test connection

.github/actions/deploy/deploy.mjs

@@ -62,10 +62,10 @@ const createHelmCommand = ({ isDryRun }) => {
     isProduction || isBeta
       ? [
           `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   graphql.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
           `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   sync.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
           `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
+          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
       : [];
   const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;

.github/helm/affine/charts/gcloud-sql-proxy/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cloud-sql-proxy
+description: Google Cloud SQL Proxy
+type: application
+version: 0.0.0
+appVersion: "2.8.1"

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -33,24 +33,80 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
           image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
+            - "--address"
+            - "0.0.0.0"
             - "--structured-logs"
             - "--auto-iam-authn"
             - "{{ .Values.global.database.gcloud.connectionName }}"
+          env:
+            # Enable HTTP healthchecks on port 9801. This enables /liveness,
+            # /readiness and /startup health check endpoints. Allow connections
+            # listen for connections on any interface (0.0.0.0) so that the
+            # k8s management components can reach these endpoints.
+            - name: CSQL_PROXY_HEALTH_CHECK
+              value: "true"
+            - name: CSQL_PROXY_HTTP_PORT
+              value: "9801"
+            - name: CSQL_PROXY_HTTP_ADDRESS
+              value: 0.0.0.0
           ports:
             - name: cloud-sql-proxy
               containerPort: {{ .Values.global.database.gcloud.proxyPort }}
               protocol: TCP
+            - containerPort: 9801
+              protocol: TCP
+          # The /startup probe returns OK when the proxy is ready to receive
+          # connections from the application. In this example, k8s will check
+          # once a second for 60 seconds.
+          startupProbe:
+            failureThreshold: 60
+            httpGet:
+              path: /startup
+              port: 9801
+              scheme: HTTP
+            periodSeconds: 1
+            successThreshold: 1
+            timeoutSeconds: 10
+          # The /liveness probe returns OK as soon as the proxy application has
+          # begun its startup process and continues to return OK until the
+          # process stops.
           livenessProbe:
-            tcpSocket:
-              port: cloud-sql-proxy
-            initialDelaySeconds: 10
+            failureThreshold: 3
+            httpGet:
+              path: /liveness
+              port: 9801
+              scheme: HTTP
+            # The probe will be checked every 10 seconds.
+            periodSeconds: 10
+            # Number of times the probe is allowed to fail before the transition
+            # from healthy to failure state.
+            #
+            # If periodSeconds = 60, 5 tries will result in five minutes of
+            # checks. The proxy starts to refresh a certificate five minutes
+            # before its expiration. If those five minutes lapse without a
+            # successful refresh, the liveness probe will fail and the pod will be
+            # restarted.
+            successThreshold: 1
+            # The probe will fail if it does not respond in 10 seconds
+            timeoutSeconds: 10
           readinessProbe:
-            tcpSocket:
-              port: cloud-sql-proxy
+            # The /readiness probe returns OK when the proxy can establish
+            # a new connections to its databases.
+            httpGet:
+              path: /readiness
+              port: 9801
             initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 10
+            # Number of times the probe must report success to transition from failure to healthy state.
+            # Defaults to 1 for readiness probe.
+            successThreshold: 1
+            failureThreshold: 6
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           {{- with .Values.volumeMounts }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -8,10 +8,10 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
+    - port: {{ .Values.global.database.port }}
+      targetPort: cloud-sql-proxy
       protocol: TCP
-      name: http
+      name: cloud-sql-proxy
   selector:
     {{- include "gcloud-sql-proxy.selectorLabels" . | nindent 4 }}
 {{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -18,19 +18,20 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  fsGroup: 2000
 
 securityContext:
   runAsNonRoot: true
 
 service:
   type: ClusterIP
-  port: 80
+  port: 5432
 
 resources:
-  requests:
-    memory: "8Gi"
-    cpu: "4"
+  limits:
+    memory: "4Gi"
+    cpu: "2"
 
 volumes: []
 volumeMounts: []