Package v1 contains the API Schema definitions for the custom resource AuthProxyWorkload version v1.

AdminServerSpec specifies how to start the proxy's admin server: which port and whether to enable debugging or quitquitquit. It controls the proxy's --admin-port, --debug, and --quitquitquit CLI flags.
Appears in: AuthProxyContainerSpec

Field | Description | Default | Validation |
---|---|---|---|
`port` _integer_ | Port is the port for the proxy's localhost-only admin server. This sets the proxy container's CLI argument --admin-port. | | Minimum: 1 |
`enableAPIs` _string array_ | EnableAPIs specifies the list of admin APIs to enable. At least one API must be enabled. Possible values: "Debug" enables pprof debugging by setting the --debug CLI flag; "QuitQuitQuit" enables the quitquitquit endpoint by setting the --quitquitquit CLI flag. | | MinItems: 1 |
AuthProxyContainerSpec describes the global proxy configuration and the Kubernetes-specific container configuration.
Appears in: AuthProxyWorkloadSpec

Field | Description | Default | Validation |
---|---|---|---|
`container` _Container_ | Container is a debugging parameter that, when specified, overrides the proxy container with a completely custom Container spec. | | Optional: {} |
`resources` _ResourceRequirements_ | Resources specifies the resources required for the proxy pod. | | Optional: {} |
`telemetry` _TelemetrySpec_ | Telemetry specifies how the proxy should expose telemetry. Optional, by default | | Optional: {} |
`adminServer` _AdminServerSpec_ | AdminServer specifies the config for the proxy's admin service, which is available to other containers in the same pod. | | |
`authentication` _AuthenticationSpec_ | Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API. | | |
`maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit. This sets the proxy container's CLI argument --max-connections. | | Minimum: 0 Optional: {} |
`maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument --max-sigterm-delay and configures terminationGracePeriodSeconds on the workload's PodSpec. | | Minimum: 0 Optional: {} |
`minSigtermDelay` _integer_ | MinSigtermDelay is the minimum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument --min-sigterm-delay. | | Minimum: 0 Optional: {} |
`sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that, when specified, changes the Google Cloud API endpoint used by the proxy. | | Optional: {} |
`image` _string_ | Image is the URL to the proxy image. Optional; by default the operator uses the latest Cloud SQL Auth Proxy version as of the release of the operator. The operator ensures that all workloads configured with the default proxy image are upgraded automatically to the latest released proxy image: when the customer upgrades the operator, the operator upgrades all workloads using the default proxy image to the latest proxy image. The change to the proxy container image is applied in accordance with the RolloutStrategy. | | Optional: {} |
`rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to the workloads affected by this resource. When this is set to `Workload`, changes to this resource are automatically applied to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in accordance with the Strategy set on that workload. When this is set to `None`, the operator takes no action to roll out changes to affected workloads. `Workload` is used by default if no value is set. See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | Workload | Enum: [Workload None] Optional: {} |
`refreshStrategy` _string_ | RefreshStrategy indicates which refresh strategy the proxy should use. When this is set to `lazy`, the proxy uses a lazy refresh strategy and is configured to run with the --lazy-refresh flag. When this is omitted or set to `background`, the proxy uses the default background refresh strategy. See: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/?tab=readme-ov-file#configuring-a-lazy-refresh | background | Enum: [lazy background] Optional: {} |
`quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of logging generated by the proxy container. | | |
AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied to a matching set of workloads, and shows the status of those proxy containers.

Field | Description | Default | Validation |
---|---|---|---|
`apiVersion` _string_ | `cloudsql.cloud.google.com/v1` | | |
`kind` _string_ | `AuthProxyWorkload` | | |
`metadata` _ObjectMeta_ | Refer to the Kubernetes API documentation for the fields of `metadata`. | | |
`spec` _AuthProxyWorkloadSpec_ | | | |
AuthProxyWorkloadSpec describes where and how to configure the proxy.
Appears in: AuthProxyWorkload

Field | Description | Default | Validation |
---|---|---|---|
`workloadSelector` _WorkloadSelectorSpec_ | WorkloadSelector selects the workload where the proxy container will be added. | | Required: {} |
`instances` _InstanceSpec array_ | Instances describes the Cloud SQL instances to configure on the proxy container. | | MinItems: 1 Required: {} |
`authProxyContainer` _AuthProxyContainerSpec_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. | | Optional: {} |
AuthenticationSpec specifies how the proxy is authenticated with the Google Cloud SQL Admin API. This configures the proxy's --impersonate-service-account flag.
Appears in: AuthProxyContainerSpec

Field | Description | Default | Validation |
---|---|---|---|
`impersonationChain` _string array_ | ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator role must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy. | | |
InstanceSpec describes the configuration for how the proxy should expose a Cloud SQL database instance to a workload.
In the minimum recommended configuration, the operator will choose a non-conflicting TCP port and set the environment variables MY_DB_SERVER_PORT and MY_DB_SERVER_HOST to the value of the TCP port and hostname. The application can read these values to connect to the database through the proxy. For example:

```json
{
  "connectionString": "my-project:us-central1:my-db-server",
  "portEnvName": "MY_DB_SERVER_PORT",
  "hostEnvName": "MY_DB_SERVER_HOST"
}
```

If you want to assign a specific port number for a database, set the port field. For example:

```json
{ "connectionString": "my-project:us-central1:my-db-server", "port": 5000 }
```

Appears in: AuthProxyWorkloadSpec

Field | Description | Default | Validation |
---|---|---|---|
`connectionString` _string_ | ConnectionString is the connection string for the Cloud SQL instance in the format project_id:region:instance_name. | | Pattern: `^([^:]+(:[^:]+)?):([^:]+):([^:]+)$` Required: {} |
`port` _integer_ | Port (optional) sets the TCP port for this instance. If not set, a value will be automatically assigned by the operator and set as an environment variable, named according to PortEnvName, on all containers in the workload. The operator will choose a port so that it does not conflict with other ports on the workload. | | Minimum: 1 Optional: {} |
`autoIAMAuthN` _boolean_ | AutoIAMAuthN (optional) enables IAM authentication for this instance. Default value is false. | | Optional: {} |
`privateIP` _boolean_ | PrivateIP (optional) enables connection to the Cloud SQL instance's private IP for this instance. Default value is false. | | Optional: {} |
`psc` _boolean_ | PSC (optional) enables connection to the Cloud SQL instance's Private Service Connect endpoint. May not be used with PrivateIP. Default value is false. | | Optional: {} |
`portEnvName` _string_ | PortEnvName is the name of the environment variable containing this instance's TCP port. Optional; when set, this environment variable will be added to all containers in the workload. | | Optional: {} |
`hostEnvName` _string_ | HostEnvName is the name of the environment variable containing this instance's TCP hostname. Optional; when set, this environment variable will be added to all containers in the workload. | | Optional: {} |
`unixSocketPath` _string_ | UnixSocketPath is the path to the unix socket where the proxy will listen for connections. This will be mounted to all containers in the pod. | | Optional: {} |
`unixSocketPathEnvName` _string_ | UnixSocketPathEnvName is the environment variable containing the value of UnixSocketPath. | | Optional: {} |
TelemetrySpec specifies how the proxy container will expose telemetry.
Appears in: AuthProxyContainerSpec

Field | Description | Default | Validation |
---|---|---|---|
`quotaProject` _string_ | QuotaProject specifies the project to use for Cloud SQL Admin API quota tracking. The IAM principal must have the "serviceusage.services.use" permission for the given project. See https://cloud.google.com/service-usage/docs/overview and https://cloud.google.com/storage/docs/requester-pays. This sets the proxy container's CLI argument --quota-project. | | Optional: {} |
`prometheus` _boolean_ | Prometheus enables the Prometheus HTTP endpoint /metrics on localhost. This sets the proxy container's CLI argument --prometheus. | | Optional: {} |
`prometheusNamespace` _string_ | PrometheusNamespace uses the provided Prometheus namespace for metrics. This sets the proxy container's CLI argument --prometheus-namespace. | | Optional: {} |
`telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID. This sets the proxy container's CLI argument --telemetry-project. | | Optional: {} |
`telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics. This sets the proxy container's CLI argument --telemetry-prefix. | | Optional: {} |
`telemetrySampleRate` _integer_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces. This sets the proxy container's CLI argument --telemetry-sample-rate. | | Optional: {} |
`httpPort` _integer_ | HTTPPort is the port for the Prometheus and health check server. This sets the proxy container's CLI argument --http-port. | | Optional: {} |
`disableTraces` _boolean_ | DisableTraces disables Cloud Trace integration (used with telemetryProject). This sets the proxy container's CLI argument --disable-traces. | | Optional: {} |
`disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring integration (used with telemetryProject). This sets the proxy container's CLI argument --disable-metrics. | | Optional: {} |
WorkloadSelectorSpec describes which workloads should be configured with this proxy configuration. To be valid, WorkloadSelectorSpec must specify `kind` and either `name` or `selector`.
Appears in: AuthProxyWorkloadSpec

Field | Description | Default | Validation |
---|---|---|---|
`selector` _LabelSelector_ | Selector (optional) selects resources using labels. See "Label selectors" in the Kubernetes docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | | Optional: {} |
`kind` _string_ | Kind specifies what kind of workload. Supported kinds: Deployment, StatefulSet, Pod, ReplicaSet, DaemonSet, Job, CronJob. Example: "Deployment", "Deployment.v1" or "Deployment.v1.apps". | | Pattern: `\w+(\.\w+)*` Required: {} |
`name` _string_ | Name specifies the name of the resource to select. | | Optional: {} |