Added PSC Private Service Connect for GCP CloudSQL

changelog/27889.txt

@@ -0,0 +1,6 @@
+```release-note:improvement
+secrets/database: Add PSC support for GCP CloudSQL MySQL and Postgresql
+```
+```release-note:improvement
+secrets/database: Add PrivateIP support for MySQL
+```

plugins/database/mysql/connection_producer.go

@@ -123,8 +123,11 @@
 	}
 
 	// validate auth_type if provided
-	if ok := connutil.ValidateAuthType(c.AuthType); !ok {
-		return nil, fmt.Errorf("invalid auth_type: %s", c.AuthType)
+	authType := c.AuthType
+	if authType != "" {
+		if ok := connutil.ValidateAuthType(authType); !ok {
+			return nil, fmt.Errorf("invalid auth_type %s provided", authType)
+		}
 	}
 
 	if c.AuthType == connutil.AuthTypeGCPIAM {
@@ -319,7 +322,7 @@
 }
 
 func registerDriverMySQL(driverName, credentials string) (cleanup func() error, err error) {
 	opts, err := connutil.GetCloudSQLAuthOptions(credentials, false)
 	if err != nil {
 		return nil, err
 	}

sdk/database/helper/connutil/cloudsql.go

@@ -23,13 +23,13 @@ func (c *SQLConnectionProducer) getCloudSQLDriverType() (string, error) {
 	return driverType, nil
 }
 
-func (c *SQLConnectionProducer) registerDrivers(driverName string, credentials string, usePrivateIP bool) (func() error, error) {
+func (c *SQLConnectionProducer) registerDrivers(driverName string, credentials string, usePrivateIP bool, usePSC bool) (func() error, error) {
 	typ, err := c.getCloudSQLDriverType()
 	if err != nil {
 		return nil, err
 	}
 
-	opts, err := GetCloudSQLAuthOptions(credentials, usePrivateIP)
+	opts, err := GetCloudSQLAuthOptions(credentials, usePrivateIP, usePSC)
 	if err != nil {
 		return nil, err
 	}
@@ -45,7 +45,7 @@ func (c *SQLConnectionProducer) registerDrivers(driverName string, credentials s
 
 // GetCloudSQLAuthOptions takes a credentials JSON and returns
 // a set of GCP CloudSQL options - always WithIAMAUthN, and then the appropriate file/JSON option.
-func GetCloudSQLAuthOptions(credentials string, usePrivateIP bool) ([]cloudsqlconn.Option, error) {
+func GetCloudSQLAuthOptions(credentials string, usePrivateIP bool, usePSC bool) ([]cloudsqlconn.Option, error) {
 	opts := []cloudsqlconn.Option{cloudsqlconn.WithIAMAuthN()}
 
 	if credentials != "" {
@@ -56,5 +56,9 @@ func GetCloudSQLAuthOptions(credentials string, usePrivateIP bool) ([]cloudsqlco
 		opts = append(opts, cloudsqlconn.WithDefaultDialOptions(cloudsqlconn.WithPrivateIP()))
 	}
 
+	if usePSC {
+		opts = append(opts, cloudsqlconn.WithDefaultDialOptions(cloudsqlconn.WithPSC()))
+	}
+
 	return opts, nil
 }

sdk/database/helper/connutil/sql.go

@@ -45,7 +45,8 @@ type SQLConnectionProducer struct {
 	MaxIdleConnections       int         `json:"max_idle_connections" mapstructure:"max_idle_connections" structs:"max_idle_connections"`
 	MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"`
 	DisableEscaping          bool        `json:"disable_escaping" mapstructure:"disable_escaping" structs:"disable_escaping"`
-	usePrivateIP             bool        `json:"use_private_ip" mapstructure:"use_private_ip" structs:"use_private_ip"`
+	UsePrivateIP             bool        `json:"use_private_ip" mapstructure:"use_private_ip" structs:"use_private_ip"`
+	UsePSC                   bool        `json:"use_psc" mapstructure:"use_psc" structs:"use_psc"`
 
 	// Username/Password is the default auth type when AuthType is not set
 	Username string `json:"username" mapstructure:"username" structs:"username"`
@@ -151,7 +152,7 @@ func (c *SQLConnectionProducer) Init(ctx context.Context, conf map[string]interf
 		// however, the driver might store a credentials file, in which case the state stored by the driver is in
 		// fact critical to the proper function of the connection. So it needs to be registered here inside the
 		// ConnectionProducer init.
-		dialerCleanup, err := c.registerDrivers(c.cloudDriverName, c.ServiceAccountJSON, c.usePrivateIP)
+		dialerCleanup, err := c.registerDrivers(c.cloudDriverName, c.ServiceAccountJSON, c.UsePrivateIP, c.UsePSC)
 		if err != nil {
 			return nil, err
 		}

website/content/api-docs/secret/databases/mysql-maria.mdx

@@ -53,6 +53,12 @@ has a number of parameters to further configure a connection.
 - `service_account_json` `(string: "")` - JSON encoded credentials for a GCP Service Account to use
   for IAM authentication. Requires `auth_type` to be `gcp_iam`.
 
+- `use_private_ip` `(boolean: false)` - Enables the option to connect to CloudSQL Instances with Private IP.
+   Requires `auth_type` to be `gcp_iam`.
+
+- `use_psc` `(boolean: false)` - Enables the option to connect to CloudSQL Instances with Private Service Connect.
+   Requires `auth_type` to be `gcp_iam`.
+
 - `tls_certificate_key` `(string: "")` - x509 certificate for connecting to the database.
   This must be a PEM encoded version of the private key and the certificate combined.
 

website/content/api-docs/secret/databases/postgresql.mdx

@@ -61,6 +61,9 @@ has a number of parameters to further configure a connection.
 - `use_private_ip` `(boolean: false)` - Enables the option to connect to CloudSQL Instances with Private IP.
    Requires `auth_type` to be `gcp_iam`.
 
+- `use_psc` `(boolean: false)` - Enables the option to connect to CloudSQL Instances with Private Service Connect.
+   Requires `auth_type` to be `gcp_iam`.
+
 - `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 

website/content/docs/secrets/databases/mysql-maria.mdx

@@ -202,6 +202,8 @@ GRANT SELECT, CREATE, CREATE USER ON <database>.<object> TO "test-user"@"%" WITH
         plugin_name="mysql-database-plugin" \
         allowed_roles="my-role" \
         connection_url="user@cloudsql-mysql(project:region:instance)/mysql" \
+        use_private_ip="false" \
+        use_psc="false" \
         auth_type="gcp_iam"
     ```
 
@@ -214,6 +216,8 @@ GRANT SELECT, CREATE, CREATE USER ON <database>.<object> TO "test-user"@"%" WITH
         allowed_roles="my-role" \
         connection_url="user@cloudsql-mysql(project:region:instance)/mysql" \
         auth_type="gcp_iam" \
+        use_private_ip="false" \
+        use_psc="false" \
         service_account_json="@my_credentials.json"
     ```
 

website/content/docs/secrets/databases/postgresql.mdx

@@ -129,6 +129,7 @@ ALTER USER "<YOUR DB USERNAME>" WITH CREATEROLE;
         allowed_roles="my-role" \
         connection_url="host=project:us-west1:mydb [email protected] dbname=postgres sslmode=disable" \
         use_private_ip="false" \
+        use_psc="false" \
         auth_type="gcp_iam"
     ```
 
@@ -141,6 +142,7 @@ ALTER USER "<YOUR DB USERNAME>" WITH CREATEROLE;
         allowed_roles="my-role" \
         connection_url="host=project:region:instance [email protected] dbname=postgres sslmode=disable" \
         use_private_ip="false" \
+        use_psc="false" \
         auth_type="gcp_iam" \
         service_account_json="@my_credentials.json"
     ```