Kubernetes:带有 gce-proxy 的 initContainer？

Question

在运行我们的应用程序之前，我需要更新我的数据库架构。为此，基于 this thread 和 this answer 我决定使用 init 容器来完成这项工作。

由于我的 SQL 实例是托管的 Google Cloud SQL 实例，因此我需要 gce-proxy 才能连接到数据库。我的 initContainers 看起来像这样:

 initContainers:
    - name: cloudsql-proxy-init
      image: gcr.io/cloudsql-docker/gce-proxy:1.09
      command: ["/cloud_sql_proxy"]
      args:
        - --dir=/cloudsql
        - -instances=xxxx:europe-west1:yyyyy=tcp:5432
        - -credential_file=/secrets/cloudsql/credentials.json
      volumeMounts:
        - name: dev-db-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
        - name: cloudsql
          mountPath: /cloudsql
    - name: liquibase
      image: eu.gcr.io/xxxxx/liquibase:v1
      imagePullPolicy: Always
      command: ["./liquibase.sh"]
      env:
        - name: DB_TYPE
          value: postgresql
        - name: DB_URL
          value: jdbc:postgresql://localhost/test
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username

但是我的 pod 卡住了:
containers with incomplete status: [cloudsql-proxy-init liquibase]
如果我查看 pod 描述:

Init Containers:
  cloudsql-proxy-init:
    Container ID:   docker://0373fa6528ec3768d46a1c59ca45f12d9fc46d1f0d199b7eb3772545701e1b1d
    Image:      gcr.io/cloudsql-docker/gce-proxy:1.09
    Image ID:       docker://sha256:66c58ef63dbfe239ff95416d62635559498ebb395abb8a4b1edee78e48e05fe4
    Port:
    Command:
      /cloud_sql_proxy
    Args:
      --dir=/cloudsql
      -instances=xxxxx:europe-west1:yyyyyy=tcp:5432
      -credential_file=/secrets/cloudsql/credentials.json
    State:      Running
      Started:      Thu, 13 Apr 2017 17:40:02 +0300
    Ready:      False
    Restart Count:  0
    Mounts:
      /cloudsql from cloudsql (rw)
      /etc/ssl/certs from ssl-certs (rw)
      /secrets/cloudsql from dev-db-instance-credentials (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-th58c (ro)
 liquibase:
    Container ID:
    Image:      eu.gcr.io/xxxxxx/liquibase:v1
    Image ID:
    Port:
    Command:
      ./liquibase.sh
    State:      Waiting
      Reason:       PodInitializing
    Ready:      False
    Restart Count:  0
    Environment:
      DB_TYPE:      postgresql
      DB_URL:       jdbc:postgresql://localhost/test
      DB_PASSWORD:  <set to the key 'password' in secret 'db-credentials'>  Optional: false
      DB_USER:      <set to the key 'username' in secret 'db-credentials'>  Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-th58c (ro)

而且似乎 cloud-sql-proxy-init 正在运行:

2017/04/13 14:40:02 using credential file for authentication; email=yyyyy@xxxxxx.iam.gserviceaccount.com
2017/04/13 14:40:02 Listening on 127.0.0.1:5432 for xxxxx:europe-west1:yyyyy
2017/04/13 14:40:02 Ready for new connections

这可能是问题所在，因为 init 容器应该退出以便初始化可以继续？那么如何从 liquibase 连接到 Google Cloud SQL 实例呢？

Answer 1

您期望 init 容器都像 pod 中的普通容器一样彼此相邻运行。

但不幸的是，当前一个容器完成时，init 容器一个接一个地启动。看
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#understanding-init-containers

Init Containers are exactly like regular Containers, except:

• They always run to completion.
• Each one must complete successfully before the next one is started.

因此，您将无法与应用程序容器一起运行代理容器。

一种解决方案是构建一个包含两个二进制文件的容器，然后使用 shell 脚本将代理置于后台并运行您的应用程序直至完成。