[METAL-2274] Initial opensourcing of db-auth-gateway (#1)

* [METAL-2274] Initial commit of code

Author: dpeckett

.dockerignore

@@ -0,0 +1 @@
+/target

.github/workflows/build-and-test.yaml

@@ -0,0 +1,90 @@
+name: Build and Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Check Code Style
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.30.0
+
+  build:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          tags: kloeckner-i/db-auth-gateway:${{ github.sha }}
+          outputs: type=docker,dest=/tmp/db-auth-gateway.tar
+      - name: Upload docker image artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: docker-image
+          path: /tmp/db-auth-gateway.tar
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Download artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: docker-image
+          path: /tmp
+      - name: Load Docker image
+        run: docker load --input /tmp/db-auth-gateway.tar
+      - name: Start Google Cloud SQL Mock and Dependencies
+        run: |
+          docker network create db-auth-gateway-test
+          docker run -d --network=db-auth-gateway-test --network-alias=postgres --name=postgres -e "POSTGRES_PASSWORD=mysecretpassword" postgres:13
+          docker run -d --network=db-auth-gateway-test --name=cloudsql_mock -p 127.0.0.1:3307:3307 -p 127.0.0.1:8080:8080 kloeckner-i/db-auth-gateway:${{ github.sha }} mock --db-address=postgres:5432 --instance=my-project:my-region:my-database
+      - name: Test
+        env:
+          MOCK_ADDRESS: 127.0.0.1
+        run: |
+          make test e2e
+      - name: Upload Test Logs
+        uses: actions/upload-artifact@v2
+        if: failure()
+        with:
+          name: test-logs
+          path: target/db-auth-gateway.log
+      - name: Collect Docker Logs
+        if: failure()
+        uses: jwalton/gh-docker-logs@v1
+        with:
+          dest: './logs'
+      - name: Tar Docker Logs
+        if: failure()
+        run: tar cvzf ./logs.tgz ./logs
+      - name: Upload Docker Logs
+        uses: actions/upload-artifact@v2
+        if: failure()
+        with:
+          name: docker-logs
+          path: ./logs.tgz

.gitignore

@@ -0,0 +1,2 @@
+/.idea
+/target

.golangci.yml

@@ -0,0 +1,14 @@
+linters-settings:
+  gocognit:
+    min-complexity: 50
+  funlen:
+    lines: 150
+    statements: 50
+  nestif:
+    min-complexity: 10
+
+issues:
+  exclude-rules:
+    - path: internal/pubkey/pubkey.go
+      linters:
+        - goimports

Dockerfile

@@ -1,3 +1,20 @@
-FROM alpine:3.13
+FROM golang:1.15.0-alpine AS builder
 
-RUN echo 'hello world' > /etc/motd
+RUN apk add --update --no-cache make
+WORKDIR /build
+
+COPY . /build/
+
+RUN make
+
+FROM alpine:3.12.0
+
+COPY --from=builder /build/target/db-auth-gateway /usr/local/bin/db-auth-gateway
+COPY --from=builder /build/LICENSE /LICENSE
+
+RUN addgroup -g 65532 -S gateway \
+  && adduser -u 65532 -S gateway -G gateway
+
+USER 65532
+
+ENTRYPOINT [ "/usr/local/bin/db-auth-gateway" ]

LICENSE

@@ -199,3 +199,26 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+internal/util/connection.go:
+
+   Copyright (c) 2014 Juan Batiz-Benet
+   Copyright (2) 2021 Kloeckner.I
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.

Makefile

@@ -0,0 +1,31 @@
+BIN = target/db-auth-gateway
+SRC = $(shell find . -type f -name '*.go')
+
+$(BIN): $(SRC)
+	@mkdir -p target
+	@go build -o $@ cmd/main.go
+
+test: $(SRC)
+	@go test ./...
+
+e2e: $(SRC) $(BIN)
+	@go test -tags=e2e ./test/...
+
+start_mock: $(SRC)
+	@-docker-compose down
+	@docker-compose build
+	@docker-compose up -d
+
+lint: $(SRC)
+	@go mod tidy
+	@gofumpt -s -l -w $^
+	@gci -w $^
+	@golint ./...
+	@golangci-lint run --timeout 5m0s --enable-all -D gochecknoglobals -D gomnd ./...
+
+clean:
+	@-rm -Rf target/*
+	@go clean -testcache
+	@-docker-compose down
+
+.PHONY: test e2e start_mock lint clean

README.md

@@ -1,2 +1,126 @@
+<p align="center">
+<img src="mascot/banner.png" alt="db-auth-gateway" title="db-auth-gateway" />
+</p>
+
 # db-auth-gateway
-An authentication proxy for Google Cloud managed databases
+
+An authentication proxy for Google Cloud managed databases. Based on the ideas
+of [cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) but
+intended to be run as a standalone network accessible service rather than a 
+sidecar.
+
+We've been using `cloudsql-proxy` for several years now to power our 
+[db-operator](https://github.com/kloeckner-i/db-operator) project. It has been 
+for the most part reliable but key differences between how we deploy it and 
+Google's reference architecture have led to production issues. 
+
+We developed `db-auth-gateway` to address these issues and add a variety of wish 
+list features such as improved observability, and testing.
+
+## Features
+
+* Connection draining during shutdown to support zero downtime deployments and 
+load balancing.
+* Prometheus metrics support for improved observability.
+* Full testsuite including realistic Google service mocks.
+* Simplified modern code base.
+
+## Quickstart
+
+Use `docker-compose` to start a local PostgreSQL instance, and Google API mock:
+
+```shell script
+make start_mock
+```
+
+Then you can then run `db-auth-gateway` locally with:
+
+```shell script
+db-auth-gateway --api-endpoint=http://localhost:8080 --credential-file=DISABLED \
+--instance=my-project:my-region:my-database
+```
+
+`db-auth-gateway` will listen on port 5432 (by default) for SQL connections.
+
+```shell script
+PGPASSWORD=mysecretpassword psql -h localhost -p 5432 -d postgres postgres
+```
+
+### Flags
+
+`db-auth-gateway` has a variety of command line flags for configuring its behavior:
+
+| Flag | Default | Description |
+|:---|:---:|:---|
+| --credential-file | | JSON file containing the Google Cloud credentials |
+| --instance | | Fully qualified database instance to connect to (project:region:name) |
+| --listen | :5432 | Address and port to listen on |
+| --remote-port | 3307 | Port to connect to the remote server on |
+| --max-connections | 0 | The maximum number of active connections. Defaults to 0 (unlimited) |
+| --min-refresh-interval | 1m | The minimum amount of time to wait between API calls |
+| --periodic-refresh-interval | 5m | Configuration is eagerly refreshed on a schedule. This is the nominal period between API calls. |
+| --api-endpoint | | If specified the URL to use for API calls |
+
+## Development
+
+### Prerequisites
+
+* [Go 1.15+](https://golang.org/dl/)
+* GNU Make
+* [golangci-lint v1.30+](https://golangci-lint.run/usage/install/)
+* Additional Go tools:
+    * [golint](https://github.com/golang/lint)
+    * [gofumpt](https://github.com/mvdan/gofumpt)
+    * [gofumports](https://github.com/mvdan/gofumpt)
+    * [gci](https://github.com/daixiang0/gci)
+
+### Build
+
+To build `db-auth-gateway`, simply run make without any arguments.
+
+The resulting binary will be written to: `./target/db-auth-gateway`.
+
+```shell script
+make
+```
+
+### Test
+
+Before committing any code you should always lint and test your changes.
+
+#### Code Linting
+
+```shell script
+make lint
+```
+
+#### Running the Tests
+
+First start the Google API mock using `docker-compose`:
+
+```shell script
+make start_mock
+```
+
+Then run the tests:
+
+```shell script
+make test
+```
+
+### End to End Testing
+
+You run the end to end tests with:
+
+```shell script
+make e2e
+```
+
+The tests will start a local instance of `db-auth-gateway` and verify it is able
+to connect to and query the Postgres database, and Google API mock.
+
+## Acknowledgements
+
+1. [The Go Gopher](https://blog.golang.org/gopher) by [Renee French](http://reneefrench.blogspot.com/), licensed under the [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/).
+1. https://github.com/GoogleCloudPlatform/cloudsql-proxy
+1. https://github.com/jbenet/go-context