diff --git a/.build/release.yaml b/.build/release.yaml index e0980132..a800e960 100644 --- a/.build/release.yaml +++ b/.build/release.yaml @@ -16,6 +16,12 @@ # Run this from your dev environment: # gcloud builds submit --project=cloud-sql-connectors --config=.build/release.yaml --substitutions=_TEST_BUILD_ID=0000-dirty-$(date "+%s") steps: + - name: 'golang:1.20' + entrypoint: bash + args: + - '-c' + - 'go run github.com/google/go-licenses@v1.6.0 save --save_path ThirdPartyLicenses .' + id: 'download-licenses' - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk' entrypoint: bash args: diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 00000000..a690a92a --- /dev/null +++ b/.github/labels.yml 
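Review bot: The new `download-licenses` step pulls `golang:1.20` by mutable tag, while this same commit moves the distroless base images in Dockerfile and Dockerfile-operator to digest pins; the builder stage in Dockerfile-operator (`FROM --platform=$BUILDPLATFORM golang:1.20 as build`) has the same gap. Pinning the release builder the same way, `- name: 'golang:1.20@sha256:<digest-placeholder>'`, makes the release build reproducible and closes the remaining unpinned image in the release path. The `go run github.com/google/go-licenses@v1.6.0` invocation is fine as written, since the module proxy and checksum database already verify that module.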
@@ -0,0 +1,71 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: duplicate + color: ededed + description: "" +- name: 'type: bug' + color: db4437 + description: Error or flaw in code with unintended results or allowing sub-optimal usage patterns. +- name: 'type: cleanup' + color: c5def5 + description: An internal cleanup or hygiene concern. +- name: 'type: docs' + color: 0000A0 + description: Improvement to the documentation for an API. +- name: 'type: feature request' + color: c5def5 + description: ‘Nice-to-have’ improvement, new feature or different behavior or design. +- name: 'type: process' + color: c5def5 + description: A process-related concern. May include testing, release, or the like. +- name: 'type: question' + color: c5def5 + description: Request for information or clarification. +- name: 'priority: p0' + color: b60205 + description: Highest priority. Critical issue. P0 implies highest priority. +- name: 'priority: p1' + color: ffa03e + description: Important issue which blocks shipping the next release. Will be fixed prior to next release. +- name: 'priority: p2' + color: fef2c0 + description: Moderately-important priority. Fix may not be included in next release. +- name: 'priority: p3' + color: ffffc7 + description: Desirable enhancement or fix. May not be included in next release. +- name: do not merge + color: d93f0b + description: Indicates a pull request not ready for merge, due to either quality or timing. 
+- name: 'autorelease: pending' + color: ededed + description: Release please needs to do its work on this. +- name: 'autorelease: triggered' + color: ededed + description: Release please has triggered a release for this. +- name: 'autorelease: tagged' + color: ededed + description: Release please has completed a release for this. +- name: 'tests: run' + color: 3DED97 + description: Label to trigger Github Action tests. +- name: 'flakybot: flaky' + color: 86d9d7 + description: Tells the Flaky Bot not to close or comment on this issue. +- name: 'flakybot: quiet' + color: 86d9d7 + description: Tells the Flaky Bot to comment less. +- name: 'flakybot: issue' + color: a9f9f7 + description: An issue filed by the Flaky Bot. Should not be added manually. diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..c7fedfb1 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,76 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + pull_request_target: + types: [labeled] + paths-ignore: + - '**/*.md' + - '**/*.txt' + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analyze: + if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go' ] + + steps: + - name: Checkout repository + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Setup Go + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + with: + go-version: "1.20" + if: ${{ matrix.language == 'go' }} + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). 
+ # If this step fails, then you should remove it and run the build manually + - name: Autobuild + uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/labels.yaml b/.github/workflows/labels.yaml new file mode 100644 index 00000000..8b5c74bb --- /dev/null +++ b/.github/workflows/labels.yaml @@ -0,0 +1,31 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Sync labels +on: + push: + branches: + - main + +# Declare default permissions as read only. +permissions: read-all + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-please-updates.yaml b/.github/workflows/release-please-updates.yaml index ca78add3..bc0e2499 100644 --- a/.github/workflows/release-please-updates.yaml +++ b/.github/workflows/release-please-updates.yaml 
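Review bot: The `pull_request_target` trigger checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) and then runs Autobuild on it, and the job token in scope carries `security-events: write` against the base repository. The `tests: run` label gate means a maintainer opts each PR in, but `actions/checkout` still persists that token into `.git/config` by default, where anything executed during the build could read it; Go's compiler does not run project code, but CodeQL autobuild may invoke build scripts it finds, so the checkout should be treated as untrusted. Adding `persist-credentials: false` under the checkout's `with:`, exactly as scorecard.yml in this commit does, removes that exposure without affecting the analysis.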
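Review bot: The `build` job in labels.yaml inherits the workflow-level `permissions: read-all`, so the `GITHUB_TOKEN` handed to `micnncim/action-label-syncer` has no write access to issues and creating or updating labels will most likely be rejected by the API. Give the job only what it needs, a job-level `permissions:` block with `issues: write`, and keep the workflow default read-only. This is the same per-job scoping release-please-updates.yaml and tests.yaml use elsewhere in this commit.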
@@ -16,18 +16,23 @@ name: Release PR on: pull_request: types: [opened, synchronize, reopened, labeled] +# Declare default permissions as read only. +permissions: read-all jobs: build: name: "Code Generation" runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write if: "${{ github.actor == 'release-please[bot]' }}" steps: - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..d8e7e426 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,70 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: OSSF Scorecard +on: + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + schedule: + # weekly on Sunday + - cron: '0 20 * * 0' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: "Checkout code" + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 + with: + results_file: results.sarif + results_format: sarif + + - name: Filter SARIF to skip false positives + # filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions + env: + SCORECARD_SKIPPED_RULE_IDS: "DangerousWorkflowID" + run: | + SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")') + # Trim the SARIF file to remove false positive detections + cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif + + # Upload the results as artifacts (optional). 
Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + with: + sarif_file: resultsFiltered.sarif diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml new file mode 100644 index 00000000..d10a8625 --- /dev/null +++ b/.github/workflows/tests-main.yaml 
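Review bot: The jq filter drops every result whose `ruleId` is `DangerousWorkflowID`, not only the label-gated `pull_request_target` pattern the comment says it is excusing, so a later genuine finding under that rule (for example an untrusted `${{ github.event.* }}` value expanded inside a `run:` script) would be silently removed from code scanning as well. Consider narrowing the `select` to the specific alert message or workflow file the exemption is for, and recording in the comment which finding was reviewed and why it is acceptable, so the suppression stays auditable. Note too that the artifact step uploads the unfiltered `results.sarif` while code scanning receives `resultsFiltered.sarif`; if the artifact is meant as the audit trail that is the right way round, but it is worth saying so in the step comment.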
@@ -0,0 +1,76 @@ +# Copyright 2023 Google LLC + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: tests-main +on: # at 5:10 UTC every day and on each push to main + schedule: + - cron: "10 5 * * *" + push: + branches: + - 'main' +permissions: read-all +jobs: + unit: + name: unit tests + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - name: Setup Go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.20' + - name: Set up build.env with phony secrets. + run: cp build.sample.env build.env + - name: Verify no changes from code generation. + run: "make generate \nif ! git diff --exit-code --quiet ; then \n echo\n echo\n git diff --stat \"HEAD\"\n echo\n echo\n echo 'ERROR: Lint tools caused changes to the working dir. 
'\n exit 1\nfi\n" + - name: make test + run: make test + e2e: + name: e2e tests + runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' + steps: + - name: Checkout code + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 + with: + workload_identity_provider: ${{ secrets.PROVIDER_NAME }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} + access_token_lifetime: 600s + project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }} + create_credentials_file: true + - name: 'Set up Cloud SDK' + uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 + - name: 'Setup Go' + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.20' + - name: Set up QEMU + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + - id: 'e2e' + name: 'Run E2E Tests' + run: "./tools/e2e_test_job.sh" + env: + ENVIRONMENT_NAME: "ci-branch-main" + NODEPOOL_SERVICEACCOUNT_EMAIL: "${{secrets.NODEPOOL_SERVICEACCOUNT_EMAIL}}" + WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{secrets.WORKLOAD_ID_SERVICEACCOUNT_EMAIL}}" + TFSTATE_STORAGE_BUCKET: "${{secrets.TFSTATE_STORAGE_BUCKET}}" + E2E_PROJECT_ID: "${{secrets.GOOGLE_CLOUD_PROJECT}}" diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index b60e7df8..134d4881 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -17,15 +17,20 @@ on: pull_request: pull_request_target: types: [labeled] +# Declare default permissions as read only. +permissions: read-all jobs: unit: if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" name: unit tests runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - name: Remove PR Label if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -40,11 +45,11 @@ jobs: console.log('Failed to remove label. Another job may have already removed it!'); } - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} 
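Review bot: The `unit` job now grants the base-repository token `issues: write` and `pull-requests: write`, and that same token is persisted into `.git/config` by the checkout of the untrusted PR head (`ref: ${{ github.event.pull_request.head.sha }}`, second hunk) before `make test` runs the PR's own Makefile. Only the 'Remove PR Label' step needs the write scopes, and it runs before the checkout, so `persist-credentials: false` on the checkout step keeps label removal working while denying the PR's code a token that can now edit issues and pull requests. The e2e job in the next hunk has the same shape, with `id-token: write` on top.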
@@ -62,31 +67,33 @@ jobs: permissions: contents: 'read' id-token: 'write' + issues: write + pull-requests: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v1.0.0' + name: Authenticate to Google Cloud + uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 with: workload_identity_provider: ${{ secrets.PROVIDER_NAME }} service_account: ${{ secrets.SERVICE_ACCOUNT }} access_token_lifetime: 600s project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }} create_credentials_file: true - - name: 'Set up Cloud SDK' - uses: 'google-github-actions/setup-gcloud@v1' + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 - name: 'Setup Go' - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - id: 'e2e' name: 'Run E2E Tests' run: "./tools/e2e_test_job.sh" diff --git a/CHANGELOG.md b/CHANGELOG.md index a1c2cd13..c17a7df6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
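Review bot: The e2e job adds `issues: write` and `pull-requests: write`, but none of the steps visible in the hunk use them — the label-removal `github-script` step lives in the `unit` job — and this job already holds `id-token: write` for the Workload Identity exchange with Google Cloud. Unless a step after `Run E2E Tests` (outside the hunk) needs them, drop the two lines so the token present while `./tools/e2e_test_job.sh` runs from the PR head carries the minimum. As in the unit job, `persist-credentials: false` on the checkout is cheap insurance here.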
@@ -1,5 +1,23 @@ # Changelog +## [0.5.0](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v0.4.0...v0.5.0) (2023-04-26) + + +### Features + +* Improve security posture of proxy containers. ([#322](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/322)) ([dc8911e](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/dc8911e3a0db5e32bc4c611ddbdcb875dbcc51e3)) +* Make proxy container healthchecks more resilient. ([#321](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/321)) ([548a922](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/548a9222d54b6c85dd45dc5983beebac5e7f08ef)) + + +### Bug Fixes + +* The e2e k8s node pool version should match the master version ([#319](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/319)) ([fbfa004](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/fbfa00444da0f310f52c61ed4665a5153bebe2c4)) + + +### Miscellaneous Chores + +* Prepare release 0.5.0 ([#327](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/327)) ([5aeb27b](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/5aeb27b100ca186bf74c4952a9252718cd43b60b)) + ## [0.4.0](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v0.3.0...v0.4.0) (2023-03-28) diff --git a/Dockerfile b/Dockerfile index 04c44926..cc66a890 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,7 @@ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec # For multi-arch builds, use automatic platform build arguments # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope 
diff --git a/Dockerfile-operator b/Dockerfile-operator index c98c6bed..6f17b87f 100644 --- a/Dockerfile-operator +++ b/Dockerfile-operator @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Use the latest stable golang 1.x to compile to a binary +# Use the latest stable golang 1.20 to compile to a binary FROM --platform=$BUILDPLATFORM golang:1.20 as build WORKDIR /work @@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec # For multi-arch builds, use automatic platform build arguments # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope diff --git a/Makefile b/Makefile index d668d39e..949043e8 100644 --- a/Makefile +++ b/Makefile @@ -54,7 +54,7 @@ SHELL = /usr/bin/env bash -o pipefail .SHELLFLAGS = -ec ## The version to use for the cert-manager operator -CERT_MANAGER_VERSION=v1.11.0# renovate datasource=github-tags depName=cert-manager/cert-manager +CERT_MANAGER_VERSION=v1.11.1# renovate datasource=github-tags depName=cert-manager/cert-manager ##@ General @@ -125,7 +125,7 @@ go_fmt: # Automatically formats go files go run golang.org/x/tools/cmd/goimports@latest -w . yaml_fmt: # Automatically formats all yaml files - go run github.com/UltiRequiem/yamlfmt@latest -w $(shell find . -iname '*.yaml' -or -iname '*.yml' | grep -v -e '^./bin/') + go run github.com/UltiRequiem/yamlfmt@latest -w $(shell find . -iname '*.yaml' -or -iname '*.yml' | grep -v -e '^./bin/' | grep -v -e '^./.github/workflows/') .PHONY: add_copyright_header add_copyright_header: # Add the copyright header 
@@ -436,8 +436,8 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # Important note: avoid adding spaces in the macro declarations as any # additional whitespace will break the renovate regex rules. -KUBECTL_VERSION=v1.26.3# renovate datasource=github-tags depName=kubernetes/kubernetes -TERRAFORM_VERSION=v1.4.2# renovate datasource=github-tags depName=hashicorp/terraform +KUBECTL_VERSION=v1.27.1# renovate datasource=github-tags depName=kubernetes/kubernetes +TERRAFORM_VERSION=v1.4.5# renovate datasource=github-tags depName=hashicorp/terraform CONTROLLER_TOOLS_VERSION=v0.11.3# renovate datasource=go depName=sigs.k8s.io/controller-tools CRD_REF_DOCS_VERSION=v0.0.8# renovate datasource=go depName=github.com/elastic/crd-ref-docs diff --git a/README.md b/README.md index 2ae702f6..53118638 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.3.0/cloud-sql-proxy-operator.yaml +kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.5.0/cloud-sql-proxy-operator.yaml ``` Confirm that the operator is installed and running by listing its pods: diff --git a/docs/quick-start.md b/docs/quick-start.md index dfe28539..fdc629ca 100644 --- a/docs/quick-start.md +++ b/docs/quick-start.md @@ -20,7 +20,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.3.0/install.sh | bash +curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.5.0/install.sh | bash ``` This will use `helm` to install the `cert-manager` operator, a prerequisite. Then diff --git a/go.mod b/go.mod index 59c069f7..8c523b09 100644 --- a/go.mod +++ b/go.mod 
@@ -3,12 +3,12 @@ module github.com/GoogleCloudPlatform/cloud-sql-proxy-operator
 go 1.20
 require (
- github.com/go-logr/logr v1.2.3
+ github.com/go-logr/logr v1.2.4
 go.uber.org/zap v1.24.0
 k8s.io/api v0.26.3
 k8s.io/apimachinery v0.26.3
 k8s.io/client-go v0.26.3
- sigs.k8s.io/controller-runtime v0.14.4
+ sigs.k8s.io/controller-runtime v0.14.6
 sigs.k8s.io/yaml v1.3.0
 )
diff --git a/go.sum b/go.sum
index 56262714..007b1a12 100644
--- a/go.sum
+++ b/go.sum
@@ -84,8 +84,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
 github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
@@ -604,8 +604,8 @@ k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.14.4 h1:Kd/Qgx5pd2XUL08eOV2vwIq3L9GhIbJ5Nxengbd4/0M=
-sigs.k8s.io/controller-runtime v0.14.4/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
+sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA=
+sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf
index b250c5e5..158caba2 100644
--- a/infra/permissions/main.tf
+++ b/infra/permissions/main.tf
@@ -18,7 +18,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "4.58.0"
+ version = "4.63.0"
 }
 }
 }
@@ -27,16 +27,21 @@ terraform {
 provider "google" {
 user_project_override = true
 billing_project = var.project_id
+ project = var.project_id
+ region = var.gcloud_region
+ zone = var.gcloud_zone
 }
 # Enable gcloud project APIs
 locals {
 project_services = toset([
+ "artifactregistry.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
 "compute.googleapis.com",
 "container.googleapis.com",
- "artifactregistry.googleapis.com",
 "deploymentmanager.googleapis.com",
 "dns.googleapis.com",
+ "iam.googleapis.com",
 "logging.googleapis.com",
 "monitoring.googleapis.com",
 "oslogin.googleapis.com",
@@ -48,7 +53,8 @@ locals { "servicenetworking.googleapis.com", "sql-component.googleapis.com", "sqladmin.googleapis.com", - "storage-api.googleapis.com"]) + "storage-api.googleapis.com" + ]) } resource "google_project_service" "project" { diff --git a/infra/resources/gke_cluster.tf b/infra/resources/gke_cluster.tf index f20e218d..f70fb2e8 100644 --- a/infra/resources/gke_cluster.tf +++ b/infra/resources/gke_cluster.tf @@ -49,7 +49,7 @@ resource "google_container_node_pool" "primary_preemptible_nodes" { name = "operator-test-nodes-${var.environment_name}" cluster = google_container_cluster.primary.id initial_node_count = var.workers_count - version = data.google_container_engine_versions.supported.latest_node_version + version = data.google_container_engine_versions.supported.latest_master_version location = var.gcloud_zone autoscaling { diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 1a642b04..85411f84 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -18,11 +18,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.58.0" + version = "4.63.0" } google-beta = { source = "hashicorp/google-beta" - version = "4.58.0" + version = "4.63.0" } } } diff --git a/infra/resources/private_gke_cluster.tf b/infra/resources/private_gke_cluster.tf index ff1c8617..b61e4f10 100644 --- a/infra/resources/private_gke_cluster.tf +++ b/infra/resources/private_gke_cluster.tf @@ -47,7 +47,7 @@ resource "google_container_node_pool" "private_preemptible_nodes" { name = "operator-private-nodes-${var.environment_name}" cluster = google_container_cluster.private.id initial_node_count = var.workers_count - version = data.google_container_engine_versions.supported.latest_node_version + version = data.google_container_engine_versions.supported.latest_master_version location = var.gcloud_zone autoscaling { 
diff --git a/installer/cloud-sql-proxy-operator.yaml b/installer/cloud-sql-proxy-operator.yaml index 0124c7a0..b527e8d9 100644 --- a/installer/cloud-sql-proxy-operator.yaml +++ b/installer/cloud-sql-proxy-operator.yaml @@ -1465,7 +1465,7 @@ spec: - --leader-elect command: - /manager - image: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:0.4.0 + image: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:0.5.0 livenessProbe: httpGet: path: /healthz diff --git a/installer/install.sh b/installer/install.sh index 549376e1..ed1865c9 100644 --- a/installer/install.sh +++ b/installer/install.sh @@ -16,11 +16,11 @@ set -euxo # exit 1 from the script when command fails -# If CSQL_OPERATOR_VERSION is not set, use the release version: v0.4.0. -CSQL_OPERATOR_VERSION="${CSQL_OPERATOR_VERSION:-v0.4.0}" +# If CSQL_OPERATOR_VERSION is not set, use the release version: v0.5.0. +CSQL_OPERATOR_VERSION="${CSQL_OPERATOR_VERSION:-v0.5.0}" -# If CSQL_CERT_MANAGER_VERSION is not set, use the default: v1.11.0. -CSQL_CERT_MANAGER_VERSION="${CSQL_CERT_MANAGER_VERSION:-v1.11.0}" +# If CSQL_CERT_MANAGER_VERSION is not set, use the default: v1.11.1. +CSQL_CERT_MANAGER_VERSION="${CSQL_CERT_MANAGER_VERSION:-v1.11.1}" # If CSQL_OPERATOR_URL is not set, use the default value from the CSQL_OPERATOR_VERSION CSQL_OPERATOR_URL="${CSQL_OPERATOR_URL:-https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/$CSQL_OPERATOR_VERSION/cloud-sql-proxy-operator.yaml}" diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go index b49ec8ff..6532970b 100644 --- a/internal/workload/podspec_updates.go +++ b/internal/workload/podspec_updates.go 
@@ -39,7 +39,7 @@ const (
 // DefaultProxyImage is the latest version of the proxy as of the release
 // of this operator. This is managed as a dependency. We update this constant
 // when the Cloud SQL Auth Proxy releases a new version.
- DefaultProxyImage = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.1.2"
+ DefaultProxyImage = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.2.0"
 // DefaultFirstPort is the first port number chose for an instance listener by the
 // proxy.
@@ -169,7 +169,9 @@ var defaultContainerResources = corev1.ResourceRequirements{
 // updates the workload's containers. This does not save the updated workload.
 func (u *Updater) FindMatchingAuthProxyWorkloads(pl *cloudsqlapi.AuthProxyWorkloadList, wl *PodWorkload, owners []Workload) []*cloudsqlapi.AuthProxyWorkload {
- // if a wl has an owner, then ignore it.
+ // starting with this pod, traverse the pod and its owners, and
+ // fill wls with a list of workload resources that match an AuthProxyWorkload
+ // in the pl.
 wls := u.filterMatchingInstances(pl, wl.Object())
 for _, owner := range owners {
 wls = append(wls, u.filterMatchingInstances(pl, owner.Object())...)
@@ -480,7 +482,7 @@ func (s *updateState) update(wl *PodWorkload, matches []*cloudsqlapi.AuthProxyWo
 inst := matches[i]
 newContainer := corev1.Container{}
- s.updateContainer(inst, wl, &newContainer)
+ s.updateContainer(inst, &newContainer)
 containers = append(containers, newContainer)
 // Add pod annotation for each instance
@@ -513,9 +515,7 @@ func (s *updateState) update(wl *PodWorkload, matches []*cloudsqlapi.AuthProxyWo
 }
 // updateContainer Creates or updates the proxy container in the workload's PodSpec
-func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, wl Workload, c *corev1.Container) {
- l.Info("Updating wl {{wl}}, no update needed.", "name", client.ObjectKeyFromObject(wl.Object()))
-
+func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, c *corev1.Container) {
 // if the c was fully overridden, just use that c.
 if p.Spec.AuthProxyContainer != nil && p.Spec.AuthProxyContainer.Container != nil {
 p.Spec.AuthProxyContainer.Container.DeepCopyInto(c)
@@ -627,8 +627,19 @@ func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, wl Workl
 // applyContainerSpec applies settings from cloudsqlapi.AuthProxyContainerSpec
 // to the container
 func (s *updateState) applyContainerSpec(p *cloudsqlapi.AuthProxyWorkload, c *corev1.Container) {
+ t := true
+ var f bool
 c.Image = s.defaultProxyImage()
 c.Resources = defaultContainerResources
+ c.SecurityContext = &corev1.SecurityContext{
+ // The default Cloud SQL Auth Proxy image runs as the
+ // "nonroot" user and group (uid: 65532) by default.
+ RunAsNonRoot: &t,
+ // Use a read-only filesystem
+ ReadOnlyRootFilesystem: &t,
+ // Do not allow privilege escalation
+ AllowPrivilegeEscalation: &f,
+ }
 if p.Spec.AuthProxyContainer == nil {
 return
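Review bot: The new SecurityContext in applyContainerSpec covers two of the four container-level controls the Kubernetes "restricted" Pod Security Standard requires (`runAsNonRoot` and `allowPrivilegeEscalation: false`); the other two fit in the same literal: `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` and `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},`, and a plain Go binary like the proxy should run fine under the runtime default profile. Since this block runs before the `p.Spec.AuthProxyContainer == nil` check it applies to every generated proxy container, including ones whose image is presumably overridden later in the function (outside the hunk), and `RunAsNonRoot: true` makes the kubelet refuse to start an image whose default user is root — worth a sentence in the doc comment and on the image override field. `ReadOnlyRootFilesystem: true` likewise needs a writable volume mounted for any mode in which the proxy writes to disk (unix sockets, for instance); if the operator already does that, a comment pointing at it would save the next reader a search. The `(uid: 65532)` in the comment is true of the default distroless-based image only, so it is best phrased as describing that image rather than the setting.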
@@ -739,21 +750,18 @@ func (s *updateState) addHealthCheck(p *cloudsqlapi.AuthProxyWorkload, c *corev1
 Port: intstr.IntOrString{IntVal: port},
 Path: "/startup",
 }},
- PeriodSeconds: 30,
- }
- c.ReadinessProbe = &corev1.Probe{
- ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{
- Port: intstr.IntOrString{IntVal: port},
- Path: "/readiness",
- }},
- PeriodSeconds: 30,
+ PeriodSeconds: 1,
+ FailureThreshold: 60,
+ TimeoutSeconds: 10,
 }
 c.LivenessProbe = &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{
 Port: intstr.IntOrString{IntVal: port},
 Path: "/liveness",
 }},
- PeriodSeconds: 30,
+ PeriodSeconds: 10,
+ FailureThreshold: 3,
+ TimeoutSeconds: 10,
 }
 // Add a port that is associated with the proxy, but not a specific db instance
 s.addProxyPort(port, p)
diff --git a/version.txt b/version.txt
index 1d0ba9ea..8f0916f7 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.4.0
+0.5.0
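Review bot: Removing the readiness probe means the proxy's `/readiness` endpoint is no longer consulted at all; once the startup probe has passed, the container stays Ready for as long as it is running (inferred from kubelet behaviour when no readiness probe is set), so a proxy that loses its database connections after startup remains in Service endpoints until the liveness probe restarts it, which with `PeriodSeconds: 10` and `FailureThreshold: 3` is roughly 30 s plus the 10 s timeout per attempt. If that trade-off is deliberate — the commit message calls it "more resilient", presumably against flapping — it deserves a comment above the StartupProbe literal such as `// No readiness probe: readiness tracked /readiness too aggressively; liveness handles post-startup failure.`, phrased with the actual reason. The startup window also changes from 30 s × the default threshold to 60 × 1 s, so the effective time allowed for the proxy to come up is now about 60 s; stating that bound in the same comment helps operators tune it. addHealthCheck begins before this hunk.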