then click the Disable API button.

What's next

Based on your needs, you can learn more about creating Cloud SQL instances.

You also can learn about creating MySQL users and databases for your Cloud SQL instance.

Also see the Cloud SQL pricing information.

Learn more about:

All of the connectivity options in Cloud SQL.
Configuring your Cloud SQL instance with a public IP address.
Configuring your Cloud SQL instance with a private IP address.

Additionally, you can learn about connecting to a Cloud SQL instance from other Google Cloud applications: