Containerized server application failing to connect to MySQL databases - mysql

I'm trying to connect my server code running as a Docker container in our Kubernetes cluster (hosted on Google Container Engine) to a Google Cloud SQL managed MySQL 5.7 instance. The issue I'm running into is that every connection is being rejected by the database server with Access denied for user 'USER'#'IP' (using password: YES). The database credentials (username, password, database name, and SSL certificates) are all correct and work when connecting via other MySQL clients or the same application running as a container on a local instance.
I've verified that all credentials are the same on the local and the server-hosted versions of the app and that the user I'm connecting with has the wildcard % host specified. Not really sure what to check next here, to be honest...
An edited version of the connection code is below:
let connectionCreds = {
host: Config.SQL.HOST,
user: Config.SQL.USER,
password: Config.SQL.PASSWORD,
database: Config.SQL.DATABASE,
charset: 'utf8mb4',
};
if (Config.SQL.SSL_ENABLE) {
connectionCreds['ssl'] = {
key: fs.readFileSync(Config.SQL.SSL_CLIENT_KEY_PATH),
cert: fs.readFileSync(Config.SQL.SSL_CLIENT_CERT_PATH),
ca: fs.readFileSync(Config.SQL.SSL_SERVER_CA_PATH)
}
}
this.connection = MySQL.createConnection(connectionCreds);
Additional information: the server application is built in Node using the mysql2 library to connect to the database. There are no special firewall rules in place that are causing network issues, and that's confirmed by the fact that the library IS connecting, but failing to authenticate.

After setting up Cloud SQL Proxy I managed to figure out what the actual error was: somewhere between the secret and the pod configuration an extra newline was being added to the database name, causing any connection attempt to fail. With the proxy set up this was made clear because there was an actual error message to that effect displayed.
(notably all of my logging around the credentials that I was using to validate that the credentials were accurate didn't explicitly display the newline and was disguised by the fact that the console display added line breaks to wrap the display, and it happened to line up exactly with where the database name ended)

Have you read the documentation on https://cloud.google.com/sql/docs/mysql/connect-container-engine ?
In Container Engine, you need to set up a Cloud SQL Proxy container alongside your application pod and talk to it. The Cloud SQL Proxy will then make the actual call to Cloud SQL service.
If the container worked locally, I assume you have Application Default Credentials set on your development machine. It could be failing because those credentials are not on your container as a Service Account file. Try configuring a Service Account file, or create your GKE cluster with --scopes argument that gives your instances access to Cloud SQL.

Related

How do I connect to a MySQL database server running on PlanetScale with SSL from node.js on localhost?

I'm trying to connect to the MySQL server on PlanetScale, but can't as it requires SSL.
Here's their doc for that, but it's unclear what it says.
https://planetscale.com/docs/concepts/secure-connections
Here's the connection URL: DATABASE_URL='mysql://co30rXXXXXXX:pscale_pw_XXXXXXX#hoqx01444p30.us-east-4.psdb.cloud/restaurant?ssl={"rejectUnauthorized":true}'
Here's what I see from my terminal when I run yarn run migration-run
yarn run v1.22.18 $ npx prisma migrate dev Environment variables
loaded from .env Prisma schema loaded from prisma/schema.prisma
Datasource "db": MySQL database "restaurant" at
"hoqx0XXXXX.us-east-4.psdb.cloud:3306"
Error: Migration engine error: unknown error: Code: UNAVAILABLE server
does not allow insecure connections, client must use SSL/TLS
error Command failed with exit code 1. info Visit
https://yarnpkg.com/en/docs/cli/run for documentation about this
command.
Is there anyone who has tried to connect to PlanetScale DB from Node.js on localhost? I have tried some other suggestions from Stackoverflow, but don't seem to work.
?ssl={"rejectUnauthorized":false}&sslcert=/etc/ssl/certs/ca-certificates.crt
Adding these params at the end of the connection link, the issue has been fixed. :)
SSL ISSUE ON WINDOWS
If you're working on a Windows machine and using a .env file for your connection string, here is what worked for me to run locally (windows does not have a default /etc/ssl/certs/ reference as answered here).
You get your connection string from the PlanetScale console, via "overview" > "connect"
This will look something like:
DATABASE_URL='mysql://xxxxxx:*****#aws-eu-west-1.connect.psdb.cloud/dbName?ssl={"rejectUnauthorized":true}'
When plainly using this you will most likley get the follow error message (as the question states):
Code: UNAVAILABLE server does not allow insecure connections, client must use SSL/TLS
You therefore need to provide a local cert, one can be downloaded from the following trusted location:
https://curl.se/docs/caextract.html
Next, you need to save this file to a logical location on disk that can be referenced in your connection string, for example c:/temp/cacert.pem
Once saved you can then append then following to your connection string:
&sslcert=C:\\temp\\cacert.pem
Restart your server and you should be all set! 🎉
The equivelant ssl cert update in NodeJs would look as follows:
const connection = mysql.createConnection({
host: 'hostNameHere',
user: 'userNameHere',
password: 'passwordHere',
database: 'dbHere',
ssl: {
ca: fs.readFileSync('C:\\temp\\cacert.pem')
}
});

GCP Datastream Private connection - can't connect to MySQL Server

I hope you are well.
I wan't to connect Google Datastream with MySQL database hosted into Cloud SQL by using private connection.
I have conected by the public internet using Public IP but I need to connect through VPC peering for security, documentation indicates that the following should be done: https://cloud.google.com/datastream/docs/private-connectivity
I have been tring to connect across Cloud SQL Auth Proxy follow this documentation and I have already connected the proxy to Cloud SQL: https://cloud.google.com/sql/docs/mysql/connect-admin-proxy#tcp-sockets
In every occasion I see the same error, no matter what ip configure it always changes to another ip.
For example, the follow image show the perfil configuration with Cloud SQL Auth Proxy internal IP 10.128.0.2 set up.
And, when I try to test, I've seen that the MySQL IP change for 192.168.5.236
In general, this is a MySQL client-side error code. The possible causes for this error are:
MySQL Server not running, or
Firewall configuration on the Windows server blocking access on port 3306
=> To troubleshoot the given error message, please follow the below mentioned steps:
Verify MySQL server is running and use the ping command to check the client-server connectivity. For Example: ping server_ip_address
To connect to a Cloud SQL instance using private IP, the Cloud SQL Auth proxy must be on a resource with access to the same VPC network as the instance.[1]
When you start the Cloud SQL Auth proxy, to ensure it is using the private IP, please make sure to pass the flag:
-ip_address_types=PRIVATE
Also,verify the firewall configuration and make sure the port 3306 is not blocked.
You can also view the mysql config file[2] and check if there is a bind-address relevant to it. If there is a bind-address, comment it out using the # character.
[1] https://cloud.google.com/sql/docs/mysql/connect-admin-proxy#private-ip
[2] How do I find the MySQL my.cnf location
In my case I have the Cloud SLQL Proxy mounted in compute engine and Mysql in Cloud SQL.
The solution was the following:
I needed to create a ingress firewall rule allow the ip range from the Datastream Private Connection (I needed to connect Datastream across a private connection for governance) to Cloud SQL Auth Proxy IP Range in tcp:3306.
You can test your connection throght Connectivity Tests

failure to connect to Google SQL First gen (and Second gen?)

I am receiving an error when trying to load up my webpage
Failed to connect to MySQL: (2005) Unknown MySQL server host ':/cloudsql/testsite:europe-west1:testdatabase' (2)Error:
I have a Google Compute Engine VM set up with a LAMP stack (Apache/2.4.10 (Debian)/ Database client version: libmysql - 5.5.55 / PHP extension: mysqli)
I also have set up an instance on Google SQL with user credentials for aforementioned VM (i have set up both First Gen and Second Gen)
I can access both a local MySQL database on the VM as well as the Google SQL databases via phpAdmin installed locally
HOWEVER i appear to have an issue with the DB_HOST credentials in my config.php file when i run the script
path = /var/www/html/includes/config.php
I get
usually for local MYSQL databases i use
// The MySQL credentials
$CONF['host'] = 'localhost';
$CONF['user'] = 'YOURDBUSER';
$CONF['pass'] = 'YOURDBPASS';
$CONF['name'] = 'YOURDBNAME';
Documentation (and github links) recommend path
:/cloudsql/project-id:region:sql-db-instance-name
which is what i have done (see above) - but i keep getting the error message.
Am i typing the host description incorrectly? Or have i missed a configuration step?
Thanks in advance
It seems as if i have erred and that the credentials format i stated earlier are for Google App Engine
If you are on Google Compute Engine, you have two options:
Connect to the public IP address of your Cloud SQL instance. This requires you whitelist your GCE instance on the ACL for the Cloud SQL instance.
Use the Cloud SQL proxy. This is a extra daemon you run on your GCE instance that allows you to connect via TCP on localhost or a socket.

Heroku cleardb connection default addr for network unknown

I have created a free instance of Heroku cleardb instance for my app. I set the database URL as:
heroku config:set DATABASE_URL='mysql://user:pass#us-cdbr-iron-east-03.cleardb.net/heroku_database?reconnect=true'
I'm trying to connect using a Go app. But when I try to access my application, it gives the following mysql error:
default addr for network 'us-cdbr-iron-east-03.cleardb.net' unknown
I tried to set the database url with protocol and port as well:
heroku config:set DATABASE_URL='mysql://user:pass#tcp(us-cdbr-iron-east-03.cleardb.net:3306)/heroku__database?reconnect=true'
This changes the errror to:
Access denied for user
which i'm guessing is because direct access to port is disallowed. Does anybody know what is the issue here?
This is a Go specific problem. Three changes are required:
Go's sql.Open already takes scheme as its first parameter so it needs to be stripped off of DATABASE_URL.
Connection string shouldn't have any query parameters (remove ?reconnect=true).
Protocol (tcp) and port (3306 for MySQL) number are required.
Thus final database URL would be:
DATABASE_URL='user:pass#tcp(us-cdbr-iron-east-03.cleardb.net:3306)/your_heroku_database'

Cannot connect to Azure MySQL service with MySQL Workbench

I'm using MySQL Workbench on a 64bit/Win 8.1 machine to trying to connect to an Azure MySQL service, but everytime I get the following error:
Lost connection to MySQL server at 'reading authorization packet', system error:0
I followed many tutorial found ever the internet, and I also tried to disable temporarely the firewall: most of them says that the only needed parameters are:
hostname (the one given in Azure portal/MyDB/Properties)
username (the one given in Azure portal/MyDB/Properties)
(optional) password (to store in vault)
I tried also using different connection methods (Standard TCP/IP and Local socket/pipe, as suggested here) but nothing.
Can help?
I was not able to recreate your issue. Here are the steps that I tried with a MySQL database created thru the Azure portal.
Open MySql Workbench.
Setup new connection with the following settings.
Hostname: HOSTNAME
Port: PORT
Username: USERNAME
Pasword: PASSWORD
Database: DATABASE NAME
Test Connection > Succeeded.
The settings above came from portal.azure.com > MyDatabase > All settings.
One suggestion is to contact ClearDB support. You can login to ClearDB from your database's Azure dashboard by clicking on Manage Database. From there you can go to Support and log a support incident.
I was also struggling with a similar issue, as I was not able to connect my MySQL workbench with Azure VM that's running MySQL.
I've contacted the Azure support to help me out after trying it for 3-4 hrs.
They suggested me to go into network security group of that VM, and add 3306 or whatever port that your MySQL is running on our Azure to the inbound and outbound list and add the exception as All.
It helped me to connect MySQL workbench with Azure VM with MySQL on it.