feat: Add support for Service Account Impersonation. (#445)

Now users can configure the proxy's --service-account-impersonation parameter. Fixes #392
GoogleCloudPlatform · Oct 24, 2023 · 4d8e277 · 4d8e277
1 parent 1eaf019
commit 4d8e277
Show file tree

Hide file tree

Showing 8 changed files with 120 additions and 18 deletions.
diff --git a/config/crd/bases/cloudsql.cloud.google.com_authproxyworkloads.yaml b/config/crd/bases/cloudsql.cloud.google.com_authproxyworkloads.yaml
@@ -60,6 +60,15 @@ spec:
                           minimum: 1
                           type: integer
                       type: object
+                    authentication:
+                      description: Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API.
+                      properties:
+                        impersonationChain:
+                          description: ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy.
+                          items:
+                            type: string
+                          type: array
+                      type: object
                     container:
                       description: Container is debugging parameter that when specified will override the proxy container with a completely custom Container spec.
                       properties:

diff --git a/docs/api.md b/docs/api.md
@@ -45,6 +45,7 @@ _Appears in:_
 | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. |
 | `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry. Optional, by default |
 | `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is available to other containers in the same pod. |
+| `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API. |
 | `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit. This sets the proxy container's CLI argument `--max-connections` |
 | `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument `--max-sigterm-delay` and configures `terminationGracePeriodSeconds` on the workload's PodSpec. |
 | `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will change the Google Cloud api endpoint used by the proxy. |
@@ -87,6 +88,20 @@ _Appears in:_
 | `authProxyContainer` _[AuthProxyContainerSpec](#authproxycontainerspec)_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. |
 
 
+#### AuthenticationSpec
+
+
+
+AuthenticationSpec specifies how the proxy is authenticated with the Google Cloud SQL Admin API. This configures proxy's --impersonate-service-account flag.
+
+_Appears in:_
+- [AuthProxyContainerSpec](#authproxycontainerspec)
+
+| Field | Description |
+| --- | --- |
+| `impersonationChain` _string array_ | ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy. |
+
+
 #### InstanceSpec
 
 

diff --git a/installer/cloud-sql-proxy-operator.yaml b/installer/cloud-sql-proxy-operator.yaml
@@ -79,6 +79,15 @@ spec:
                           minimum: 1
                           type: integer
                       type: object
+                    authentication:
+                      description: Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API.
+                      properties:
+                        impersonationChain:
+                          description: ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy.
+                          items:
+                            type: string
+                          type: array
+                      type: object
                     container:
                       description: Container is debugging parameter that when specified will override the proxy container with a completely custom Container spec.
                       properties:

diff --git a/internal/api/v1/authproxyworkload_test.go b/internal/api/v1/authproxyworkload_test.go
@@ -237,6 +237,15 @@ func TestAuthProxyWorkload_ValidateCreate_AuthProxyContainerSpec(t *testing.T) {
 			},
 			wantValid: true,
 		},
+		{
+			desc: "Valid, ImpersonationChain set",
+			spec: cloudsqlapi.AuthProxyContainerSpec{
+				Authentication: &cloudsqlapi.AuthenticationSpec{
+					ImpersonationChain: []string{"[email protected]", "[email protected]"},
+				},
+			},
+			wantValid: true,
+		},
 		{
 			desc: "Invalid, Debug set without AdminPort",
 			spec: cloudsqlapi.AuthProxyContainerSpec{

diff --git a/internal/api/v1/authproxyworkload_types.go b/internal/api/v1/authproxyworkload_types.go
@@ -159,6 +159,10 @@ type AuthProxyContainerSpec struct {
 	// available to other containers in the same pod.
 	AdminServer *AdminServerSpec `json:"adminServer,omitempty"`
 
+	// Authentication specifies the config for how the proxy authenticates itself
+	// to the Google Cloud API.
+	Authentication *AuthenticationSpec `json:"authentication,omitempty"`
+
 	// MaxConnections limits the number of connections. Default value is no limit.
 	// This sets the proxy container's CLI argument `--max-connections`
 	//+kubebuilder:validation:Optional
@@ -231,6 +235,19 @@ type AdminServerSpec struct {
 	EnableAPIs []string `json:"enableAPIs,omitempty"`
 }
 
+// AuthenticationSpec specifies how the proxy is authenticated with the
+// Google Cloud SQL Admin API. This configures proxy's
+// --impersonate-service-account flag.
+type AuthenticationSpec struct {
+	// ImpersonationChain is a list of one or more service
+	// accounts. The first entry in the chain is the impersonation target. Any
+	// additional service accounts after the target are delegates. The
+	// roles/iam.serviceAccountTokenCreator must be configured for each account
+	// that will be impersonated. This sets the --impersonate-service-account
+	// flag on the proxy.
+	ImpersonationChain []string `json:"impersonationChain,omitempty"`
+}
+
 // TelemetrySpec specifies how the proxy container will expose telemetry.
 type TelemetrySpec struct {
 	// QuotaProject Specifies the project to use for Cloud SQL Admin API quota tracking.

diff --git a/internal/api/v1/zz_generated.deepcopy.go b/internal/api/v1/zz_generated.deepcopy.go
diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go
@@ -590,6 +590,9 @@ func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, c *corev
 	// enable the proxy's admin service
 	s.addAdminServer(p)
 
+	// configure container authentication
+	s.addAuthentication(p)
+
 	// add the user agent
 	s.addProxyContainerEnvVar(p, "CSQL_PROXY_USER_AGENT", s.updater.userAgent)
 
@@ -892,6 +895,17 @@ func (s *updateState) addAdminServer(p *cloudsqlapi.AuthProxyWorkload) {
 
 }
 
+func (s *updateState) addAuthentication(p *cloudsqlapi.AuthProxyWorkload) {
+	if p.Spec.AuthProxyContainer == nil || p.Spec.AuthProxyContainer.Authentication == nil {
+		return
+	}
+	as := p.Spec.AuthProxyContainer.Authentication
+	if len(as.ImpersonationChain) > 0 {
+		s.addProxyContainerEnvVar(p, "CSQL_PROXY_IMPERSONATE_SERVICE_ACCOUNT", strings.Join(as.ImpersonationChain, ","))
+	}
+
+}
+
 func (s *updateState) addVolumeMount(p *cloudsqlapi.AuthProxyWorkload, is *cloudsqlapi.InstanceSpec, m corev1.VolumeMount, v corev1.Volume) {
 	key := proxyInstanceID{
 		AuthProxyWorkload: types.NamespacedName{

diff --git a/internal/workload/podspec_updates_test.go b/internal/workload/podspec_updates_test.go
@@ -664,6 +664,9 @@ func TestProxyCLIArgs(t *testing.T) {
 						EnableAPIs: []string{"Debug", "QuitQuitQuit"},
 						Port:       int32(9091),
 					},
+					Authentication: &cloudsqlapi.AuthenticationSpec{
+						ImpersonationChain: []string{"[email protected]", "[email protected]"},
+					},
 					MaxConnections:  ptr(int64(10)),
 					MaxSigtermDelay: ptr(int64(20)),
 					Quiet:           true,
@@ -677,24 +680,25 @@ func TestProxyCLIArgs(t *testing.T) {
 				fmt.Sprintf("hello:world:one?port=%d", workload.DefaultFirstPort),
 			},
 			wantWorkloadEnv: map[string]string{
-				"CSQL_PROXY_SQLADMIN_API_ENDPOINT": "https://example.com",
-				"CSQL_PROXY_TELEMETRY_SAMPLE_RATE": "200",
-				"CSQL_PROXY_PROMETHEUS_NAMESPACE":  "hello",
-				"CSQL_PROXY_TELEMETRY_PROJECT":     "telproject",
-				"CSQL_PROXY_TELEMETRY_PREFIX":      "telprefix",
-				"CSQL_PROXY_HTTP_PORT":             "9092",
-				"CSQL_PROXY_ADMIN_PORT":            "9091",
-				"CSQL_PROXY_DEBUG":                 "true",
-				"CSQL_PROXY_QUITQUITQUIT":          "true",
-				"CSQL_PROXY_HEALTH_CHECK":          "true",
-				"CSQL_PROXY_DISABLE_TRACES":        "true",
-				"CSQL_PROXY_DISABLE_METRICS":       "true",
-				"CSQL_PROXY_PROMETHEUS":            "true",
-				"CSQL_PROXY_QUOTA_PROJECT":         "qp",
-				"CSQL_PROXY_MAX_CONNECTIONS":       "10",
-				"CSQL_PROXY_MAX_SIGTERM_DELAY":     "20",
-				"CSQL_PROXY_QUIET":                 "true",
-				"CSQL_PROXY_STRUCTURED_LOGS":       "true",
+				"CSQL_PROXY_SQLADMIN_API_ENDPOINT":       "https://example.com",
+				"CSQL_PROXY_TELEMETRY_SAMPLE_RATE":       "200",
+				"CSQL_PROXY_PROMETHEUS_NAMESPACE":        "hello",
+				"CSQL_PROXY_TELEMETRY_PROJECT":           "telproject",
+				"CSQL_PROXY_TELEMETRY_PREFIX":            "telprefix",
+				"CSQL_PROXY_HTTP_PORT":                   "9092",
+				"CSQL_PROXY_ADMIN_PORT":                  "9091",
+				"CSQL_PROXY_DEBUG":                       "true",
+				"CSQL_PROXY_QUITQUITQUIT":                "true",
+				"CSQL_PROXY_HEALTH_CHECK":                "true",
+				"CSQL_PROXY_DISABLE_TRACES":              "true",
+				"CSQL_PROXY_DISABLE_METRICS":             "true",
+				"CSQL_PROXY_PROMETHEUS":                  "true",
+				"CSQL_PROXY_QUOTA_PROJECT":               "qp",
+				"CSQL_PROXY_MAX_CONNECTIONS":             "10",
+				"CSQL_PROXY_MAX_SIGTERM_DELAY":           "20",
+				"CSQL_PROXY_IMPERSONATE_SERVICE_ACCOUNT": "[email protected],[email protected]",
+				"CSQL_PROXY_QUIET":                       "true",
+				"CSQL_PROXY_STRUCTURED_LOGS":             "true",
 			},
 		},
 		{