googlecloudplatform / cloud-sql-proxy-operator
A Kubernetes Operator to automatically configure secure connections to Cloud SQL
License: Apache License 2.0
implement: spec.instances.socketType=UNIX, unixSocketDirectory
implement: spec.instances.unixSocketPathEnvName
E2E A Deployment uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and workload identity gcloud credentials
Currently we are using Go 1.18 because that is the version supported by controller-runtime and kubebuilder. Soon these frameworks will support Go 1.19. When that happens we need to update our project accordingly.
E2E A Cronjob uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and workload identity gcloud credentials
E2E A StatefulSet uses a tcp socket to connect to a sql server db with a public ip using db-user database credentials and workload identity gcloud credentials
Currently we use LDFLAGS to embed the contents of version.txt and the head SHA from our git repo into the built artifact.
Instead we want to use go embed. Investigate how to do this, and make sure it works properly.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These problems occurred while renovating this repository. View logs.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- cert-manager/cert-manager, hashicorp/terraform
- k8s.io/client-go, kubernetes/kubernetes, sigs.k8s.io/controller-runtime, sigs.k8s.io/controller-tools
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
- k8s.io/api, k8s.io/apimachinery
Detected dependencies:
Dockerfile
gcr.io/distroless/static nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
Dockerfile-operator
gcr.io/distroless/static nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
.github/workflows/codeql.yml
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
actions/setup-go v5.0.1@cdcb36043654635271a94b9a6d1392de5bb323a7
github/codeql-action v2.25.6@162eb1e32abe518e88bd229ebc8784a533ceaa51
github/codeql-action v2.25.6@162eb1e32abe518e88bd229ebc8784a533ceaa51
github/codeql-action v2.25.6@162eb1e32abe518e88bd229ebc8784a533ceaa51
.github/workflows/labels.yaml
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
micnncim/action-label-syncer v1.3.0@3abd5ab72fda571e69fffd97bd4e0033dd5f495c
.github/workflows/scorecard.yml
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
ossf/scorecard-action v2.3.3@dc50aa9510b46c811795eb24b2f1ba02a914e534
actions/upload-artifact v3.1.3@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
github/codeql-action v2.25.6@162eb1e32abe518e88bd229ebc8784a533ceaa51
.github/workflows/tests-main.yaml
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
google-github-actions/auth v1.3.0@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69
actions/setup-go v5.0.1@cdcb36043654635271a94b9a6d1392de5bb323a7
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
google-github-actions/auth v1.3.0@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69
google-github-actions/setup-gcloud v1.1.1@e30db14379863a8c79331b04a9969f4c1e225e0b
actions/setup-go v5.0.1@cdcb36043654635271a94b9a6d1392de5bb323a7
docker/setup-qemu-action v2.2.0@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7
docker/setup-buildx-action v2.10.0@885d1462b80bc1c1c7f0b00334ad271f09369c55
.github/workflows/tests.yaml
actions/github-script v6.4.1@d7906e4ad0b1822421a7e6a35d5ca353c962f410
actions/setup-go v5.0.1@cdcb36043654635271a94b9a6d1392de5bb323a7
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
actions/checkout v3.6.0@f43a0e5ff2bd294095638e18286ca9a3d1956744
google-github-actions/auth v1.3.0@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69
google-github-actions/setup-gcloud v1.1.1@e30db14379863a8c79331b04a9969f4c1e225e0b
actions/setup-go v5.0.1@cdcb36043654635271a94b9a6d1392de5bb323a7
docker/setup-qemu-action v2.2.0@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7
docker/setup-buildx-action v2.10.0@885d1462b80bc1c1c7f0b00334ad271f09369c55
go.mod
go 1.22
github.com/go-logr/logr v1.4.1
go.uber.org/zap v1.27.0
k8s.io/api v0.29.3
k8s.io/apimachinery v0.29.3
k8s.io/client-go v0.29.3
sigs.k8s.io/controller-runtime v0.17.2
sigs.k8s.io/yaml v1.4.0
config/manager/kustomization.yaml
Makefile
cert-manager/cert-manager v1.14.5
kubernetes/kubernetes v1.29.3
hashicorp/terraform v1.8.4
sigs.k8s.io/controller-tools v0.14.0
github.com/elastic/crd-ref-docs v0.0.12
github.com/golangci/golangci-lint/cmd/golangci-lint v1.59.0
github.com/google/go-licenses v1.6.0
internal/workload/podspec_updates.go
gcr.io/cloud-sql-connectors/cloud-sql-proxy 2.11.2
infra/permissions/main.tf
google 4.84.0
infra/resources/main.tf
google 4.84.0
google-beta 4.84.0
When you use this configuration:

```yaml
apiVersion: cloudsql.cloud.google.com/v1alpha1
kind: AuthProxyWorkload
metadata:
  name: authproxyworkload-sample
spec:
  authProxyContainer:
    image: "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.0.0-preview.2"
  workloadSelector:
    kind: "Deployment"
    name: "gke-cloud-sql-app"
  instances:
    - connectionString: "my-project:us-central1:my-instance"
      unixSocketPathEnvName: "DB_SOCKET_PATH"
      socketType: "unix"
      unixSocketPath: "/csql/pg"
```

Then the value of DB_SOCKET_PATH should be /csql/pg/my-project:us-central1:my-instance/.s.PGSQL.5432, the full path to the postgres unix socket file.
For other database types, the DB_SOCKET_PATH should be the full path to the unix socket file as well.
The operator should make sure that this is true, regardless of database type or particular implementation in the proxy.
Then the value of DB_SOCKET_PATH is set to /csql/pg
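As an added example (not the operator's code), this derives the full socket-file path for one instance from the fields in the sample above, so the env var carries the socket file rather than only the directory. The Postgres layout is the one the issue states; the MySQL layout (a socket file named after the instance, directly inside the directory) and the dbType parameter are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// socketFile returns the full path of the unix socket file the proxy creates
// for one instance under the configured unixSocketPath directory, which is the
// value unixSocketPathEnvName should carry (not just the directory). The
// Postgres layout is the one the issue spells out; the MySQL layout (a socket
// file named after the instance, directly inside the directory) is assumed here
// from proxy v2 behaviour. dbType is a constructed parameter for this example.
func socketFile(dir, connName, dbType string) (string, error) {
	// A Cloud SQL connection name is always project:region:instance.
	parts := strings.Split(connName, ":")
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return "", fmt.Errorf("connection name %q is not project:region:instance", connName)
	}
	if !filepath.IsAbs(dir) {
		return "", fmt.Errorf("unixSocketPath %q must be an absolute directory", dir)
	}
	switch strings.ToLower(dbType) {
	case "postgres":
		return filepath.Join(dir, connName, ".s.PGSQL.5432"), nil
	case "mysql":
		return filepath.Join(dir, connName), nil
	default:
		return "", fmt.Errorf("no unix socket layout known for database type %q", dbType)
	}
}

// envEntry renders the NAME=VALUE pair the operator would add to the workload container.
func envEntry(envName, dir, connName, dbType string) (string, error) {
	p, err := socketFile(dir, connName, dbType)
	if err != nil {
		return "", err
	}
	return envName + "=" + p, nil
}

func main() {
	// Values taken from the AuthProxyWorkload sample above.
	e, err := envEntry("DB_SOCKET_PATH", "/csql/pg", "my-project:us-central1:my-instance", "postgres")
	if err != nil {
		panic(err)
	}
	fmt.Println(e) // DB_SOCKET_PATH=/csql/pg/my-project:us-central1:my-instance/.s.PGSQL.5432
}
```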
Update E2E tests so that they succeed when they actually connect to the database and run a basic query.
This will be complete when:
On release:
Public Location: We will publish this to the cloud-sql-connectors registry as cloud-sql-proxy-operator
Add a new make target that creates generated API documentation for AuthProxyWorkload. This should
be run as part of make generate
When you run the installer following the instructions in Quick Start, it should work.
It doesn't work. There is a problem installing cert-manager related to permissions for
webhooks in the autopilot clusters. This causes the webhooks in the operator to fail,
thereby rendering the operator inoperable.
E2E A Deployment uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and vm identity gcloud credentials
implement: spec.telemetry.httpPort
implement: spec.telemetry.telemetryProject, telemetryPrefix, telemetrySampleRate
implement: spec.telemetry.disableTraces, disableMetrics
implement: spec.telemetry.prometheusNamespace
GIVEN A developer who can build this codebase, a Google Cloud account with an empty Google Cloud Project
WHEN the developer configures and runs end-to-end tests
THEN the end-to-end tests will provision resources in the project and run end-to-end test defined in this codebase.
This will only cover very basic CRUD tests for the AuthProxyWorkload resource.
Build the operator multiarch image and test it on an arm64 GKE cluster.
Add an environment variable CLOUD_SQL_PROXY_OPERATOR_VERSION
to the proxy container with the operator version and build information
Enhance the proxy to read CLOUD_SQL_PROXY_OPERATOR_VERSION
and add this value to its request User-Agent header when making requests to the google cloud API
E2E A Deployment uses a tcp socket to connect to a postgres db with a public ip using iam-authn database credentials and workload identity gcloud credentials
GIVEN a k8s cluster with operator installed
WHEN a user requests to create, update, or delete an AuthProxyWorkload resource
THEN the operator will respond to the change in the AuthProxyWorkload resource and update the state of the cluster workloads accordingly.
We need to land the implementation of the operator Reconcile() method.
When the HostEnvName field is set on an InstanceSpec, it should set an environment variable on the workload pods with the value 127.0.0.1. Instead it sets it to localhost, which is problematic for the mysql command line tool. Mysql assumes localhost means "a local socket connection" while 127.0.0.1 is unambiguously a tcp connection.
In release v2 preview.3 the proxy will support env vars for all the configuration. Switch the operator to use this mechanism for configuring the proxy because it will be more stable.
E2E A DaemonSet uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and workload identity gcloud credentials
Hard code the current latest proxyv2 image for public preview, which is "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.0.0-preview.2"
Behavior of the operator when choosing the default proxy image will need to be updated before GA. This is tracked in issue #49
implement: spec.instances.portEnvName, hostEnvName
implement: spec.instances.socketType=TCP, port
Roll up the status for the individual containers and report it in status.conditions for the AuthProxyWorkload resource.
E2E A Deployment uses a unix socket to connect to a mysql db with a public ip using db-user database credentials and file in k8s secret gcloud credentials
Provide these fields on the CRD: spec.proxyContainer.resources, image, container, sqlAdminApiEndpoint
GIVEN An AuthProxyWorkload resource with spec.proxyContainer.image not set
WHEN the proxy container is created
THEN it uses the latest released image for the proxy container
Always use the latest proxy image as of the release date of the operator: gcr.io/cloud-sql-connectors/cloud-sql-proxy:$version
All the go code should be in the internal/ package. We are not exporting any code for use as a library in another go project.
E2E A Deployment uses a tcp socket to connect to a mysql db with a private ip using db-user database credentials and workload identity gcloud credentials
Customize the renovatebot configuration to do the following:
Update the Makefile to hold specific versions for each tool.
Add the necessary Renovate configuration to automatically find and update the tool versions.
Eliminate latest versions from the Makefile wherever possible.
For example: CONTROLLER_TOOLS_VERSION and KUSTOMIZE_VERSION should be pinned to a specific version for now (one is currently on latest and one is on a version).
implement: spec.proxy.fuseDirectory
also implement: spec.instances.unixSocketPathEnvName
Release the operator image as a multi-architecture container image supporting windows. Create end-to-end test on a GKE cluster with windows nodes.
E2E A Job uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and workload identity gcloud credentials
Improve the release process script so that it pushes the operator image to all 4 regional repos used by Cloud SQL Proxy:
us.gcr.io
eu.gcr.io
asia.gcr.io
E2E A Pod uses a tcp socket to connect to a postgres db with a public ip using db-user database credentials and file in k8s secret gcloud credentials
The operator has a hardcoded url to the default proxy image. After the next release of the proxy, we need to update to the latest proxy version.
The version is here: internal/workload/podspec_updates.go:1077
The default proxy image used by the operator will be the latest published version of the proxy when the operator is released.
GIVEN a k8s cluster with AuthProxyWorkload that uses the default operator image
WHEN the customer upgrades the operator version running in that cluster
THEN the operator will update the proxy image used by the proxy container, initiating a rolling upgrade of the workload containers.
E2E A Deployment uses a tcp socket to connect to a mysql db with a public ip using db-user database credentials and workload identity gcloud credentials
Run an E2E happy path test with both the latest released proxy image and the head of the proxy main branch to make sure that the proxy is always working with the operator.
GIVEN a kubernetes cluster with the operator installed
WHEN a user submits a request to create or modify an AuthProxyWorkload resource
THEN the resource is validated according to the documented validation rules
Restructure the AuthProxyWorkloadSpec so that the data structure enforces (or encourages) users to create a valid configuration. (For example, you can't set a unix socket path and a tcp port on the same instance, so the data structure should make these settings mutually exclusive.)
Throughout the definition of the AuthProxyWorkload and its children, we describe the rules for the valid state of the object. For example from api/v1alpha1/authproxyworkload_types.go:92:

```go
// WorkloadSelectorSpec describes which workloads should be configured with this
// proxy configuration. To be valid, WorkloadSelectorSpec must specify Kind
// and either Name or Selector.
type WorkloadSelectorSpec struct {
	// Kind specifies what kind of workload
	// Supported kinds: Deployment, StatefulSet, Pod, DaemonSet, Job, CronJob
	// Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps".
	//+kubebuilder:validation:Required
	//+kubebuilder:validation:Pattern=\w+(\.\w+)*
	Kind string `json:"kind"`
	// ...
```
This feature request will be complete when:
Create Validation Rules
Update Validation
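An added example, not the operator's own code, of the validation rules described above written as plain Go checks: the Kind pattern from the struct comment, the "Name or Selector" rule, and the exclusion of a unix socket path and a tcp port on the same instance. The struct shapes are simplified assumptions for the example, not the real api/v1alpha1 types.

```go
package main

import (
	"fmt"
	"regexp"
)

// Simplified shapes of the CRD types named above, assumed for this example only.
type WorkloadSelectorSpec struct {
	Kind, Name, Selector string
}
type InstanceSpec struct {
	SocketType     string // "tcp" or "unix"
	Port           int32
	UnixSocketPath string
}
// The kubebuilder Pattern from the struct above, anchored; an empty Kind fails it too.
var kindPattern = regexp.MustCompile(`^\w+(\.\w+)*$`)
// validateSelector: Kind well-formed, and exactly one of Name or Selector set.
func validateSelector(s WorkloadSelectorSpec) []string {
	var errs []string
	if !kindPattern.MatchString(s.Kind) {
		errs = append(errs, "workloadSelector.kind is required and must match \\w+(\\.\\w+)*")
	}
	if (s.Name == "") == (s.Selector == "") {
		errs = append(errs, "workloadSelector must set exactly one of name or selector")
	}
	return errs
}

// validateInstance: a unix socket path and a tcp port never coexist on one instance.
func validateInstance(i int, in InstanceSpec) []string {
	var errs []string
	pfx := fmt.Sprintf("instances[%d]", i)
	tcp, unix := in.SocketType == "tcp", in.SocketType == "unix"
	if !tcp && !unix {
		return []string{pfx + `.socketType must be "tcp" or "unix"`}
	}
	if tcp && (in.Port <= 0 || in.Port > 65535 || in.UnixSocketPath != "") {
		errs = append(errs, pfx+": tcp instances need a port in 1-65535 and no unixSocketPath")
	}
	if unix && (in.UnixSocketPath == "" || in.Port != 0) {
		errs = append(errs, pfx+": unix instances need unixSocketPath and no port")
	}
	return errs
}

func main() { // invalid on purpose: a unix socket path and a tcp port on one instance
	fmt.Println(validateInstance(0, InstanceSpec{SocketType: "tcp", Port: 3306, UnixSocketPath: "/csql"}))
}
```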
The user should be able to run a command like this to install the cloud sql proxy operator into the GKE cluster:
curl https://raw.githubusercontent.com/GoogleCloudPlatform/cloud-sql-proxy-operator/v0.0.1-alpha1/install.sh | bash
This script will
This depends on hosting pre-build docker images of the operator in a well known location.
This will be complete when:
Periodically make the reconcile loop check all AuthProxyWorkload resources and update the status to reflect the current state of the workload's proxy containers.
When applying the proxy container to an existing workload, the container should be applied to the PodSpec on the Pod owned by a workload (Deployment, StatefulSet, etc.) As implemented now, the container gets applied to the PodSpec of the workload.
This feature will be complete when
As of v0.0.3 the operator will not install correctly on GKE Autopilot clusters.
GKE Autopilot reconfigures the kubernetes cluster, restricting some behavior. This includes webhooks and certificate management.
The default installation of cert-manager is broken on GKE with autopilot: see cert-manager/cert-manager#3717. Apparently there are now workarounds, but this will require some work.
Current plan:
GIVEN a customer with a Google Cloud credential JSON file stored in a ConfigMap
WHEN the customer creates an auth proxy workload configured with Credential File set
THEN the proxy will connect to the Google Cloud API using the credential file
This configures the --credential-file
flag on the proxy container and sets up a volume mount to the Secret.
Update the cert-manager version to the latest version according to
https://cert-manager.io/docs/installation/.
Make necessary changes to our configuration YAML so that it works.
E2E A Deployment uses a fuse socket to connect to a mysql db with a public ip using db-user database credentials and file in k8s secret gcloud credentials