Merged
22 commits
3291117
Update Cloud SQL sample apps with SSL example
jsimonweb Sep 30, 2021
b7689f7
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Sep 30, 2021
ff0a784
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Sep 30, 2021
b6822b5
Address presubmit error.
jsimonweb Sep 30, 2021
4e66fc8
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Sep 30, 2021
c3c672c
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 1, 2021
ca9843f
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 4, 2021
9e4485b
Update Dockerfile
jsimonweb Oct 4, 2021
59d077b
Update Dockerfile
jsimonweb Oct 4, 2021
22a3a45
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 5, 2021
af0104e
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 6, 2021
98c7610
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 8, 2021
327e760
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 8, 2021
4d113a1
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 8, 2021
8a5bc15
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 11, 2021
4c1b0df
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 11, 2021
a3aa2d9
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 11, 2021
840f8f1
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 11, 2021
a027be0
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 11, 2021
8c2ae5d
Address review comments.
jsimonweb Oct 12, 2021
21752e4
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 12, 2021
93c46a7
Merge branch 'master' into update-cloud-sql-sample-ssl
jsimonweb Oct 12, 2021
5 changes: 4 additions & 1 deletion cloud-sql/mysql/sqlalchemy/Dockerfile
Expand Up @@ -14,7 +14,7 @@

# Use the official Python image.
# https://hub.docker.com/_/python
FROM python:3.9
FROM python:3

# Copy application dependency manifests to the container image.
# Copying this separately prevents re-running pip install on every code change.
Expand All @@ -30,6 +30,9 @@ ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . ./

# Copy any certificates if present.
COPY ./certs /app/certs

# Run the web service on container startup. Here we use the gunicorn
# webserver, with one worker process and 8 threads.
# For environments with multiple CPU cores, increase the number of workers
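Review bot: `COPY ./certs /app/certs` puts whatever is in `certs/` into an image layer, and since the sample reads a client key path from `DB_KEY`, that presumably includes the private key, which anyone able to pull the image can then extract. For a sample that readers copy, it would be safer to mount the certificates at runtime (a secret volume or Secret Manager) and say so in the comment, e.g. `# Certificates are mounted at runtime; do not bake private keys into the image.` The comment "if present" is also inaccurate, because `COPY` fails the build when the source path is missing, and the preceding `COPY . ./` already copies the directory unless it is ignored. The same lines are added in cloud-sql/postgres/sqlalchemy/Dockerfile.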
Empty file.
61 changes: 57 additions & 4 deletions cloud-sql/mysql/sqlalchemy/main.py
Expand Up @@ -58,9 +58,57 @@ def init_connection_engine():
}

if os.environ.get("DB_HOST"):
if os.environ.get("DB_ROOT_CERT"):
return init_tcp_sslcerts_connection_engine(db_config)
return init_tcp_connection_engine(db_config)
else:
return init_unix_connection_engine(db_config)
return init_unix_connection_engine(db_config)


def init_tcp_sslcerts_connection_engine(db_config):
# [START cloud_sql_mysql_sqlalchemy_create_tcp_sslcerts]
# Remember - storing secrets in plaintext is potentially unsafe. Consider using
# something like https://cloud.google.com/secret-manager/docs/overview to help keep
# secrets secret.
db_user = os.environ["DB_USER"]
db_pass = os.environ["DB_PASS"]
db_name = os.environ["DB_NAME"]
db_host = os.environ["DB_HOST"]
db_root_cert = os.environ["DB_ROOT_CERT"]
db_cert = os.environ["DB_CERT"]
db_key = os.environ["DB_KEY"]

# Extract port from db_host if present,
# otherwise use DB_PORT environment variable.
host_args = db_host.split(":")
if len(host_args) == 1:
db_hostname = host_args[0]
db_port = int(os.environ["DB_PORT"])
elif len(host_args) == 2:
db_hostname, db_port = host_args[0], int(host_args[1])

ssl_args = {
"ssl_ca": db_root_cert,
"ssl_cert": db_cert,
"ssl_key": db_key
}

pool = sqlalchemy.create_engine(
# Equivalent URL:
# mysql+pymysql://<db_user>:<db_pass>@<db_host>:<db_port>/<db_name>
sqlalchemy.engine.url.URL.create(
drivername="mysql+pymysql",
username=db_user, # e.g. "my-database-user"
password=db_pass, # e.g. "my-database-password"
host=db_hostname, # e.g. "127.0.0.1"
port=db_port, # e.g. 3306
database=db_name # e.g. "my-database-name"
),
connect_args=ssl_args,
**db_config
)
# [END cloud_sql_mysql_sqlalchemy_create_tcp_sslcerts]

return pool


def init_tcp_connection_engine(db_config):
Expand All @@ -73,9 +121,14 @@ def init_tcp_connection_engine(db_config):
db_name = os.environ["DB_NAME"]
db_host = os.environ["DB_HOST"]

# Extract host and port from db_host
# Extract port from db_host if present,
# otherwise use DB_PORT environment variable.
host_args = db_host.split(":")
db_hostname, db_port = host_args[0], int(host_args[1])
if len(host_args) == 1:
db_hostname = db_host
db_port = os.environ["DB_PORT"]
elif len(host_args) == 2:
db_hostname, db_port = host_args[0], int(host_args[1])

pool = sqlalchemy.create_engine(
# Equivalent URL:
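Review bot: `ssl_args` in `init_tcp_sslcerts_connection_engine` supplies `ssl_ca`, `ssl_cert` and `ssl_key` but never requests server-certificate verification, so whether the CA file is enforced is left to the driver's defaults. As far as I recall, PyMySQL does not verify the server certificate for the `ssl_*` keyword form unless `ssl_verify_cert` is set; please confirm against the pinned version and add `"ssl_verify_cert": True` to the dict so the sample fails closed. Separately, in the `init_tcp_connection_engine` hunk the new fallback `db_port = os.environ["DB_PORT"]` stays a string where the other branches use `int(...)`, and a `DB_HOST` containing more than one colon matches neither branch in either function and leaves `db_hostname` and `db_port` unassigned; suggest `db_port = int(os.environ["DB_PORT"])` plus an `else: raise ValueError(...)`. The same port handling appears in cloud-sql/postgres/sqlalchemy/main.py, and `init_tcp_connection_engine` continues outside the hunk.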
5 changes: 4 additions & 1 deletion cloud-sql/postgres/sqlalchemy/Dockerfile
Expand Up @@ -14,7 +14,7 @@

# Use the official Python image.
# https://hub.docker.com/_/python
FROM python:3.9
FROM python:3

# Copy application dependency manifests to the container image.
# Copying this separately prevents re-running pip install on every code change.
Expand All @@ -30,6 +30,9 @@ ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . ./

# Copy any certificates if present.
COPY ./certs /app/certs

# Run the web service on container startup. Here we use the gunicorn
# webserver, with one worker process and 8 threads.
# For environments with multiple CPU cores, increase the number of workers
Empty file.
62 changes: 58 additions & 4 deletions cloud-sql/postgres/sqlalchemy/main.py
Expand Up @@ -15,6 +15,7 @@
import datetime
import logging
import os
import ssl

from flask import Flask, render_template, request, Response
import sqlalchemy
Expand Down Expand Up @@ -57,9 +58,57 @@ def init_connection_engine():
}

if os.environ.get("DB_HOST"):
if os.environ.get("DB_ROOT_CERT"):
return init_tcp_sslcerts_connection_engine(db_config)
return init_tcp_connection_engine(db_config)
else:
return init_unix_connection_engine(db_config)
return init_unix_connection_engine(db_config)


def init_tcp_sslcerts_connection_engine(db_config):
# [START cloud_sql_postgres_sqlalchemy_create_tcp_sslcerts]
# Remember - storing secrets in plaintext is potentially unsafe. Consider using
# something like https://cloud.google.com/secret-manager/docs/overview to help keep
# secrets secret.
db_user = os.environ["DB_USER"]
db_pass = os.environ["DB_PASS"]
db_name = os.environ["DB_NAME"]
db_host = os.environ["DB_HOST"]
db_root_cert = os.environ["DB_ROOT_CERT"]
db_cert = os.environ["DB_CERT"]
db_key = os.environ["DB_KEY"]

# Extract port from db_host if present,
# otherwise use DB_PORT environment variable.
host_args = db_host.split(":")
if len(host_args) == 1:
db_hostname = host_args[0]
db_port = int(os.environ["DB_PORT"])
elif len(host_args) == 2:
db_hostname, db_port = host_args[0], int(host_args[1])

ssl_context = ssl.SSLContext()
ssl_context.verify_mode = ssl.CERT_REQUIRED
ssl_context.load_verify_locations(db_root_cert)
ssl_context.load_cert_chain(db_cert, db_key)
ssl_args = {"ssl_context" : ssl_context}

pool = sqlalchemy.create_engine(
# Equivalent URL:
# postgresql+pg8000://<db_user>:<db_pass>@<db_host>:<db_port>/<db_name>
sqlalchemy.engine.url.URL.create(
drivername="postgresql+pg8000",
username=db_user, # e.g. "my-database-user"
password=db_pass, # e.g. "my-database-password"
host=db_hostname, # e.g. "127.0.0.1"
port=db_port, # e.g. 5432
database=db_name # e.g. "my-database-name"
),
connect_args=ssl_args,
**db_config
)
# [END cloud_sql_postgres_sqlalchemy_create_tcp_sslcerts]
pool.dialect.description_encoding = None
return pool


def init_tcp_connection_engine(db_config):
Expand All @@ -72,9 +121,14 @@ def init_tcp_connection_engine(db_config):
db_name = os.environ["DB_NAME"]
db_host = os.environ["DB_HOST"]

# Extract host and port from db_host
# Extract port from db_host if present,
# otherwise use DB_PORT environment variable.
host_args = db_host.split(":")
db_hostname, db_port = host_args[0], int(host_args[1])
if len(host_args) == 1:
db_hostname = db_host
db_port = os.environ["DB_PORT"]
elif len(host_args) == 2:
db_hostname, db_port = host_args[0], int(host_args[1])

pool = sqlalchemy.create_engine(
# Equivalent URL:
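Review bot: `ssl.SSLContext()` in `init_tcp_sslcerts_connection_engine` is created without a protocol argument, which is deprecated since Python 3.10 and leaves `check_hostname` off, so the connection validates the certificate chain against `DB_ROOT_CERT` but not the server's identity. Prefer `ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`, which starts with `CERT_REQUIRED` and hostname checking enabled. If hostname checking has to stay off because the instance is addressed by IP, set `ssl_context.check_hostname = False` explicitly with a comment giving the reason, so readers copying the sample see it is a deliberate trade-off.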