From f03e3888cbdae7812d07a81615b1173089cca32b Mon Sep 17 00:00:00 2001 From: Matt Drago Date: Wed, 25 May 2022 15:07:31 +1000 Subject: [PATCH 1/2] Adds Cloud SQL Auth Proxy Support When the postgresql DB is hosted on Google Cloud SQL and hosted on a GKE Cluster, the can be a need to use the Cloud SQL Auth Proxy. Using the Auth Proxy is also the recommended approach to connect to Cloud SQL from GKE (https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine) The mechanism for controlling the upgrading of the database has also been modified. .Values.postgresql.upgradeDb takes a boolean value and is used to control whether the graphql node will run the db upgrade script or not. --- helm/prefect-server/templates/_helpers.tpl | 45 +++++++++++++++++++ .../templates/graphql/deployment.yaml | 35 +++------------ .../templates/hasura/deployment.yaml | 5 +++ helm/prefect-server/values.yaml | 45 ++++++++++++++++--- 4 files changed, 96 insertions(+), 34 deletions(-) diff --git a/helm/prefect-server/templates/_helpers.tpl b/helm/prefect-server/templates/_helpers.tpl index f32d2837..2a1ca6ab 100644 --- a/helm/prefect-server/templates/_helpers.tpl +++ b/helm/prefect-server/templates/_helpers.tpl @@ -11,6 +11,8 @@ postgresql-connstr postgresql-secret-name postgresql-secret-ref + gceProxySidecarContainer + gceProxySidecarVolumes See also: hasura/_helpers.tpl: Provides helpers to generate the hasura API path @@ -94,6 +96,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Generate the hostname of the postgresql service If a subchart is used, evaluate using its fullname function as {subchart.fullname}-{namespace} + If a Cloud SQL Auth Proxy is used, 127.0.0.1 will be returned Otherwise, the configured external hostname will be returned */}} {{- define "prefect-server.postgres-hostname" -}} 
@@ -101,6 +104,8 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- $subchart_overrides := .Values.postgresql -}} {{- $name := include "postgresql.fullname" (dict "Values" $subchart_overrides "Chart" (dict "Name" "postgresql") "Release" .Release) -}} {{- printf "%s.%s" $name .Release.Namespace -}} +{{- else if .Values.postgresql.useGceProxySidecar -}} + 127.0.0.1 {{- else -}} {{- .Values.postgresql.externalHostname -}} {{- end -}} 
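Review bot: The new `else if .Values.postgresql.useGceProxySidecar` branch returns `127.0.0.1` from a chart-wide helper, so every template that includes `prefect-server.postgres-connstr` now has to carry the sidecar too; graphql and hasura get it in this patch, but any other consumer of the helper (a job, hook or extra deployment, if the chart has one — not visible here) will resolve to loopback and fail to connect once the flag is set. The `useSubChart` test that precedes this branch starts outside the hunk; as written it wins, so setting both flags silently ignores the proxy rather than erroring. Suggest a comment above the new branch, `{{/* loopback is only reachable from pods that include prefect-server.gceProxySidecarContainer; keep every consumer of this helper in sync */}}`, and a `{{ fail "useGceProxySidecar requires useSubChart: false" }}` where the two flags conflict.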
@@ -208,3 +213,43 @@ secretKeyRef: {{- include "env-unwrap" $args -}} {{- end }} +{{/* +*/}} +{{- define "prefect-server.gceProxySidecarContainer" -}} +{{- if (and .Values.postgresql.useGceProxySidecar (not .Values.postgresql.useSubChart)) -}} +- name: cloud-sql-proxy + image: gcr.io/cloudsql-docker/gce-proxy:{{ .Values.postgresql.gceProxySidecar.image_version }} + command: + - "/cloud_sql_proxy" + - "-ip_address_types={{ .Values.postgresql.gceProxySidecar.cloud_sql_proxy_args.ip_address_types }}" + - "-log_debug_stdout" + - "-instances={{ .Values.postgresql.gceProxySidecar.cloud_sql_proxy_args.instance_connection_name }}=tcp:{{ .Values.postgresql.servicePort }}" + - "-credential_file=/secrets/{{ .Values.postgresql.gceProxySidecar.service_account.filename_in_secret }}" + securityContext: + runAsNonRoot: true + volumeMounts: + - name: cloud-sql-proxy-secret-volume + mountPath: /secrets/ + readOnly: true + {{- with .Values.postgresql.gceProxySidecar.resources }} + resources: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "prefect-server.gceProxySidecarVolumes" -}} +{{- if (and .Values.postgresql.useGceProxySidecar (not .Values.postgresql.useSubChart)) -}} +- name: cloud-sql-proxy-secret-volume + secret: + secretName: {{ .Values.postgresql.gceProxySidecar.service_account.secret_name }} +{{- end }} +{{- end }} + +{{- define "prefect-server.db-cmd" -}} +{{- if .Values.postgresql.upgradeDb -}} +"/usr/local/bin/prefect-server database upgrade --yes" +{{- else -}} +"echo 'DATABASE MIGRATIONS SKIPPED'" +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/helm/prefect-server/templates/graphql/deployment.yaml b/helm/prefect-server/templates/graphql/deployment.yaml index cdc89fa8..a70c4035 100644 --- a/helm/prefect-server/templates/graphql/deployment.yaml +++ b/helm/prefect-server/templates/graphql/deployment.yaml 
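Review bot: `prefect-server.gceProxySidecarContainer` hard-wires `-credential_file` and the secret volume, so the only supported identity is a long-lived service-account key in a Kubernetes Secret, and with the default `secret_name: ""` an enabled sidecar renders `secretName:` as null and the pod never starts. The proxy falls back to application default credentials when `-credential_file` is absent, which is how Workload Identity (the first option in the linked GKE doc) is used; making the key file conditional on `service_account.secret_name`, and failing at render time on an empty `instance_connection_name`, keeps the key-file path working while allowing the keyless one. While touching the `securityContext`, `allowPrivilegeEscalation: false` and dropping all capabilities cost nothing for this image; `readOnlyRootFilesystem: true` is probably fine for a tcp-only listener but should be verified against the image first.

```yaml
{{- define "prefect-server.gceProxySidecarContainer" -}}
{{- if (and .Values.postgresql.useGceProxySidecar (not .Values.postgresql.useSubChart)) -}}
{{- $proxy := .Values.postgresql.gceProxySidecar -}}
- name: cloud-sql-proxy
  image: gcr.io/cloudsql-docker/gce-proxy:{{ $proxy.image_version }}
  command:
    - "/cloud_sql_proxy"
    - "-ip_address_types={{ $proxy.cloud_sql_proxy_args.ip_address_types }}"
    - "-log_debug_stdout"
    - "-instances={{ required "postgresql.gceProxySidecar.cloud_sql_proxy_args.instance_connection_name must be set when useGceProxySidecar is true" $proxy.cloud_sql_proxy_args.instance_connection_name }}=tcp:{{ .Values.postgresql.servicePort }}"
    {{- if $proxy.service_account.secret_name }}
    # Key file from a Secret; leave secret_name empty to authenticate via
    # application default credentials (Workload Identity) instead.
    - "-credential_file=/secrets/{{ $proxy.service_account.filename_in_secret }}"
    {{- end }}
  securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
  {{- if $proxy.service_account.secret_name }}
  volumeMounts:
    - name: cloud-sql-proxy-secret-volume
      mountPath: /secrets/
      readOnly: true
  {{- end }}
  # … unchanged: resources …
{{- end }}
{{- end }}

{{- define "prefect-server.gceProxySidecarVolumes" -}}
{{- if (and .Values.postgresql.useGceProxySidecar (not .Values.postgresql.useSubChart) .Values.postgresql.gceProxySidecar.service_account.secret_name) -}}
- name: cloud-sql-proxy-secret-volume
  secret:
    secretName: {{ .Values.postgresql.gceProxySidecar.service_account.secret_name }}
{{- end }}
{{- end }}
```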
@@ -38,32 +38,6 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - initContainers: - - name: db-upgrade - {{- with .Values.graphql.securityContext -}} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - image: "{{ .Values.graphql.image.name }}:{{ .Values.graphql.image.tag | default .Values.serverVersionTag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.graphql.image.pullPolicy }} - command: - - "bash" - - "-c" - - "/usr/local/bin/prefect-server database upgrade --yes" - env: - - name: PREFECT_SERVER__DATABASE__CONNECTION_URL - value: {{ include "prefect-server.postgres-connstr" . | replace "%40" "@" }} - - name: PGPASSWORD - valueFrom: - {{- include "prefect-server.postgres-secret-ref" . | nindent 16 }} - {{- (include "prefect-server.envConfig" .) | nindent 12 }} - {{- with .Values.graphql.init.env }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.graphql.init.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} containers: - name: graphql {{- with .Values.graphql.securityContext -}} @@ -75,10 +49,10 @@ spec: command: - bash - "-c" - - "python src/prefect_server/services/graphql/server.py" + - "${PREFECT_SERVER_DB_CMD} && python src/prefect_server/services/graphql/server.py" env: - name: PREFECT_SERVER_DB_CMD - value: "echo 'DATABASE MIGRATIONS SKIPPED'" + value: {{ include "prefect-server.db-cmd" . }} - name: PREFECT_SERVER__DATABASE__CONNECTION_URL value: {{ include "prefect-server.postgres-connstr" . }} - name: PGPASSWORD @@ -104,6 +78,11 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- include "prefect-server.gceProxySidecarContainer" . | nindent 8 }} + {{- if "prefect-server.gceProxySidecarVolumes" }} + volumes: + {{- include "prefect-server.gceProxySidecarVolumes" . | nindent 8 }} + {{- end }} {{- with .Values.graphql.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
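Review bot: Dropping the `db-upgrade` initContainer silently breaks any values file that sets `graphql.init.env` or `graphql.init.resources`: after the upgrade those keys are ignored rather than rejected, and the migration now runs with the main container's `env` instead of `init.env`. Worth a line in the changelog and, if the chart has a values schema, a `{{ if .Values.graphql.init }}{{ fail "graphql.init has been removed; use postgresql.upgradeDb" }}{{ end }}` guard so the change is visible at install time. The pod spec this hunk edits starts before the hunk.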
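Review bot: `"${PREFECT_SERVER_DB_CMD} && python src/prefect_server/services/graphql/server.py"` executes an environment variable as shell code: the expansion is unquoted, so the single quotes in the skip branch survive as literal characters (`echo 'DATABASE MIGRATIONS SKIPPED'` prints them), and a later `env` entry with the same name — from `graphql.env`, if it is rendered after this one, which the hunk does not show — replaces the migration step with whatever it contains. The decision is already made at render time, so the command can be emitted directly: `- "{{ if .Values.postgresql.upgradeDb }}/usr/local/bin/prefect-server database upgrade --yes && {{ end }}python src/prefect_server/services/graphql/server.py"`, keeping the `PREFECT_SERVER_DB_CMD` variable only if something inside the image still reads it.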
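Review bot: `{{- if "prefect-server.gceProxySidecarVolumes" }}` tests a non-empty string literal rather than the helper's output, so it is always true and `volumes:` is emitted for every install; without the sidecar it renders as `volumes: null`, and it will clash with any `volumes:` the pod spec already declares (not visible in this hunk). Condition on the rendered text instead: `{{- with include "prefect-server.gceProxySidecarVolumes" . }}` / `volumes:` / `{{- . | nindent 8 }}` and `{{- end }}`.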
diff --git a/helm/prefect-server/templates/hasura/deployment.yaml b/helm/prefect-server/templates/hasura/deployment.yaml index 806fe60f..d5d4a9c5 100644 --- a/helm/prefect-server/templates/hasura/deployment.yaml +++ b/helm/prefect-server/templates/hasura/deployment.yaml @@ -80,6 +80,11 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- include "prefect-server.gceProxySidecarContainer" . | nindent 8 }} + {{- if "prefect-server.gceProxySidecarVolumes" }} + volumes: + {{- include "prefect-server.gceProxySidecarVolumes" . | nindent 8 }} + {{- end }} {{- with .Values.hasura.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helm/prefect-server/values.yaml b/helm/prefect-server/values.yaml index 415e585a..70b909fb 100644 --- a/helm/prefect-server/values.yaml +++ b/helm/prefect-server/values.yaml 
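Review bot: The same `{{- if "prefect-server.gceProxySidecarVolumes" }}` appears here and is likewise always true, so `volumes: null` is rendered into the hasura pod even when the proxy is disabled; use `{{- with include "prefect-server.gceProxySidecarVolumes" . }}` and `{{- . | nindent 8 }}` in place of the literal test. Separately, hasura opens its database connection at boot, and a sidecar is not guaranteed to be listening before the main container starts; if hasura does not retry on its own (not verifiable from this hunk) it will crash-loop until the proxy is up, which a startup probe or documented expectation should cover.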
@@ -86,6 +86,45 @@ postgresql: # `internalPostgres` is `true` externalHostname: "" + # upgradeDb defines if the databse should be upgraded when starting + # the server + upgradeDb: true + + # useGceProxySidecar determines if this chart should deploy the + # Cloud SQL Auth Proxy wherever a connection to the Postgres + # databse is required. + useGceProxySidecar: false + + # gceProxySidecar determines if a gce Proxy sidecar should be + # configured to connect to an external Postgresql database hosted + # on Google Cloud SQL. + gceProxySidecar: + # image_version allows for the updating of the version of the + # cloud_sql_proxy image to use. + image_version: 1.28.0 + + cloud_sql_proxy_args: + # ip_address_types specifies whether to use PUBLIC or PRIVATE + # ip types. If connecting from a VPC-native GKE cluster, set + # to private to have the proxy connect over a private IP + ip_address_types: PUBLIC,PRIVATE + + # instance_connection_name is the connection name of the Cloud SQL + # instance that the proxy is to connect to. + instance_connection_name: "" + + # service_account holds the details required to configure the proxy + # to connect as the provided service account. + # See https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#service-account-key-file + # for details on how to create/configure the secret + service_account: + # secret_name is the name of the secret that contains the key file + # of the service account that the proxy will use for authentication + secret_name: "" + filename_in_secret: "service_account.json" + + resources: {} + # useSubChart determines if a this chart should deploy a # user-manager postgres database or use an externally managed # postgres instance. If `useSubChart` is `true`, the 
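Review bot: `service_account.secret_name: ""` is the default while `useGceProxySidecar: true` always mounts that Secret, so the documented configuration is incomplete without a key file, and the comments point users only at the key-file method even though the same GKE page recommends Workload Identity first; a comment such as `# Prefer Workload Identity: bind the pod's service account to a GSA with roles/cloudsql.client and leave secret_name empty` would steer operators away from long-lived keys. `image_version: 1.28.0` parses as a string today only because it has two dots — quote it (`image_version: "1.28.0"`) and consider documenting that a `@sha256:` digest can be used in its place to pin the proxy image. Also "databse" is misspelled twice in the new comments.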
@@ -196,12 +235,6 @@ graphql: tolerations: [] affinity: {} - init: - # init.resources configures resources for the initContainer - # which upgrades the database - env: [] - resources: {} - # apollo configures the Prefect apollo deployment and service # which provides a unified graphql schema for users and the UI # to interact with From 63646fce0c2a966545218a6a2626d944a821acb9 Mon Sep 17 00:00:00 2001 From: Matt Drago Date: Thu, 26 May 2022 08:26:35 +1000 Subject: [PATCH 2/2] Adds Cloud SQL Auth Proxy Support to Changelog --- changes/pr372.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changes/pr372.yaml diff --git a/changes/pr372.yaml b/changes/pr372.yaml new file mode 100644 index 00000000..a5aca04a --- /dev/null +++ b/changes/pr372.yaml @@ -0,0 +1,5 @@ +enhancement: + - "Adds Google Cloud SQL Auth Proxy Support - [#372](https://github.com/PrefectHQ/server/pull/372)" + +contributor: + - "[Matt Drago](https://github.com/mattdrago)"