Connecting to a database
Getting the connection details
For each active database, Tonic Ephemeral provides access to the connection details for the database.
On the Databases page, to display the connection details panel for the database, click the database icon for the database.
Each field includes a copy icon to allow you to copy the value to the clipboard.
Creating an SSH tunnel to a database
To create an SSH tunnel to a database from a local machine:
ssh -N -L <localport>:<database-hostname>:<database-port> <bastion-username>@<bastion-host> -p <bastion-port>
For example:
ssh -N -L 9999:svc-bd391f5270d64defb63100cc1bdaa32b:5432 jumper@db.ephemeral.tonic.ai -p 9000
In the command:
-N tells SSH to not open a shell. Ephemeral does not allow shell access.
<localport> is the port the database will be accessible at on your local machine.
The other values (<database-hostname>, <database-port>, <bastion-username>, <bastion-host>, <bastion-port>) are available from the Connection Info panel.
If the private key file is not configured in your SSH agent, then you can optionally add -i to specify the private key file.
ssh -N -L <localport>:<database-hostname>:<database-port> <bastion-username>@<bastion-host> -p <bastion-port> -i <private-key-file>
For example:
ssh -N -L 9999:svc-bd391f5270d64defb63100cc1bdaa32b:5432 jumper@db.ephemeral.tonic.ai -p 9000 -i ephemeral-key.pem
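As an added example (not part of the Ephemeral documentation), the following wrapper runs the tunnel command above only after it has checked the port values and the private key's file mode. It binds the forward to 127.0.0.1 and makes SSH exit if the forward cannot be set up. The function names and the SSH_BIN variable are hypothetical; the arguments are the values from the Connection Info panel.

```sh
#!/bin/sh
# Added example, not Ephemeral's own code. Function names and SSH_BIN are hypothetical.
# Usage: open_tunnel <localport> <database-hostname> <database-port> \
#                    <bastion-username> <bastion-host> <bastion-port> <private-key-file>

# Succeeds only if the key exists and grants nothing to group/other (for example 0600).
key_mode_ok() {
  [ -f "$1" ] || return 1
  # GNU stat first, then the BSD/macOS form.
  _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ $(( 0$_mode & 077 )) -eq 0 ]
}

# Succeeds only for an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

open_tunnel() {
  valid_port "$1" && valid_port "$3" && valid_port "$6" || { echo "bad port" >&2; return 2; }
  key_mode_ok "$7" || { echo "key missing or accessible by group/other: $7" >&2; return 3; }
  # 127.0.0.1:            keep the forwarded port off the machine's other interfaces.
  # ExitOnForwardFailure: exit instead of idling if the local port cannot be bound.
  # IdentitiesOnly:       offer only the given key, not every key held by the agent.
  # ServerAliveInterval:  notice a dead tunnel instead of hanging silently.
  "${SSH_BIN:-ssh}" -N \
    -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes -o ServerAliveInterval=30 \
    -L "127.0.0.1:$1:$2:$3" -i "$7" -p "$6" "$4@$5"
}
```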
Using an SSH sidecar to connect to a database
To interact with an Ephemeral database programmatically, instead of issuing individual commands to create the SSH tunnel, you can use an SSH sidecar.
In Ephemeral, an SSH sidecar is a Kubernetes sidecar container that creates an SSH tunnel to a remote host through a bastion. It runs alongside other containers in a single pod.
The other containers use the sidecar to connect to an Ephemeral database without having to create the SSH tunnel themselves.
You deploy an SSH sidecar for each database connection.
Obtaining the sidecar image
The image is published at quay.io/tonicai/ephemeral_ssh_sidecar. We recommend that you use the latest tag.
Mounting the SSH private key
The private key that is used to authenticate with the SSH host should be mounted to the container as a secret.
To ensure that the SSH client does not reject the key, mount the secret with 0600 file permissions.
Configuring the connection details for the sidecar
Use the following environment variables to configure the sidecar for an Ephemeral database connection.
The SSH host and remote host information for the database is included in the database connection information that is returned by the Ephemeral API. For more information, go to Getting information about Ephemeral databases.
SSH host connection information
The following variables are used to configure the authentication to the SSH host.
| The user that is used to connect to the SSH host. |
| The SSH host for the SSH tunnel. |
| The port on the SSH host. |
| The path to the private key file that is used to authenticate with the SSH host. |
Ephemeral database host and port
The following settings identify the host and port where the Ephemeral database is located:
| The remote host to create the SSH tunnel to. This is the host for the Ephemeral database. |
| The port on the remote host. |
Local port from which to create the SSH tunnel
The following setting identifies the local port from which to make the connection:
| The port on the local host from which the SSH tunnel is created. |
Other configuration
The following setting configures the retry behavior for the tunnel creation:
| Whether the sidecar attempts to recreate a collapsed tunnel.
The default is |
Example deployment with a sidecar
Here is an example of a Kubernetes deployment that uses an SSH sidecar to connect to an Ephemeral database through an SSH tunnel:
Configuring your application to connect with the sidecar
When you configure your application to use the sidecar to connect to an Ephemeral database, the connection information is:
Host - The IP address or hostname of the pod that runs the SSH tunnel image. If it is on the same pod, then Host is localhost.
Port - The value that you configured for LOCAL_PORT.
Username and Password - The values of the Username and Password fields in the Ephemeral database connection information.