Enable MTLS communication with Google Cloud SQL (#2154)

* Initial commit * Add annotation for tenant fetcher jobs * Adress pr comment * Add annotation where missing * Change rolebinding * Remove sa private key configuration * Minor tweak * Tweak * Remove leftover * Adjust sa for istio e2e tests
kyma-incubator · Jan 13, 2022 · 5079625 · 5079625
1 parent 28865b7
commit 5079625
Show file tree

Hide file tree

Showing 29 changed files with 118 additions and 208 deletions.
diff --git a/chart/compass/charts/director/templates/deployment.yaml b/chart/compass/charts/director/templates/deployment.yaml
@@ -252,34 +252,20 @@ spec:
               mountPath: /pairing-adapters
             {{ end }}
 
-
         {{if eq .Values.global.database.embedded.enabled false}}
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
         - name: cloudsql-proxy
           image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine
           command: ["/cloud_sql_proxy",
                     "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432",
-                    "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json",
                     "-term_timeout=2s"]
           resources:
           {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }}
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
           {{- with .Values.deployment.securityContext }}
           securityContext:
 {{ toYaml . | indent 12 }}
           {{- end }}
           {{end}}
       volumes:
-        {{if eq .Values.global.database.embedded.enabled false}}
-        - name: cloudsql-instance-credentials
-          secret:
-            secretName: cloudsql-instance-credentials
-        {{end}}
         - name: director-config
           configMap:
             name: {{ template "fullname" . }}-config

diff --git a/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml b/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml
@@ -26,6 +26,7 @@ spec:
         app: {{ $jobName }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ template "fullname" . }}
       restartPolicy: Never
       shareProcessNamespace: true
       containers:
@@ -88,19 +89,10 @@ spec:
             - /bin/sh
           args:
             - -c
-            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s"
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
+            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s"
         {{- end}}
       volumes:
       - name: director-config
         configMap:
           name: {{ template "fullname" . }}-config
-      {{- if eq .Values.global.database.embedded.enabled false }}
-      - name: cloudsql-instance-credentials
-        secret:
-          secretName: cloudsql-instance-credentials
-      {{- end }}
 {{- end }}
diff --git a/chart/compass/charts/director/templates/rbac.yaml b/chart/compass/charts/director/templates/rbac.yaml
@@ -3,6 +3,10 @@ kind: ServiceAccount
 metadata:
   name: {{ template "fullname" . }}
   namespace: {{ .Release.Namespace }}
+  {{- if eq .Values.global.database.embedded.enabled false }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

diff --git a/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml b/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml
@@ -16,6 +16,7 @@ spec:
                         app: {{ .Chart.Name }}-tenant-loader
                         release: {{ .Release.Name }}
                 spec:
+                    serviceAccountName: {{ template "fullname" . }}
                     restartPolicy: Never
                     shareProcessNamespace: true
                     containers:
@@ -75,18 +76,9 @@ spec:
                             - /bin/sh
                           args:
                             - -c
-                            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s"
-                          volumeMounts:
-                            - name: cloudsql-instance-credentials
-                              mountPath: /secrets/cloudsql-instance-credentials
-                              readOnly: true
+                            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s"
                       {{end}}
                     volumes:
                       - name: external-tenant-config
                         configMap:
                           name: compass-director-external-tenant-config
-                    {{if eq .Values.global.database.embedded.enabled false}}
-                      - name: cloudsql-instance-credentials
-                        secret:
-                          secretName: cloudsql-instance-credentials
-                    {{end}}
diff --git a/chart/compass/charts/director/templates/tenant-loader-job-default.yaml b/chart/compass/charts/director/templates/tenant-loader-job-default.yaml
@@ -17,6 +17,7 @@ spec:
                 app: {{ .Chart.Name }}
                 release: {{ .Release.Name }}
         spec:
+            serviceAccountName: {{ template "fullname" . }}
             restartPolicy: Never
             shareProcessNamespace: true
             containers:
@@ -76,19 +77,10 @@ spec:
                     - /bin/sh
                   args:
                     - -c
-                    - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s"
-                  volumeMounts:
-                    - name: cloudsql-instance-credentials
-                      mountPath: /secrets/cloudsql-instance-credentials
-                      readOnly: true
+                    - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s"
               {{end}}
             volumes:
               - name: default-tenant-config
                 configMap:
                   name: {{ template "fullname" . }}-default-tenant-config
-            {{if eq .Values.global.database.embedded.enabled false}}
-              - name: cloudsql-instance-credentials
-                secret:
-                  secretName: cloudsql-instance-credentials
-            {{end}}
   {{ end }}
diff --git a/chart/compass/charts/ord-service/templates/deployment.yaml b/chart/compass/charts/ord-service/templates/deployment.yaml
@@ -33,6 +33,7 @@ spec:
         app: {{ .Chart.Name }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ template "fullname" . }}
       nodeSelector:
         {{- toYaml .Values.deployment.nodeSelector | nindent 8 }}
       containers:
@@ -104,29 +105,15 @@ spec:
             periodSeconds: {{.Values.deployment.readinessProbe.periodSeconds }}
           volumeMounts:
         {{if eq .Values.global.database.embedded.enabled false}}
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
         - name: cloudsql-proxy
           image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine
           command: ["/cloud_sql_proxy",
                     "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432",
-                    "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json",
                     "-term_timeout=2s"]
           resources:
           {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }}
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
           {{- with .Values.deployment.securityContext }}
           securityContext:
 {{ toYaml . | indent 12 }}
           {{- end }}
           {{end}}
-      volumes:
-        {{if eq .Values.global.database.embedded.enabled false}}
-        - name: cloudsql-instance-credentials
-          secret:
-            secretName: cloudsql-instance-credentials
-        {{end}}
diff --git a/chart/compass/charts/ord-service/templates/rbac.yaml b/chart/compass/charts/ord-service/templates/rbac.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- if eq .Values.global.database.embedded.enabled false }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }}
+  {{- end }}
diff --git a/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml b/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml
@@ -100,12 +100,7 @@ spec:
         - name: cloudsql-proxy
           image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine
           command: ["/cloud_sql_proxy",
-                    "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432",
-                    "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json"]
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
+                    "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432"]
       {{end}}
       {{- with .Values.extraContainers }}
 {{ tpl . $ | indent 8 }}
@@ -129,11 +124,6 @@ spec:
           defaultMode: 420
           name: {{ template "prometheus-postgres-exporter.fullname" . }}
         name: queries
-      {{if eq .Values.global.database.embedded.enabled false}}
-      - name: cloudsql-instance-credentials
-        secret:
-          secretName: cloudsql-instance-credentials
-      {{end}}
 {{- with .Values.extraVolumes }}
 {{ tpl . $ | indent 6 }}
 {{- end }}
diff --git a/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml b/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "prometheus-postgres-exporter.serviceAccountName" . }}
+  {{- if eq .Values.global.database.embedded.enabled false }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }}
+  {{- end }}
   labels:
     app: {{ template "prometheus-postgres-exporter.name" . }}
     chart: {{ template "prometheus-postgres-exporter.chart" . }}    

diff --git a/chart/compass/charts/tenant-fetcher/templates/deployment.yaml b/chart/compass/charts/tenant-fetcher/templates/deployment.yaml
@@ -33,6 +33,7 @@ spec:
         app: {{ .Chart.Name }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ template "fullname" . }}
       nodeSelector:
         {{- toYaml .Values.deployment.nodeSelector | nindent 8 }}
       containers:
@@ -142,30 +143,15 @@ spec:
             timeoutSeconds: {{ .Values.global.readinessProbe.timeoutSeconds }}
             periodSeconds: {{.Values.global.readinessProbe.periodSeconds }}
         {{if eq .Values.global.database.embedded.enabled false}}
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
         - name: cloudsql-proxy
           image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine
           command: ["/cloud_sql_proxy",
                     "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432",
-                    "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json",
                     "-term_timeout=2s"]
           resources:
           {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }}
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
           {{- with .Values.deployment.securityContext }}
           securityContext:
 {{ toYaml . | indent 12 }}
           {{- end }}
           {{end}}
-      volumes:
-        {{if eq .Values.global.database.embedded.enabled false}}
-        - name: cloudsql-instance-credentials
-          secret:
-            secretName: cloudsql-instance-credentials
-        {{end}}
diff --git a/chart/compass/charts/tenant-fetcher/templates/rbac.yaml b/chart/compass/charts/tenant-fetcher/templates/rbac.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- if eq .Values.global.database.embedded.enabled false }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }}
+  {{- end }}
diff --git a/chart/compass/configure-managed-gcp-postgresql.md b/chart/compass/configure-managed-gcp-postgresql.md
@@ -16,7 +16,6 @@ To install Compass with GCP managed Postgres database, set the **database.embedd
 
 | Parameter | Description | Values | Default |
 | --- | --- | --- | --- |
-| `global.database.managedGCP.serviceAccountKey` | Specifies base64 encoded the key for GCP Service Account mentioned in prerequisites. | base64 encoded string | "" |
 | `global.database.managedGCP.instanceConnectionName` | Specifies instance connection name to GCP PostgreSQL database | string | "" |
 | `global.database.managedGCP.director.user` | Specifies the database username in the Director. | string | "" |
 | `global.database.managedGCP.director.password` | Specifies the password to the user's database in the Director. | string | "" |

diff --git a/chart/compass/templates/managed-postgresql-secret.yaml b/chart/compass/templates/managed-postgresql-secret.yaml
@@ -1,15 +1,6 @@
 {{if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.manageSecrets true) }}
 apiVersion: v1
 kind: Secret
-type: Opaque
-metadata:
-  name: cloudsql-instance-credentials
-  namespace: {{ .Release.Namespace }}
-data:
-  credentials.json: {{ .Values.global.database.managedGCP.serviceAccountKey }}
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: compass-postgresql
   namespace: {{ .Release.Namespace }}
@@ -27,15 +18,6 @@ data:
 ---
 apiVersion: v1
 kind: Secret
-type: Opaque
-metadata:
-  name: cloudsql-instance-credentials
-  namespace: {{ .Values.global.tests.namespace }}
-data:
-  credentials.json: {{ .Values.global.database.managedGCP.serviceAccountKey }}
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: compass-postgresql
   namespace: {{ .Values.global.tests.namespace }}

diff --git a/chart/compass/templates/migrator-down-job.yaml b/chart/compass/templates/migrator-down-job.yaml
@@ -16,6 +16,7 @@ spec:
         app: {{ .Chart.Name }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ $.Chart.Name }}-migrator-down-job
       {{- if eq .Values.global.migratorJob.nodeSelectorEnabled true }}
       nodeSelector:
         migrationJobs: "true"
@@ -30,11 +31,7 @@ spec:
             - /bin/sh
           args:
             - -c
-            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s"
-          volumeMounts:
-            - name: cloudsql-instance-credentials
-              mountPath: /secrets/cloudsql-instance-credentials
-              readOnly: true
+            - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s"
         {{- end }}
         - name: migrator
           image: {{ .Values.global.images.containerRegistry.path }}/{{ .Values.global.images.schema_migrator.dir }}compass-schema-migrator:{{ .Values.global.images.schema_migrator.version }}
@@ -82,8 +79,19 @@ spec:
         - name: migrations-storage
           persistentVolumeClaim:
             claimName: {{ .Values.global.migratorJob.pvc.name }}
-      {{- if eq .Values.global.database.embedded.enabled false }}
-        - name: cloudsql-instance-credentials
-          secret:
-            secretName: cloudsql-instance-credentials
-      {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Chart.Name }}-migrator-down-job
+  namespace: {{ $.Release.Namespace }}
+  {{- if eq .Values.global.database.embedded.enabled false }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }}
+  {{- end }}
+  labels:
+    app: {{ $.Chart.Name }}
+    release: {{ $.Release.Name }}
+    helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}