Keycloak docker connect to GCP cloudsql via socket

Hi. I can’t find a way to connect to GCP Cloud SQL using a socket. I was trying to provide it in DB_ADDR, but all the time I’m getting the error below. How do I provide the socket path to make it work?
I tried multiple variations with jdbc, without it, and completely different stuff, but nope.

DB_ADDR: "jdbc:mysql://<instancename>

Caused by: java.sql.SQLNonTransientConnectionException: Cannot load connection class because of underlying exception: com.mysql.cj.exceptions.WrongArgumentException: Malformed database URL, failed to parse the main URL sections.

It looks like you are using Docker (because you mentioned the Docker env variable DB_ADDR). See:

You need to specify other DB env variables to create a valid JDBC connection string to connect to - cloud-sql-jdbc-socket-factory/ at main · GoogleCloudPlatform/cloud-sql-jdbc-socket-factory · GitHub , but I would say you can create a valid socket connection string. So I would overwrite that change-database.cli with a custom script, which will create a valid JDBC socket connection string.

Of course that socket must be mounted with proper permissions in the Keycloak container.

Omg. I thought that it would be as easy as it is with other software, just provide the path and done. So from my understanding I need to rebuild the Docker image with a custom script and the Cloud SQL JDBC factory? Why is it so complicated?

Why an image rebuild? Overwrite it, e.g. -v /<path>/custom-mysql-script.cli:/opt/jboss/tools/cli/databases/mysql/change-database.cli

You can also use Docker Hub

To run custom scripts on container startup place a file in the /opt/jboss/startup-scripts directory.

And you can run your own additional custom script, which will create the proper JDBC DB config.

I would say OMG for a DB connection via socket in the container world - that’s a really old-school approach for containers. Good luck with socket file permissions, especially if your host has custom user namespaces for the containers or security profiles (AppArmor, SELinux, …). OMG^2.
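One way to do what the reply describes with a startup script instead of an image rebuild, as an added example that is not from this thread or from the Keycloak project. It assumes the legacy jboss/keycloak image layout (the KeycloakDS datasource and jboss-cli.sh under JBOSS_HOME), the Cloud SQL JDBC socket factory on the classpath with its unixSocketPath option, and a socket mounted under /cloudsql; the instance name and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Keycloak project. Assumes the
# legacy jboss/keycloak image (KeycloakDS datasource, jboss-cli.sh) and the
# Cloud SQL JDBC socket factory on the classpath with its unixSocketPath option.
set -eu

# Placeholders (constructed): instance connection name and socket mount dir.
CLOUDSQL_INSTANCE="${CLOUDSQL_INSTANCE:-my-project:europe-west1:my-instance}"
CLOUDSQL_SOCKET_DIR="${CLOUDSQL_SOCKET_DIR:-/cloudsql}"
DB_DATABASE="${DB_DATABASE:-keycloak}"
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss/keycloak}"

# Fail early with a readable reason instead of an opaque JDBC error later:
# the path must be a socket that this container's uid can read and write.
check_socket() {
  if [ ! -S "$1" ]; then
    echo "not a socket: $1" >&2; return 1
  fi
  if [ ! -r "$1" ] || [ ! -w "$1" ]; then
    echo "socket not accessible by uid $(id -u): $1" >&2; return 1
  fi
}

# Build the socket-based JDBC URL ($1 instance, $2 socket dir, $3 database).
# Credentials are kept out of the URL so they do not end up in logs or ps.
build_cloudsql_jdbc_url() {
  printf 'jdbc:mysql:///%s?cloudSqlInstance=%s&socketFactory=com.google.cloud.sql.mysql.SocketFactory&unixSocketPath=%s/%s' \
    "$3" "$1" "$2" "$1"
}

# Render a jboss-cli script that points KeycloakDS at that URL; ${env.*}
# placeholders are resolved by WildFly from the container environment.
render_cli() {
  cat <<EOF
embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url,value="$1")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name,value="\${env.DB_USER}")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password,value="\${env.DB_PASSWORD}")
stop-embedded-server
EOF
}

SOCKET="$CLOUDSQL_SOCKET_DIR/$CLOUDSQL_INSTANCE"
if check_socket "$SOCKET"; then
  url=$(build_cloudsql_jdbc_url "$CLOUDSQL_INSTANCE" "$CLOUDSQL_SOCKET_DIR" "$DB_DATABASE")
  cli=$(mktemp)
  render_cli "$url" > "$cli"
  "$JBOSS_HOME/bin/jboss-cli.sh" --file="$cli"
  rm -f "$cli"
fi
```

Dropped into /opt/jboss/startup-scripts as a .sh file, it only touches the datasource when the mounted socket is actually usable by the container user, which is exactly the permission problem the reply warns about.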

Using a serverless solution I can’t overwrite it, as there is no server with a host :slight_smile: So I need to create a custom Docker image with this script.
Using a socket in the cloud is more secure than IP, I’d say (additional security via service accounts), and we never had any issue with the Cloud SQL socket until today when trying to use it with Keycloak. So I don’t need to worry about the host, as you see :slight_smile:

Anyway, thank you for the answer. We’ll consider whether to go with Keycloak.

I’m curious, which serverless solution are you using? It can be a feature request to have some native config option for socket DB connections.

Hi, sorry for my last response, as it might have been a bit too harsh.
We are using GCP Cloud Run, where with a few clicks or one YAML line you can have a socket to connect to the Cloud SQL database.

In gen 1 it’s using gVisor, which is a sandbox for syscalls, and we had no trouble with permissions on the socket file in any of our apps. In gen 2 (beta) it’s full Linux, but for now we don’t see any trouble with the socket.

You can use a direct private or public IP with Cloud Run. Using a private IP within the VPC requires creating a serverless VPC connector, which becomes a bit pricey compared to the almost free Cloud Run when there is low traffic. That’s why we use the socket everywhere, as we don’t have any performance issues either.
