An authentication proxy for Google Cloud managed databases. Based on the ideas of cloudsql-proxy but intended to be run as a standalone network accessible service rather than a sidecar.
We’ve been using cloudsql-proxy for several years now to power our db-operator project. It has been for the most part reliable but key differences between how we deploy it and Google’s reference architecture have led to production issues.
db-auth-gateway to address these issues and add a variety of wish list features such as improved observability, and testing.
- Connection draining during shutdown to support zero downtime deployments and load balancing.
- Prometheus metrics support for improved observability.
- Full test suite including realistic Google service mocks.
- Simplified modern code base.
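The connection draining listed above, sketched in Go as an added example (not db-auth-gateway's own code): the listener is closed so no new connections arrive, and shutdown waits for established connections until a deadline. `Start`, `handle` and the returned drain function are hypothetical names, and the listen address is a constructed demo value.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sync"
	"time"
)

// Start is a hypothetical helper (not db-auth-gateway's API): it runs handle,
// a stand-in for proxying, per connection and returns a drain function.
func Start(ln net.Listener, handle func(net.Conn)) func(context.Context) error {
	var active sync.WaitGroup
	active.Add(1) // counts the accept loop, so Wait never races a later Add
	go func() {
		defer active.Done()
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by drain (any accept error ends the loop)
			}
			active.Add(1)
			go func() { defer active.Done(); defer c.Close(); handle(c) }()
		}
	}()
	return func(ctx context.Context) error {
		ln.Close() // refuse new connections; established ones keep running
		done := make(chan struct{})
		go func() { active.Wait(); close(done) }()
		select {
		case <-done:
			return nil
		case <-ctx.Done():
			return ctx.Err() // deadline passed with connections still open
		}
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // constructed demo address
	if err != nil {
		panic(err)
	}
	drain := Start(ln, func(c net.Conn) { c.Read(make([]byte, 1)) })
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	fmt.Println("drain result:", drain(ctx)) // nothing connected, so <nil>
}
```

A drain call that returns the context error means clients were still connected at the deadline, so the caller decides whether to wait longer or close them.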
docker-compose to start a local PostgreSQL instance, and Google API mock:
You can then run db-auth-gateway locally with:

```bash
db-auth-gateway --api-endpoint=http://localhost:8080 --credential-file=DISABLED \
  --instance=my-project:my-region:my-database
```
db-auth-gateway will listen on port 5432 (by default) for SQL connections.
```bash
PGPASSWORD=mysecretpassword psql -h localhost -p 5432 -d postgres postgres
```
db-auth-gateway has a variety of command line flags for configuring its behavior:
| Flag | Default | Description |
|------|---------|-------------|
| --credential-file | | JSON file containing the Google Cloud credentials |
| --instance | | Fully qualified database instance to connect to (project:region:name) |
| --listen | :5432 | Address and port to listen on |
| --remote-port | 3307 | Port to connect to the remote server on |
| --max-connections | 0 | The maximum number of active connections. Defaults to 0 (unlimited) |
| --min-refresh-interval | 1m | The minimum amount of time to wait between API calls |
| --periodic-refresh-interval | 5m | Configuration is eagerly refreshed on a schedule. This is the nominal period between API calls. |
| --api-endpoint | | If specified the URL to use for API calls |
db-auth-gateway, simply run make without any arguments.
The resulting binary will be written to:
Before committing any code you should always lint and test your changes.
Running the Tests
First start the Google API mock using
Then run the tests:
End to End Testing
You run the end to end tests with:
The tests will start a local instance of db-auth-gateway and verify it is able to connect to and query the Postgres database, and Google API mock.
- The Go Gopher by Renee French, licensed under the CC BY 3.0.