
(7.0) Add Postgres Cloud SQL support #5941

Merged
merged 1 commit into from
Mar 22, 2021

Conversation

r0mant
Collaborator

@r0mant r0mant commented Mar 11, 2021

This PR extends database access to support Postgres flavored GCP Cloud SQL databases with IAM authentication:

https://cloud.google.com/sql/docs/postgres/authentication

It works in a similar fashion to RDS and Aurora:

  • Users connect to the database using the service account name as the database user.
  • The Teleport database service generates an IAM auth token for that service account upon each connection.
  • The generated auth token is used as the password when authenticating with the database.

Here's an example teleport.yaml configuration for a Cloud SQL instance:

db_service:
  enabled: "yes"
  databases:
  - name: "postgres-gcp"
    description: "PostgreSQL 9.6: Google Cloud SQL"
    protocol: "postgres"
    uri: "35.1.2.3:5432"
    ca_cert_file: /var/lib/teleport-root/gcp-test-root.pem
    gcp:
      project_id: "project-id"
      instance_id: "instance-id"
    static_labels:
      env: gcp

Also, IAM authentication is a relatively new Cloud SQL feature and is currently supported only by Postgres. Once it expands to MySQL, we'll be able to enable it for MySQL as well.
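The three-step flow described above (service account name as the database user, a fresh IAM token per connection, the token used in place of a password) as an added Go example; this is not code from the PR or from Teleport. The TokenSource interface, the fakeTokenSource stand-in for the IAM API and the ConnectURL helper are assumptions made for the example, and the config field names mirror the teleport.yaml snippet in the description.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// TokenSource abstracts the IAM token provider. In the real service it would be
// backed by the service account's Google credentials; this interface and the
// fake below are assumptions made for the example, not Teleport's own API.
type TokenSource interface {
	Token(ctx context.Context, serviceAccount string) (token string, expiry time.Time, err error)
}

// SessionParams is what the client presented when it connected through Teleport.
type SessionParams struct {
	DatabaseUser string // service account name, used as the Postgres user
	DatabaseName string
}

// CloudSQLConfig mirrors the fields of the PR's teleport.yaml example.
type CloudSQLConfig struct {
	ProjectID  string
	InstanceID string
	URI        string // host:port of the Cloud SQL instance
	CACertFile string // ca_cert_file: the per-instance server CA
}

// Authenticator turns a session into upstream connection parameters.
type Authenticator struct {
	ts TokenSource
}

func NewAuthenticator(ts TokenSource) *Authenticator { return &Authenticator{ts: ts} }

// ConnectURL builds the upstream Postgres URL for one connection. A fresh IAM
// token is requested every time and takes the place of the password; it is
// not cached, so the credential is only useful for the token's lifetime.
func (a *Authenticator) ConnectURL(ctx context.Context, sess SessionParams, cfg CloudSQLConfig) (*url.URL, error) {
	if sess.DatabaseUser == "" {
		return nil, errors.New("database user (service account) is required")
	}
	if cfg.CACertFile == "" {
		return nil, errors.New("ca_cert_file is required: each Cloud SQL instance has its own server CA")
	}
	token, expiry, err := a.ts.Token(ctx, sess.DatabaseUser)
	if err != nil {
		return nil, fmt.Errorf("generating IAM auth token for %q: %w", sess.DatabaseUser, err)
	}
	if !expiry.After(time.Now()) {
		return nil, errors.New("IAM auth token is already expired")
	}
	q := url.Values{}
	q.Set("sslmode", "verify-ca")        // libpq: require TLS and verify the chain
	q.Set("sslrootcert", cfg.CACertFile) // against the instance CA only
	return &url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(sess.DatabaseUser, token),
		Host:     cfg.URI,
		Path:     "/" + sess.DatabaseName,
		RawQuery: q.Encode(),
	}, nil
}

// fakeTokenSource is a constructed stand-in for the IAM API. It hands out a
// distinct token per call so the per-connection behaviour is observable.
type fakeTokenSource struct {
	mu    sync.Mutex
	calls int
	ttl   time.Duration
}

func (f *fakeTokenSource) Token(_ context.Context, sa string) (string, time.Time, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.calls++
	return fmt.Sprintf("iam-token-%s-%d", sa, f.calls), time.Now().Add(f.ttl), nil
}

func main() {
	a := NewAuthenticator(&fakeTokenSource{ttl: time.Hour})
	cfg := CloudSQLConfig{ProjectID: "project-id", InstanceID: "instance-id",
		URI: "35.1.2.3:5432", CACertFile: "/var/lib/teleport-root/gcp-test-root.pem"}
	sess := SessionParams{DatabaseUser: "db-service-account", DatabaseName: "postgres"}
	for i := 0; i < 2; i++ {
		u, err := a.ConnectURL(context.Background(), sess, cfg)
		if err != nil {
			panic(err)
		}
		fmt.Println(u.Redacted()) // Redacted masks the token; never log the raw URL
	}
}
```

Running it prints two redacted URLs for the same user; the test below checks that the two connections received different tokens, that an expired token and a missing user are rejected, and that the token really does sit in the password slot.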

@r0mant r0mant added the database-access Database access related issues and PRs label Mar 11, 2021
@r0mant r0mant added this to the 6.1 milestone Mar 11, 2021
@r0mant r0mant self-assigned this Mar 11, 2021
@r0mant
Collaborator Author

r0mant commented Mar 16, 2021

@awly Could you please be a 2nd reviewer on this when you get time? Thanks.

Comment on lines 619 to 622
// TODO(r0mant): See if we can download it automatically similar to RDS
// but at a first glance it doesn't seem to be possible since in Cloud
// SQL each instance has its own CA and there doesn't appear to be an
// API for that.

Collaborator Author


Good find, I've updated the comment to include this link. Looking at this API, it just returns information about the certificate in a parsed form and I couldn't see if there's a "raw" pem, but maybe there's another API to call to retrieve certificate by its ID or something. Will investigate more when we work on this todo item.
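The TODO above notes that each Cloud SQL instance has its own server CA, which is why the configuration carries a ca_cert_file. The added Go example below, which is not code from the PR or from Teleport, shows the check a database service must make with that file before it sends the IAM token: the server's certificate chain must end at the CA configured for this instance and no other, and the certificate must be valid for the address that was dialed. The in-memory CAs, the leaf certificate with an IP SAN and the verifyAgainstInstanceCA helper are all constructed for the example; real Cloud SQL certificates may carry a different identity, so the hostname part of the check is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newInstanceCA creates a self-signed CA standing in for one Cloud SQL
// instance's server CA. It is constructed in memory for the example; in a
// deployment the CA comes from ca_cert_file in teleport.yaml.
func newInstanceCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " server CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// newServerCert issues a server certificate for the instance address, signed
// by the given CA. The IP SAN is a constructed identity for the example.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "cloudsql-server"},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstInstanceCA is the check to run before the IAM token is sent:
// the presented server certificate must chain to the CA loaded from this
// instance's ca_cert_file (a pool holding only that CA) and must be valid
// for the address that was dialed. Expiry is checked by Verify itself.
func verifyAgainstInstanceCA(caPEM []byte, server *x509.Certificate, dialedIP string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("ca_cert_file contains no PEM certificate")
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialedIP, // an IP string is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	caA, keyA, pemA, err := newInstanceCA("instance-a")
	if err != nil {
		panic(err)
	}
	caB, keyB, _, err := newInstanceCA("instance-b")
	if err != nil {
		panic(err)
	}
	leafA, _ := newServerCert(caA, keyA, "35.1.2.3")
	leafB, _ := newServerCert(caB, keyB, "35.1.2.3")
	fmt.Println("own instance CA:  ", verifyAgainstInstanceCA(pemA, leafA, "35.1.2.3"))
	fmt.Println("other instance CA:", verifyAgainstInstanceCA(pemA, leafB, "35.1.2.3"))
}
```

The second line of output is the point: a certificate that is perfectly valid for another Cloud SQL instance is rejected because the pool contains only this instance's CA, which is the property a shared, automatically downloaded CA bundle would not give.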

@r0mant
Collaborator Author

r0mant commented Mar 19, 2021

@a-palchikov @awly I've addressed your comments guys, please take another look.

Contributor

@russjones russjones left a comment


Bot.

@r0mant r0mant changed the title Add Postgres Cloud SQL support (7.0) Add Postgres Cloud SQL support Mar 22, 2021
@r0mant r0mant enabled auto-merge (squash) March 22, 2021 16:10
@r0mant r0mant merged commit 8739417 into master Mar 22, 2021
@r0mant r0mant deleted the roman/cloudsql branch March 22, 2021 16:38
Labels
backport-required database-access Database access related issues and PRs