Added PSC Private Service Connect for GCP CloudSQL #27889
Conversation
Added PrivateIP support for GCP MySQL
|
|
|
@fairclothjm Any chance something from Hashicorp can take a look ? Thanks |
heatherezell
added
the
hashicorp-contributed-pr
schavis
added
the
content-lgtm
| usePrivateIP bool `json:"use_private_ip" mapstructure:"use_private_ip" structs:"use_private_ip"` | ||
| usePSC bool `json:"use_psc" mapstructure:"use_psc" structs:"use_psc"` |
There was a problem hiding this comment.
Do we still want these fields for mysql?
There was a problem hiding this comment.
Yes, I havee tested them as well.
|
So I did a few test across 6 databases, MySQL and Postgresql with PSC or PrivateIP or default settings. For example for Postgresql with PSC when trying Prrivate Ip for the PSC enable instance you can find the repos to setup DB and related infra in GCP : https://github.com/shinji62/vault-tf-psc-test
|
| UsePrivateIP bool `json:"use_private_ip" mapstructure:"use_private_ip" structs:"use_private_ip"` | ||
| UsePSC bool `json:"use_psc" mapstructure:"use_psc" structs:"use_psc"` |
There was a problem hiding this comment.
These will be returned in the READ response for all database plugins that embed this SQLConnectionProducer struct. That is not ideal, since they are only relevant to a small subset of database plugins. It might be better to implement this per-plugin similar to mysql. Maybe there is some common code that could be reused by each plugin?
There was a problem hiding this comment.
But this is already the case for
AuthType string `json:"auth_type" mapstructure:"auth_type" structs:"auth_type"`
ServiceAccountJSON string `json:"service_account_json" mapstructure:"service_account_json" structs:"service_account_json"`
Which is only supported for Postgresql, but still field is available for hana, mssql, redshift
There was a problem hiding this comment.
Oh actually I was able to remove from the read path, when auth_type is not gcp_iam
Test (did the same test with mysql as well)
Postgresql
Write and read using auth_typegcp_iam
vault write database/config/my-postgresql-database-psc \
plugin_name="postgresql-database-plugin" \
allowed_roles="my-role" \
connection_url="host=sej-tools-hashicorp:asia-northeast1:psc-enabled-main-instance [email protected] dbname=postgres sslmode=disable" \
auth_type="gcp_iam"
use_psc=true
Success! Data written to: database/config/my-postgresql-database-psc
vault read database/config/my-postgresql-database-psc
Key Value
--- -----
allowed_roles [my-role]
connection_details map[auth_type:gcp_iam connection_url:host=sej-tools-hashicorp:asia-northeast1:psc-enabled-main-instance [email protected] dbname=postgres sslmode=disable use_psc:true]
password_policy n/a
plugin_name postgresql-database-plugin
plugin_version n/a
root_credentials_rotate_statements []
Write and read using normal plugin and normal auth
vault write database/config/my-postgresql-database-psc-ip \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@127.0.0.1/postgres?sslmode=disable" \
allowed_roles=readonly \
username="admin" \
password="XXXXXx"
Success! Data written to: database/config/my-postgresql-database-psc-ip
vault read database/config/my-postgresql-database-psc-ip
Key Value
--- -----
allowed_roles [readonly]
connection_details map[connection_url:postgresql://{{username}}:{{password}}@127.0.0.1/postgres?sslmode=disable username:admin]
password_policy n/a
plugin_name postgresql-database-plugin
plugin_version n/a
root_credentials_rotate_statements []
There was a problem hiding this comment.
I was wrong about this. See my comment here https://github.com/hashicorp/vault/pull/27889/files#r1720329947
| // If the auth_type is not gcp_iam we remove the field from the read response | ||
|
|
||
| if authType, ok := config.ConnectionDetails["auth_type"]; ok { | ||
| if authType != connutil.AuthTypeGCPIAM { | ||
| delete(config.ConnectionDetails, "use_private_ip") | ||
| delete(config.ConnectionDetails, "use_psc") | ||
| } | ||
| } |
There was a problem hiding this comment.
My apologies! This isn't actually needed after all. These won't be returned in the response because connection details will only contain what was set in the write request.
There was a problem hiding this comment.
I just reverted my commit.
shinji62
force-pushed
the
feature/add_psc_google_database
branch
from
a95ca68 to
d862d0b
Compare
|
can this get some attention? we would love to get this released and supported |
Added PrivateIP support for GCP MySQL
Description
This PR add Private Service Connect for CloudSQL (MySQL and PostgresSQL), this PR also add PrivateIP support for MySQL, previous PR( #26827) just added to Postgres.
Close #27867
TODO only if you're a HashiCorp employee
getting backported to N-2, use the new style
backport/ent/x.x.x+entlabelsinstead of the old style
backport/x.x.xlabels.-[N/A] Labels: If this PR is a CE only change, it can only be backported to N, so use
the normal
backport/x.x.xlabel (there should be only 1).of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.