
CloudFlow Client

This example demonstrates the essence of:

  • Having a MySQL client in k8s that connects to an in-cluster ssh-tunnel client and communicates with it locally as if it were the MySQL server.

It relies on:

  • Existing tunnel server & MySQL server.
  • kubectl configured to connect to your CloudFlow Project.

Script

# Produces and exports TUNNEL_CLIENT_KEY, TUNNEL_SERVER_KEY
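#######################################
# Run the tunnel image's keygen once and capture the two keys it prints.
# The output pairs a label line with the key on the following line.
# Globals:   TUNNEL_SERVER_KEY, TUNNEL_CLIENT_KEY (written and exported)
# Arguments: none
# Outputs:   a confirmation line on stdout; a diagnostic on stderr on failure
# Returns:   0 when both keys were captured, 1 otherwise
#######################################
generate_tunnel_keys() {
  local label
  # Start from empty values so the check below reflects this run only and
  # does not pass on stale keys left in the environment.
  TUNNEL_SERVER_KEY=
  TUNNEL_CLIENT_KEY=
  # IFS= keeps the key lines byte-exact (no leading/trailing whitespace trim).
  while IFS= read -r label; do
    case "${label}" in
      "SERVER (PUBLIC) KEY:") IFS= read -r TUNNEL_SERVER_KEY ;;
      "CLIENT (PRIVATE) KEY:") IFS= read -r TUNNEL_CLIENT_KEY ;;
    esac
  done < <(docker run --rm ghcr.io/section/section-secure-tunnel:sha-05d9f6a keygen)

  # Previously an unexpected keygen output format went unnoticed: the function
  # still reported success and setup_k8s_client stored empty key material.
  if [[ -z "${TUNNEL_SERVER_KEY}" || -z "${TUNNEL_CLIENT_KEY}" ]]; then
    printf 'generate_tunnel_keys: could not parse keygen output\n' >&2
    return 1
  fi

  # TUNNEL_CLIENT_KEY is private key material; once exported it is inherited
  # by every child process of this shell. TUNNEL_SERVER_KEY is not consumed by
  # this script — presumably it is installed on the tunnel server separately.
  export TUNNEL_CLIENT_KEY
  export TUNNEL_SERVER_KEY
  echo "Exported TUNNEL_CLIENT_KEY, TUNNEL_SERVER_KEY"
}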

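#######################################
# Store the tunnel client configuration in a Secret and deploy the in-cluster
# ssh-tunnel client plus a Service that exposes its local MySQL port.
# Globals:   TUNNEL_ADDRESS, TUNNEL_CLIENT_KEY, REMOTE_SERVICE_ADDRESS (read)
# Arguments: none
# Outputs:   kubectl output on stdout/stderr
# Returns:   exits the shell if a required variable is missing; otherwise the
#            status of the last kubectl call
#######################################
setup_k8s_client() {
  # Fail before touching the cluster. Without these guards an unset variable
  # became an empty Secret value and the tunnel pod only failed at runtime.
  : "${TUNNEL_ADDRESS:?setup_k8s_client: TUNNEL_ADDRESS must be set}"
  : "${TUNNEL_CLIENT_KEY:?setup_k8s_client: TUNNEL_CLIENT_KEY must be set (see generate_tunnel_keys)}"
  : "${REMOTE_SERVICE_ADDRESS:?setup_k8s_client: REMOTE_SERVICE_ADDRESS must be set}"

  # Recreate the Secret. --ignore-not-found keeps a first run quiet without
  # hiding other delete failures (permissions, unreachable cluster) the way
  # '|| true' did.
  kubectl delete secret ssh-tunnel --ignore-not-found
  # NOTE(review): --from-literal puts the private key on kubectl's argv, where
  # local process listings and shell history can see it; --from-file reading a
  # 0600 file avoids that if the operator's machine is shared.
  kubectl create secret generic ssh-tunnel \
    --from-literal=TUNNEL_ADDRESS="${TUNNEL_ADDRESS}" \
    --from-literal=TUNNEL_CLIENT_KEY="${TUNNEL_CLIENT_KEY}" \
    --from-literal=REMOTE_SERVICE_ADDRESS="${REMOTE_SERVICE_ADDRESS}"

  # The heredoc delimiter is quoted, so the $(...) references in 'args' are
  # left for Kubernetes' container-env substitution, not expanded by bash.
  kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssh-tunnel
  labels:
    app: ssh-tunnel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ssh-tunnel
  template:
    metadata:
      labels:
        app: ssh-tunnel
    spec:
      containers:
        - name: ssh-tunnel
          image: 'ghcr.io/section/section-secure-tunnel:sha-05d9f6a'
          env:
            - name: REMOTE_SERVICE_ADDRESS
              valueFrom:
                secretKeyRef:
                  name: ssh-tunnel
                  key: REMOTE_SERVICE_ADDRESS
                  optional: false
            - name: TUNNEL_ADDRESS
              valueFrom:
                secretKeyRef:
                  name: ssh-tunnel
                  key: TUNNEL_ADDRESS
                  optional: false
            - name: TUNNEL_CLIENT_KEY
              valueFrom:
                secretKeyRef:
                  name: ssh-tunnel
                  key: TUNNEL_CLIENT_KEY
                  optional: false
          # Kubernetes expands $(VAR) from the env above, so the private key
          # ends up in the container process's argv (its /proc cmdline).
          args: [
            "client",
            "$(TUNNEL_ADDRESS)",
            "key",
            "remote_user_name",
            "$(TUNNEL_CLIENT_KEY)",
            "3306:$(REMOTE_SERVICE_ADDRESS):3306"
          ]
          resources:
            requests:
              cpu: 0.5
              memory: 512Mi
            limits:
              cpu: 0.5
              memory: 512Mi
---
# Any pod that can reach this Service reaches the remote MySQL through the
# tunnel; in a shared namespace a NetworkPolicy scoped to the client workload
# is worth adding.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ssh-tunnel
  name: ssh-tunnel
spec:
  ports:
    - name: mysql
      port: 3306
      protocol: TCP
      targetPort: 3306
  selector:
    app: ssh-tunnel
EOF
}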

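#######################################
# Deploy the example MySQL client that talks to the ssh-tunnel Service.
# Globals:   MYSQL_PWD (read, optional; defaults to the example password)
# Arguments: none
# Outputs:   kubectl output on stdout/stderr
# Returns:   status of the last kubectl call
#######################################
setup_workload() {
  # The client password used to be written in clear into the Deployment
  # manifest, readable by anyone who can get the Deployment. Keep the same
  # default so existing runs behave identically, but carry it in a Secret
  # (separately RBAC-controlled) and allow MYSQL_PWD in the caller's
  # environment to override it.
  local mysql_pwd="${MYSQL_PWD:-masteruserpassword}"
  kubectl delete secret mysql-client --ignore-not-found
  kubectl create secret generic mysql-client \
    --from-literal=MYSQL_PWD="${mysql_pwd}"

  kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql-client
  labels:
    app: mysql-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql-client
  template:
    metadata:
      labels:
        app: mysql-client
    spec:
      containers:
        - name: mysql-client
          # Floating tag pulled on every start; pin a digest if reproducible
          # pods matter for this example.
          image: 'mysql:8.0'
          imagePullPolicy: Always
          env:
            - name: MYSQL_PWD
              valueFrom:
                secretKeyRef:
                  name: mysql-client
                  key: MYSQL_PWD
                  optional: false
          # Run one query through the tunnel, then keep the pod alive so the
          # result can be read with 'kubectl logs'.
          command: ["/bin/sh"]
          args: [
            "-c",
            "/usr/bin/mysql --silent --host=ssh-tunnel --user=masterusername --execute='SELECT VERSION()' && tail -f /dev/null"
          ]
          resources:
            requests:
              cpu: 0.5
              memory: 512Mi
            limits:
              cpu: 0.5
              memory: 512Mi
EOF
}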

#######################################
# Entry point: deploy the tunnel client, then the MySQL client workload.
# generate_tunnel_keys is deliberately not called here — the TUNNEL_* and
# REMOTE_SERVICE_ADDRESS variables are expected to already be in the
# environment when this script runs.
#######################################
main() {
  setup_k8s_client
  setup_workload
}

main "$@"

Log output of the resulting workload pod:

$ kubectl logs mysql-client-db67b59ff-ktzvz
8.0.28