I have found a solution.
Deploy the proxy using the YAML below and set the deployment up as a service. Most importantly, the proxy should listen on 0.0.0.0 instead of the default 127.0.0.1. All secrets are set up as per the Google Cloud SQL documentation.
```yaml
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16;
# newer clusters need apps/v1 plus a matching spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  template:
    metadata:
      name: mysql
      labels:
        name: mysql
    spec:
      containers:
        - image: b.gcr.io/cloudsql-docker/gce-proxy:1.05
          name: cloudsql-proxy
          # tcp:0.0.0.0:3306 makes the proxy listen on all pod interfaces
          # (not just 127.0.0.1) so other pods can reach it via the Service.
          command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                    "-instances=MYSQL:ZONE:DATABASE_INSTANCE=tcp:0.0.0.0:3306",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          volumeMounts:
            - name: cloudsql-oauth-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
            - name: ssl-certs
              mountPath: /etc/ssl/certs
          ports:
            - containerPort: 3306
              name: mysql
      volumes:
        - name: cloudsql-oauth-credentials
          secret:
            secretName: cloudsql-oauth-credentials
        - name: ssl-certs
          hostPath:
            path: /etc/ssl/certs
```
The solution is a bit more expensive than having a proxy server in the same deployment as the client software, since there is an additional TCP connection.
However, there are many advantages:
- Much simpler and does not require modifying existing K8S deployment files.
- Allows you to switch the implementation to use either the MySQL Docker container or the Google Cloud SQL proxy server without any changes to the client configuration.
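An added example, not part of the original answer: a cluster-internal Service for the proxy Deployment above, plus a NetworkPolicy that limits which pods can reach the 0.0.0.0:3306 listener, since the proxy forwards connections using the mounted service-account credentials. The pod label `name: mysql` comes from the manifest above; the Service name `mysql`, the policy name and the client label `cloudsql-client: "true"` are assumptions.

```yaml
# Service in front of the proxy pods. ClusterIP keeps it reachable only
# from inside the cluster (no NodePort or external load balancer).
apiVersion: v1
kind: Service
metadata:
  name: mysql                 # assumed name; clients connect to mysql:3306
spec:
  type: ClusterIP
  selector:
    name: mysql               # pod label from the Deployment above
  ports:
    - name: mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
---
# Because the proxy now listens on all interfaces, every pod that can route
# to it can open a Cloud SQL connection through it. This policy allows
# ingress to the proxy pods only from pods carrying the client label.
# NetworkPolicy is only enforced when the cluster's network plugin supports
# it (on GKE, network policy enforcement has to be enabled).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloudsql-proxy-ingress   # assumed name
spec:
  podSelector:
    matchLabels:
      name: mysql                # applies to the proxy pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Matches pods in the same namespace as this policy only.
        - podSelector:
            matchLabels:
              cloudsql-client: "true"   # assumed label; add it to client pods
      ports:
        - protocol: TCP
          port: 3306
```

Database users still authenticate to MySQL with their own credentials; the policy only narrows which workloads can reach the proxy port at all.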