From 1e75b8fe65cef6c4dcc436de64e05c14796ac153 Mon Sep 17 00:00:00 2001 From: Jonathan Hess Date: Thu, 16 May 2024 13:40:26 -0600 Subject: [PATCH] chore: Upgrade to Kubernetes 0.30.1 and controller-runtime. --- Makefile | 4 +- docs/api.md | 194 +++++++++++++++----------- go.mod | 21 +-- go.sum | 47 +++---- infra/resources/database.tf | 11 ++ internal/controller/pod_controller.go | 2 +- 6 files changed, 157 insertions(+), 122 deletions(-) diff --git a/Makefile b/Makefile index 3f9f3c55..5e27b6a4 100644 --- a/Makefile +++ b/Makefile @@ -435,10 +435,10 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # Important note: avoid adding spaces in the macro declarations as any # additional whitespace will break the renovate regex rules. -KUBECTL_VERSION=v1.29.3# renovate datasource=github-tags depName=kubernetes/kubernetes +KUBECTL_VERSION=v1.30.1# renovate datasource=github-tags depName=kubernetes/kubernetes TERRAFORM_VERSION=v1.8.3# renovate datasource=github-tags depName=hashicorp/terraform -CONTROLLER_TOOLS_VERSION=v0.14.0# renovate datasource=go depName=sigs.k8s.io/controller-tools +CONTROLLER_TOOLS_VERSION=v0.15.0# renovate datasource=go depName=sigs.k8s.io/controller-tools CRD_REF_DOCS_VERSION=v0.0.12# renovate datasource=go depName=github.com/elastic/crd-ref-docs GOLANGCI_LINT_VERSION=v1.58.1# renovate datasource=go depName=github.com/golangci/golangci-lint/cmd/golangci-lint GO_LICENSES_VERSION=v1.6.0# renovate datasource=go depName=github.com/google/go-licenses diff --git a/docs/api.md b/docs/api.md index 500c4425..50414d05 100644 --- a/docs/api.md +++ b/docs/api.md 
@@ -19,55 +19,65 @@ the custom resource AuthProxyWorkload version v1. -AdminServerSpec specifies how to start the proxy's admin server: which port and whether to enable debugging or quitquitquit. It controls to the proxy's --admin-port, --debug, and --quitquitquit CLI flags. +AdminServerSpec specifies how to start the proxy's admin server: +which port and whether to enable debugging or quitquitquit. It controls +to the proxy's --admin-port, --debug, and --quitquitquit CLI flags. + + _Appears in:_ - [AuthProxyContainerSpec](#authproxycontainerspec) -| Field | Description | -| --- | --- | -| `port` _integer_ | Port the port for the proxy's localhost-only admin server. This sets the proxy container's CLI argument `--admin-port` | -| `enableAPIs` _string array_ | EnableAPIs specifies the list of admin APIs to enable. At least one API must be enabled. Possible values: - "Debug" will enable pprof debugging by setting the `--debug` cli flag. - "QuitQuitQuit" will enable pprof debugging by setting the `--quitquitquit` cli flag. | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `port` _integer_ | Port the port for the proxy's localhost-only admin server.
This sets the proxy container's CLI argument `--admin-port` | | Minimum: 1
| +| `enableAPIs` _string array_ | EnableAPIs specifies the list of admin APIs to enable. At least one
API must be enabled. Possible values:
- "Debug" will enable pprof debugging by setting the `--debug` cli flag.
- "QuitQuitQuit" will enable pprof debugging by setting the `--quitquitquit`
cli flag. | | MinItems: 1
| #### AuthProxyContainerSpec -AuthProxyContainerSpec describes how to configure global proxy configuration and kubernetes-specific container configuration. +AuthProxyContainerSpec describes how to configure global proxy configuration and +kubernetes-specific container configuration. + + _Appears in:_ - [AuthProxyWorkloadSpec](#authproxyworkloadspec) -| Field | Description | -| --- | --- | -| `container` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core)_ | Container is debugging parameter that when specified will override the proxy container with a completely custom Container spec. | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. | -| `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry. Optional, by default | -| `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is available to other containers in the same pod. | -| `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API. | -| `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit. This sets the proxy container's CLI argument `--max-connections` | -| `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument `--max-sigterm-delay` and configures `terminationGracePeriodSeconds` on the workload's PodSpec. | -| `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will change the Google Cloud api endpoint used by the proxy. 
| -| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator will use the latest Cloud SQL Auth Proxy version as of the release of the operator.

The operator ensures that all workloads configured with the default proxy image are upgraded automatically to use to the latest released proxy image.

When the customer upgrades the operator, the operator upgrades all workloads using the default proxy image to the latest proxy image. The change to the proxy container image is applied in accordance with the RolloutStrategy. | -| `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to the workloads affected by the results. When this is set to `Workload`, changes to this resource will be automatically applied to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in accordance with the Strategy set on that workload. When this is set to `None`, the operator will take no action to roll out changes to affected workloads. `Workload` will be used by default if no value is set. See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | -| `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of logging generated by the proxy container. | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `container` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core)_ | Container is debugging parameter that when specified will override the
proxy container with a completely custom Container spec. | | Optional: {}
| +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. | | Optional: {}
| +| `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry.
Optional, by default | | Optional: {}
| +| `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is
available to other containers in the same pod. | | | +| `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself
to the Google Cloud API. | | | +| `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit.
This sets the proxy container's CLI argument `--max-connections` | | Minimum: 0
Optional: {}
| +| `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to
close after receiving a TERM signal. This sets the proxy container's
CLI argument `--max-sigterm-delay` and
configures `terminationGracePeriodSeconds` on the workload's PodSpec. | | Minimum: 0
Optional: {}
| +| `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will
change the Google Cloud api endpoint used by the proxy. | | Optional: {}
| +| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator
will use the latest Cloud SQL Auth Proxy version as of the release of the
operator.

The operator ensures that all workloads configured with the default proxy
image are upgraded automatically to use to the latest released proxy image.

When the customer upgrades the operator, the operator upgrades all
workloads using the default proxy image to the latest proxy image. The
change to the proxy container image is applied in accordance with
the RolloutStrategy. | | Optional: {}
| +| `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to
the workloads affected by the results. When this is set to
`Workload`, changes to this resource will be automatically applied
to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in
accordance with the Strategy set on that workload. When this is set to
`None`, the operator will take no action to roll out changes to affected
workloads. `Workload` will be used by default if no value is set.
See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | Workload | Enum: [Workload None]
Optional: {}
| +| `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of
logging generated by the proxy container. | | | #### AuthProxyWorkload -AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied to a matching set of workloads, and shows the status of those proxy containers. +AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied +to a matching set of workloads, and shows the status of those proxy containers. -| Field | Description | -| --- | --- | -| `apiVersion` _string_ | `cloudsql.cloud.google.com/v1` -| `kind` _string_ | `AuthProxyWorkload` -| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` _[AuthProxyWorkloadSpec](#authproxyworkloadspec)_ | | + + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `apiVersion` _string_ | `cloudsql.cloud.google.com/v1` | | | +| `kind` _string_ | `AuthProxyWorkload` | | | +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | +| `spec` _[AuthProxyWorkloadSpec](#authproxyworkloadspec)_ | | | | #### AuthProxyWorkloadSpec 
@@ -76,54 +86,80 @@ AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied to AuthProxyWorkloadSpec describes where and how to configure the proxy. + + _Appears in:_ - [AuthProxyWorkload](#authproxyworkload) -| Field | Description | -| --- | --- | -| `workloadSelector` _[WorkloadSelectorSpec](#workloadselectorspec)_ | Workload selects the workload where the proxy container will be added. | -| `instances` _[InstanceSpec](#instancespec) array_ | Instances describes the Cloud SQL instances to configure on the proxy container. | -| `authProxyContainer` _[AuthProxyContainerSpec](#authproxycontainerspec)_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `workloadSelector` _[WorkloadSelectorSpec](#workloadselectorspec)_ | Workload selects the workload where the proxy container will be added. | | Required: {}
| +| `instances` _[InstanceSpec](#instancespec) array_ | Instances describes the Cloud SQL instances to configure on the proxy container. | | MinItems: 1
Required: {}
| +| `authProxyContainer` _[AuthProxyContainerSpec](#authproxycontainerspec)_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. | | Optional: {}
| #### AuthenticationSpec -AuthenticationSpec specifies how the proxy is authenticated with the Google Cloud SQL Admin API. This configures proxy's --impersonate-service-account flag. +AuthenticationSpec specifies how the proxy is authenticated with the +Google Cloud SQL Admin API. This configures proxy's +--impersonate-service-account flag. + + _Appears in:_ - [AuthProxyContainerSpec](#authproxycontainerspec) -| Field | Description | -| --- | --- | -| `impersonationChain` _string array_ | ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy. | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `impersonationChain` _string array_ | ImpersonationChain is a list of one or more service
accounts. The first entry in the chain is the impersonation target. Any
additional service accounts after the target are delegates. The
roles/iam.serviceAccountTokenCreator must be configured for each account
that will be impersonated. This sets the --impersonate-service-account
flag on the proxy. | | | #### InstanceSpec -InstanceSpec describes the configuration for how the proxy should expose a Cloud SQL database instance to a workload. - In the minimum recommended configuration, the operator will choose a non-conflicting TCP port and set environment variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port and hostname. The application can read these values to connect to the database through the proxy. For example: - `{ "connectionString":"my-project:us-central1:my-db-server", "portEnvName":"MY_DB_SERVER_PORT" "hostEnvName":"MY_DB_SERVER_HOST" }` - If you want to assign a specific port number for a database, set the `port` field. For example: - `{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }` +InstanceSpec describes the configuration for how the proxy should expose +a Cloud SQL database instance to a workload. + + +In the minimum recommended configuration, the operator will choose +a non-conflicting TCP port and set environment +variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port +and hostname. The application can read these values to connect to the database +through the proxy. For example: + + + `{ + "connectionString":"my-project:us-central1:my-db-server", + "portEnvName":"MY_DB_SERVER_PORT" + "hostEnvName":"MY_DB_SERVER_HOST" + }` + + +If you want to assign a specific port number for a database, set the `port` +field. For example: + + + `{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }` + + _Appears in:_ - [AuthProxyWorkloadSpec](#authproxyworkloadspec) -| Field | Description | -| --- | --- | -| `connectionString` _string_ | ConnectionString is the connection string for the Cloud SQL Instance in the format `project_id:region:instance_name` | -| `port` _integer_ | Port (optional) sets the tcp port for this instance. 
If not set, a value will be automatically assigned by the operator and set as an environment variable on all containers in the workload named according to PortEnvName. The operator will choose a port so that it does not conflict with other ports on the workload. | -| `autoIAMAuthN` _boolean_ | AutoIAMAuthN (optional) Enables IAM Authentication for this instance. Default value is false. | -| `privateIP` _boolean_ | PrivateIP (optional) Enable connection to the Cloud SQL instance's private ip for this instance. Default value is false. | -| `psc` _boolean_ | PSC (optional) Enable connection to the Cloud SQL instance's private service connect endpoint. May not be used with PrivateIP. Default value is false. | -| `portEnvName` _string_ | PortEnvName is name of the environment variable containing this instance's tcp port. Optional, when set this environment variable will be added to all containers in the workload. | -| `hostEnvName` _string_ | HostEnvName The name of the environment variable containing this instances tcp hostname Optional, when set this environment variable will be added to all containers in the workload. | -| `unixSocketPath` _string_ | UnixSocketPath is the path to the unix socket where the proxy will listen for connnections. This will be mounted to all containers in the pod. | -| `unixSocketPathEnvName` _string_ | UnixSocketPathEnvName is the environment variable containing the value of UnixSocketPath. | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `connectionString` _string_ | ConnectionString is the connection string for the Cloud SQL Instance
in the format `project_id:region:instance_name` | | Pattern: `^([^:]+(:[^:]+)?):([^:]+):([^:]+)$`
Required: {}
| +| `port` _integer_ | Port (optional) sets the tcp port for this instance. If not set, a value will
be automatically assigned by the operator and set as an environment variable
on all containers in the workload named according to PortEnvName. The operator will choose
a port so that it does not conflict with other ports on the workload. | | Minimum: 1
Optional: {}
| +| `autoIAMAuthN` _boolean_ | AutoIAMAuthN (optional) Enables IAM Authentication for this instance.
Default value is false. | | Optional: {}
| +| `privateIP` _boolean_ | PrivateIP (optional) Enable connection to the Cloud SQL instance's private ip for this instance.
Default value is false. | | Optional: {}
| +| `psc` _boolean_ | PSC (optional) Enable connection to the Cloud SQL instance's private
service connect endpoint. May not be used with PrivateIP.
Default value is false. | | Optional: {}
| +| `portEnvName` _string_ | PortEnvName is name of the environment variable containing this instance's tcp port.
Optional, when set this environment variable will be added to all containers in the workload. | | Optional: {}
| +| `hostEnvName` _string_ | HostEnvName The name of the environment variable containing this instances tcp hostname
Optional, when set this environment variable will be added to all containers in the workload. | | Optional: {}
| +| `unixSocketPath` _string_ | UnixSocketPath is the path to the unix socket where the proxy will listen
for connnections. This will be mounted to all containers in the pod. | | Optional: {}
| +| `unixSocketPathEnvName` _string_ | UnixSocketPathEnvName is the environment variable containing the value of
UnixSocketPath. | | Optional: {}
| #### TelemetrySpec 
@@ -132,53 +168,43 @@ _Appears in:_ TelemetrySpec specifies how the proxy container will expose telemetry. + + _Appears in:_ - [AuthProxyContainerSpec](#authproxycontainerspec) -| Field | Description | -| --- | --- | -| `quotaProject` _string_ | QuotaProject Specifies the project to use for Cloud SQL Admin API quota tracking. The IAM principal must have the "serviceusage.services.use" permission for the given project. See https://cloud.google.com/service-usage/docs/overview and https://cloud.google.com/storage/docs/requester-pays This sets the proxy container's CLI argument `--quota-project` | -| `prometheus` _boolean_ | Prometheus Enables Prometheus HTTP endpoint /metrics on localhost This sets the proxy container's CLI argument `--prometheus` | -| `prometheusNamespace` _string_ | PrometheusNamespace is used the provided Prometheus namespace for metrics This sets the proxy container's CLI argument `--prometheus-namespace` | -| `telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID. This sets the proxy container's CLI argument `--telemetry-project` | -| `telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics. This sets the proxy container's CLI argument `--telemetry-prefix` | -| `telemetrySampleRate` _[int](#int)_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces. This sets the proxy container's CLI argument `--telemetry-sample-rate` | -| `httpPort` _integer_ | HTTPPort the port for Prometheus and health check server. 
This sets the proxy container's CLI argument `--http-port` | -| `disableTraces` _boolean_ | DisableTraces disables Cloud Trace testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-traces` | -| `disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-metrics` | +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `quotaProject` _string_ | QuotaProject Specifies the project to use for Cloud SQL Admin API quota tracking.
The IAM principal must have the "serviceusage.services.use" permission
for the given project. See https://cloud.google.com/service-usage/docs/overview and
https://cloud.google.com/storage/docs/requester-pays
This sets the proxy container's CLI argument `--quota-project` | | Optional: {}
| +| `prometheus` _boolean_ | Prometheus Enables Prometheus HTTP endpoint /metrics on localhost
This sets the proxy container's CLI argument `--prometheus` | | Optional: {}
| +| `prometheusNamespace` _string_ | PrometheusNamespace is used the provided Prometheus namespace for metrics
This sets the proxy container's CLI argument `--prometheus-namespace` | | Optional: {}
| +| `telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID.
This sets the proxy container's CLI argument `--telemetry-project` | | Optional: {}
| +| `telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics.
This sets the proxy container's CLI argument `--telemetry-prefix` | | Optional: {}
| +| `telemetrySampleRate` _integer_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces.
This sets the proxy container's CLI argument `--telemetry-sample-rate` | | Optional: {}
| +| `httpPort` _integer_ | HTTPPort the port for Prometheus and health check server.
This sets the proxy container's CLI argument `--http-port` | | Optional: {}
| +| `disableTraces` _boolean_ | DisableTraces disables Cloud Trace testintegration (used with telemetryProject)
This sets the proxy container's CLI argument `--disable-traces` | | Optional: {}
| +| `disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring testintegration (used with telemetryProject)
This sets the proxy container's CLI argument `--disable-metrics` | | Optional: {}
| #### WorkloadSelectorSpec -WorkloadSelectorSpec describes which workloads should be configured with this proxy configuration. To be valid, WorkloadSelectorSpec must specify `kind` and either `name` or `selector`. - -_Appears in:_ -- [AuthProxyWorkloadSpec](#authproxyworkloadspec) - -| Field | Description | -| --- | --- | -| `selector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)_ | Selector (optional) selects resources using labels. See "Label selectors" in the kubernetes docs https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | -| `kind` _string_ | Kind specifies what kind of workload Supported kinds: Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps". | -| `name` _string_ | Name specifies the name of the resource to select. | +WorkloadSelectorSpec describes which workloads should be configured with this +proxy configuration. To be valid, WorkloadSelectorSpec must specify `kind` +and either `name` or `selector`. -#### WorkloadStatus +_Appears in:_ +- [AuthProxyWorkloadSpec](#authproxyworkloadspec) +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `selector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)_ | Selector (optional) selects resources using labels. See "Label selectors" in the kubernetes docs
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | | Optional: {}
| +| `kind` _string_ | Kind specifies what kind of workload
Supported kinds: Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob
Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps". | | Pattern: `\w+(\.\w+)*`
Required: {}
| +| `name` _string_ | Name specifies the name of the resource to select. | | Optional: {}
| -WorkloadStatus presents the status for how this AuthProxyWorkload resource was applied to a specific workload. -_Appears in:_ -- [AuthProxyWorkloadStatus](#authproxyworkloadstatus) - -| Field | Description | -| --- | --- | -| `kind` _string_ | Kind Version Namespace Name identify the specific workload. | -| `version` _string_ | | -| `namespace` _string_ | | -| `name` _string_ | | -| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta) array_ | Conditions show the status of the AuthProxyWorkload resource on this matching workload.

The "UpToDate" condition indicates that the proxy was successfully applied to all matching workloads. See ConditionUpToDate. | diff --git a/go.mod b/go.mod index 7d91cea8..d419e173 100644 --- a/go.mod +++ b/go.mod @@ -1,14 +1,16 @@ module github.com/GoogleCloudPlatform/cloud-sql-proxy-operator -go 1.22 +go 1.22.0 + +toolchain go1.22.3 require ( github.com/go-logr/logr v1.4.1 go.uber.org/zap v1.27.0 - k8s.io/api v0.29.3 - k8s.io/apimachinery v0.29.3 - k8s.io/client-go v0.29.3 - sigs.k8s.io/controller-runtime v0.17.2 + k8s.io/api v0.30.1 + k8s.io/apimachinery v0.30.1 + k8s.io/client-go v0.30.1 + sigs.k8s.io/controller-runtime v0.18.2 sigs.k8s.io/yaml v1.4.0 ) @@ -18,7 +20,7 @@ require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.8.0 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect @@ -59,10 +61,9 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.29.0 // indirect - k8s.io/component-base v0.29.0 // indirect - k8s.io/klog/v2 v2.110.1 // indirect - k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/go.sum b/go.sum index 553391c6..f617d204 100644 --- a/go.sum +++ b/go.sum 
@@ -10,11 +10,10 @@ github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxER
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
-github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
+github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -72,10 +71,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
-github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
-github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
-github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
+github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
+github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -146,8 +145,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
+golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -170,24 +169,22 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
-k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
-k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
-k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
-k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
-k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
-k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
-k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
-k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
-k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
+k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
+k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
+k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
+k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
+k8s.io/apimachinery v0.30.1/go.mod 
h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= +k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= -sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= +sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/infra/resources/database.tf b/infra/resources/database.tf index d9f2cd9f..6167583e 100644 --- a/infra/resources/database.tf +++ b/infra/resources/database.tf @@ -31,6 +31,10 @@ resource "google_sql_database_instance" "instance" { settings { tier = "db-f1-micro" user_labels = local.standard_labels + database_flags { + name = "cloudsql.iam_authentication" + value = "on" + } } deletion_protection = "true" root_password = random_id.db_password.hex 
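Review bot: The new `database_flags` block switches on IAM database authentication for the `instance` resource, but nothing in the patch records why; the commit title only mentions the Kubernetes and controller-runtime upgrade, so this infrastructure change is easy to overlook in review. A one-line comment above the block would capture the intent, e.g. `# Enable IAM database authentication so the test instance can exercise the operator's autoIAMAuthN option.` (presumably the motivation, given the `autoIAMAuthN` field documented in docs/api.md — confirm). The `mysql` instance declared later in this file is not given an equivalent flag here; worth confirming whether that is intentional. The enclosing `google_sql_database_instance` resource starts before this hunk.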
@@ -42,6 +46,13 @@ resource "google_sql_database" "db" { project = var.project_id } +resource "google_sql_user" "iam_user" { + name = "hessjc@google.com" + instance = google_sql_database_instance.instance.name + type = "CLOUD_IAM_USER" + project = var.project_id +} + # See versions at https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#database_version resource "google_sql_database_instance" "mysql" { name = "mysql${random_id.db_name.hex}${var.environment_name}" diff --git a/internal/controller/pod_controller.go b/internal/controller/pod_controller.go index ee272158..7607f96d 100644 --- a/internal/controller/pod_controller.go +++ b/internal/controller/pod_controller.go @@ -38,7 +38,7 @@ import ( // supported workload types: Deployment, ReplicaSet, StatefulSet, Pod, CronJob, Job type PodAdmissionWebhook struct { Client client.Client - decoder *admission.Decoder + decoder admission.Decoder updater *workload.Updater }
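Review bot: The new `google_sql_user.iam_user` resource hard-codes one individual's account, `hessjc@google.com`, as a `CLOUD_IAM_USER`, so every environment this configuration is applied to grants that single person database login rights, and rotating or removing the access means editing source. Take the principal from an input instead so each environment states explicitly who is granted access: `name = var.iam_user_email` together with a `variable "iam_user_email"` declaration (constructed name). IAM database login additionally requires the principal to hold the `roles/cloudsql.instanceUser` role on the project; if that binding is managed elsewhere, a comment pointing to it would save the next reader a search. This change is unrelated to the Kubernetes upgrade named in the commit title and would be easier to audit as its own commit.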
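Review bot: The `decoder` field now holds an interface value rather than a `*admission.Decoder`, so its zero value is a nil interface and the webhook panics on the first admission request if nothing assigns it; the constructor and `Handle` method that set and use the field are outside this hunk, so confirm the constructor now assigns it from `admission.NewDecoder` under controller-runtime v0.18.2 (the go.mod bump presumably drove this type change). A field comment would make the contract explicit: `// decoder deserializes admission requests into typed objects; must be set before Handle is called.` The remaining struct fields are unchanged context.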