Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support GCP app default credentials for backups/sidecar #366

Merged
merged 4 commits into from
Jul 8, 2019
Merged

Support GCP app default credentials for backups/sidecar #366

merged 4 commits into from
Jul 8, 2019

Conversation

marratj
Copy link
Contributor

@marratj marratj commented Jul 8, 2019

This PR aims to support GCP application default credentials in addition to specifying a fixed Service Account JSON key, so the new GKE Workload Identity authentication for Pods can be used. See also #274

To support those two (GCP app default + Workload Identity), the following changes are necessary:

  • update rclone in sidecar (GCP app default credentials are only supported from rclone 1.47.0)
  • create an empty GCP service account key file for rclone in case no credentials are specified (so rclone uses app default authentication)
    • this is important for backups as well as inits of new clusters from those backups
  • add the same additional Pod Spec options that the accompanying MySQL Cluster has to make sure
    • Backup Pods can use a non-default Service Account
    • Backup Pods get scheduled on Nodes that are part of the correct GKE Identity Namespace (usually the same where the MySQL StatefulSet Pods are running)
    • use the same account as the MySQL Cluster Pods to make sure they have the same identity for backups and inits to read/write from/to GCS buckets

We use this internally now successfully and welcome any feedback on this and like to contribute on that :)

AMecea
AMecea approved these changes Jul 8, 2019
View reviewed changes
Copy link
Contributor

@AMecea AMecea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @marratj !

@AMecea AMecea merged commit accabe5 into bitpoke:master Jul 8, 2019
@tanordheim tanordheim mentioned this pull request Oct 15, 2019
Open
chapsuk pushed a commit to chapsuk/mysql-operator that referenced this pull request Oct 16, 2023
@frouioui
Merge pull request bitpoke#366 from planetscale/remove-enable_realtim…
8332bdf 
…e_stats

Remove enable_realtime_stats flag since it is removed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AMecea AMecea AMecea approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marratj @AMecea