[prometheus-mysql-exporter]: upgrade cloud-sql-proxy v2 (#3583)

* feat(prometheus-mysql-exporter)!: upgrade cloud-sql-proxy

Signed-off-by: Marcelo Clavel <[email protected]>

* Update charts/prometheus-mysql-exporter/Chart.yaml

Signed-off-by: André Bauer <[email protected]>

* feat(prometheus-mysql-exporter): support mysql_exporter v0.15.0

Signed-off-by: Marcelo Clavel <[email protected]>

---------

Signed-off-by: Marcelo Clavel <[email protected]>
Signed-off-by: André Bauer <[email protected]>
Co-authored-by: André Bauer <[email protected]>

charts/prometheus-mysql-exporter/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 description: A Helm chart for prometheus mysql exporter with cloudsqlproxy
 name: prometheus-mysql-exporter
-version: 1.14.0
+version: 2.0.0
 home: https://github.com/prometheus/mysqld_exporter
-appVersion: v0.14.0
+appVersion: v0.15.0
 sources:
   - https://github.com/prometheus/mysqld_exporter
 maintainers:

charts/prometheus-mysql-exporter/README.md

@@ -41,6 +41,58 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen
 helm upgrade [RELEASE_NAME] [CHART] --install
 ```
 
+### From 1.x to 2.x
+
+mysqld_exporter has been updated to [v0.15.0](https://github.com/prometheus/mysqld_exporter/releases/tag/v0.15.0), removing support for `DATA_SOURCE_NAME`. Configuration for exporter use `--config.my-cnf` with a custom cnf file (secret).
+
+If you use `mysql.existingSecret` to set full `DATA_SOURCE_NAME`, please set `mysql.existingConfigSecret.name` & `mysql.existingConfigSecret.key` to reference the secret config.
+
+```yaml
+mysql:
+  existingSecret: "my-data-source"
+```
+
+to:
+
+```yaml
+mysql:
+  existingConfigSecret:
+    name: "config"
+    key: "my.cnf"
+```
+
+If you use `mysql.param` to extend `DATA_SOURCE_NAME`, please set `mysql.additionalConfig` with extra params to extend my.cnf file.
+
+```yaml
+mysql:
+  param: "debug&connect-timeout=5"
+```
+
+to:
+
+```yaml
+mysql:
+  additionalConfig:
+    - connect-timeout=5
+    - debug
+```
+
+This version uses [cloud-sql-proxy v2](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/main/migration-guide.md).
+
+If you use `cloudsqlproxy.ipAddressTypes` to set private connections, please set `cloudsqlproxy.privateIp`.
+
+```yaml
+cloudsqlproxy:
+  ipAddressTypes: PRIVATE,PUBLIC
+```
+
+to:
+
+```yaml
+cloudsqlproxy:
+  privateIp: true
+```
+
 ### To =< 1.0.0
 
 Version 1.0.0 is a major update.

charts/prometheus-mysql-exporter/templates/_helpers.tpl

@@ -69,13 +69,24 @@ Secret name for cloudsql credentials
 {{- end -}}
 
 {{/*
-Secret name for DATA_SOURCE_NAME
+Secret name for config
 */}}
-{{- define "prometheus-mysql-exporter.secret" -}}
-    {{- if .Values.mysql.existingSecret -}}
-        {{- printf "%s" .Values.mysql.existingSecret -}}
+{{- define "prometheus-mysql-exporter.secretName" -}}
+    {{- if .Values.mysql.existingConfigSecret.name -}}
+        {{- printf "%s" .Values.mysql.existingConfigSecret.name -}}
     {{- else -}}
-        {{ template "prometheus-mysql-exporter.fullname" . }}
+        {{ template "prometheus-mysql-exporter.fullname" . }}-config
+    {{- end -}}
+{{- end -}}
+*/}}
+
+Secret key for config
+*/}}
+{{- define "prometheus-mysql-exporter.secretKey" -}}
+    {{- if .Values.mysql.existingConfigSecret.key -}}
+        {{- printf "%s" .Values.mysql.existingConfigSecret.key -}}
+    {{- else -}}
+        my.cnf
     {{- end -}}
 {{- end -}}
 */}}

charts/prometheus-mysql-exporter/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
 {{ toYaml .Values.podLabels | trim | indent 8 }}
 {{- end }}
       annotations:
-        checksum/credentials: {{ include (print .Template.BasePath "/secret-env.yaml") . | sha256sum }}
+        checksum/credentials: {{ include (print .Template.BasePath "/secret-config.yaml") . | sha256sum }}
       {{- if .Values.cloudsqlproxy.enabled }}
         checksum/config: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- if .Values.annotations }}
@@ -40,8 +40,9 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if or .Values.config .Values.collectors }}
           args:
+            - "--config.my-cnf=/etc/cnf/{{ template "prometheus-mysql-exporter.secretKey" . }}"
+          {{- if or .Values.config .Values.collectors }}
           {{- if .Values.config.logLevel }}
             - "--log.level={{ .Values.config.logLevel }}"
           {{- end}}
@@ -61,27 +62,16 @@ spec:
           {{- end }}
           {{- end }}
           {{- end }}
-          {{- if not .Values.mysql.existingSecret }}
+          {{- if and (not .Values.mysql.existingConfigSecret.name) (.Values.mysql.existingPasswordSecret.name) }}
           env:
-            - name: DB_PASSWORD
+            - name: MYSQLD_EXPORTER_PASSWORD
               valueFrom:
                 secretKeyRef:
-          {{- if .Values.mysql.existingPasswordSecret.name }}
+          {{- if and .Values.mysql.existingPasswordSecret.name .Values.mysql.existingPasswordSecret.key }}
                   name: {{ .Values.mysql.existingPasswordSecret.name }}
                   key: {{ .Values.mysql.existingPasswordSecret.key }}
-          {{- else }}
-                  name: {{ template "prometheus-mysql-exporter.fullname" . }}
-                  key: password
           {{- end }}
           {{- end }}
-          {{- if .Values.mysql.existingSecret }}
-          envFrom:
-            - secretRef:
-                name: {{ template "prometheus-mysql-exporter.secret" . }}
-          {{- else }}
-            - name: DATA_SOURCE_NAME
-              value: "{{ .Values.mysql.user }}:$(DB_PASSWORD)@{{ if .Values.mysql.protocol }}{{ .Values.mysql.protocol }}{{ end }}({{ .Values.mysql.host }}:{{ .Values.mysql.port }})/{{ if .Values.mysql.db }}{{ .Values.mysql.db }}{{ end }}{{ if .Values.mysql.param }}?{{ .Values.mysql.param }}{{ end }}"
-          {{- end }}
           ports:
             - containerPort: {{ .Values.service.internalPort }}
           livenessProbe:
@@ -92,28 +82,63 @@ spec:
             httpGet:
               path: /
               port: {{ .Values.service.internalPort }}
+          volumeMounts:
+            - name: secret-config
+              mountPath: /etc/cnf/
+              readOnly: true
           {{- with .Values.extraVolumeMounts }}
-          volumeMounts: {{ toYaml . | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
         {{- if .Values.cloudsqlproxy.enabled }}
         - name: cloudsql-proxy
           image: "{{ .Values.cloudsqlproxy.image.repo }}:{{ .Values.cloudsqlproxy.image.tag }}"
           imagePullPolicy: "{{ .Values.cloudsqlproxy.image.PullPolicy  }}"
-          command: ["/cloud_sql_proxy"
-                    ,"-instances={{ .Values.cloudsqlproxy.instanceConnectionName }}=tcp:{{ .Values.cloudsqlproxy.port }}"
-                    {{- if .Values.cloudsqlproxy.ipAddressTypes }}
-                    ,"-ip_address_types={{ .Values.cloudsqlproxy.ipAddressTypes }}"
-                    {{- end }}
-                    {{- if not .Values.cloudsqlproxy.workloadIdentity.enabled }}
-                    ,"-credential_file=/secrets/cloudsql/credentials.json"
-                    {{- end }}
-                    {{- if .Values.cloudsqlproxy.extraArgs }}
-                    ,"{{ .Values.cloudsqlproxy.extraArgs }}"
-                    {{- end }}
-                    ]
+          args: ["{{ .Values.cloudsqlproxy.instanceConnectionName }}?port:{{ .Values.cloudsqlproxy.port }}"
+                  ,"--health-check"
+                  ,"--http-address=0.0.0.0"
+                  ,"--run-connection-test"
+                  {{- if .Values.cloudsqlproxy.privateIp }}
+                  ,"--private-ip"
+                  {{- end }}
+                  {{- if not .Values.cloudsqlproxy.workloadIdentity.enabled }}
+                  ,"--credentials-file=/secrets/cloudsql/credentials.json"
+                  {{- end }}
+                  {{- if .Values.cloudsqlproxy.extraArgs }}
+                  ,"{{ .Values.cloudsqlproxy.extraArgs }}"
+                  {{- end }}
+                  ]
           livenessProbe:
-            exec:
-              command: ["nc", "-z", "127.0.0.1", "3306"]
+            httpGet:
+              path: /liveness
+              port: 9090
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 9090
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 1
+          startupProbe:
+            httpGet:
+              path: /startup
+              port: 9090
+            periodSeconds: 1
+            timeoutSeconds: 5
+            failureThreshold: 20
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 10000
+            runAsNonRoot: true
           {{- if not .Values.cloudsqlproxy.workloadIdentity.enabled }}
           volumeMounts:
             - name: cloudsql-proxy-sa-credentials
@@ -136,6 +161,9 @@ spec:
 {{ toYaml . | indent 8 }}
     {{- end }}
       volumes:
+        - name: secret-config
+          secret:
+            secretName: {{ template "prometheus-mysql-exporter.secretName" . }}
     {{- if and (.Values.cloudsqlproxy.enabled) (not .Values.cloudsqlproxy.workloadIdentity.enabled) }}
         - name: cloudsql-proxy-sa-credentials
           secret:

charts/prometheus-mysql-exporter/templates/secret-config.yaml

@@ -0,0 +1,27 @@
+{{- if not .Values.mysql.existingConfigSecret.name }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "prometheus-mysql-exporter.secretName" . }}
+  labels:
+    {{- include "prometheus-mysql-exporter.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{ template "prometheus-mysql-exporter.secretKey" . }}: |
+      [client]
+      host={{ .Values.mysql.host }}
+      port={{ .Values.mysql.port }}
+      user={{ .Values.mysql.user }}
+      {{- if and (.Values.mysql.pass) (not .Values.mysql.existingPasswordSecret.name) }}
+      password={{ .Values.mysql.pass }}
+      {{- end }}
+      {{- if .Values.mysql.db }}
+      database={{ .Values.mysql.db }}
+      {{- end }}
+      {{- if .Values.mysql.protocol }}
+      protocol={{ .Values.mysql.protocol }}
+      {{- end }}
+      {{- range $param := .Values.mysql.additionalConfig}}
+      {{ $param }}
+      {{- end }}
+{{- end }}

charts/prometheus-mysql-exporter/templates/servicemonitor.yaml

@@ -44,4 +44,4 @@ spec:
   {{- if .Values.serviceMonitor.relabelings }}
       relabelings: {{ toYaml .Values.serviceMonitor.relabelings | nindent 8 }}
   {{- end }}
-{{- end }}
+{{- end }}

charts/prometheus-mysql-exporter/values.yaml

@@ -140,17 +140,22 @@ collectors: {}
   # heartbeat.database: heartbeat
   # heartbeat.table: heartbeat
 
-# mysql connection params which build the DATA_SOURCE_NAME env var of the docker container
+# mysql connection params which build the my.cnf config
 mysql:
   db: ""
   host: "localhost"
-  param: ""
+  # config my.cnf https://dev.mysql.com/doc/c-api/8.0/en/mysql-options.html
+  additionalConfig:
+    # - connect-timeout=5
+    # - debug
   pass: "password"
   port: 3306
   protocol: ""
   user: "exporter"
-  # secret with full DATA_SOURCE_NAME env var as stringdata
-  existingSecret: ""
+  # secret with full config my.cnf
+  existingConfigSecret:
+    name: ""
+    key: ""
   # secret only containing the password
   existingPasswordSecret:
     name: ""
@@ -160,11 +165,11 @@ mysql:
 cloudsqlproxy:
   enabled: false
   image:
-    repo: "gcr.io/cloudsql-docker/gce-proxy"
-    tag: "1.33.0-alpine"
+    repo: "gcr.io/cloud-sql-connectors/cloud-sql-proxy"
+    tag: "2.4.0"
     pullPolicy: "IfNotPresent"
   instanceConnectionName: "project:us-central1:dbname"
-  ipAddressTypes: ""
+  privateIp: false
   port: "3306"
   credentialsSecret: ""
   # service account json