# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# You must configure probes in your deployment to use health checks in Kubernetes.
# This sample configuration for HTTP probes is adapted from proxy_with_workload_identity.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <YOUR-DEPLOYMENT-NAME>
spec:
  selector:
    matchLabels:
      app: <YOUR-APPLICATION-NAME>
  template:
    metadata:
      labels:
        app: <YOUR-APPLICATION-NAME>
    spec:
      containers:
      - name: <YOUR-APPLICATION-NAME>
        # ... other container configuration
        env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: <YOUR-DB-SECRET>
              key: username
        - name: DB_PASS
          valueFrom:
            secretKeyRef:
              name: <YOUR-DB-SECRET>
              key: password
        - name: DB_NAME
          valueFrom:
            secretKeyRef:
              name: <YOUR-DB-SECRET>
              key: database
      - name: cloud-sql-proxy
        # It is recommended to use the latest version of the Cloud SQL proxy
        # Make sure to update on a regular schedule!
        image: gcr.io/cloudsql-docker/gce-proxy:1.27.0
        command:
          - "/cloud_sql_proxy"

          # If connecting from a VPC-native GKE cluster, you can use the
          # following flag to have the proxy connect over private IP
          # - "-ip_address_types=PRIVATE"

          # Replace DB_PORT with the port the proxy should listen on
          # Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
          - "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
          # Enables HTTP health checks.
          - "-use_http_health_check"
          # Specifies the health check server port.
          # Defaults to 8090.
          - "-health_check_port=<YOUR-HEALTH-CHECK-PORT>"
          # This flag specifies where the service account key can be found
          - "-credential_file=/secrets/service_account.json"
        securityContext:
          # The default Cloud SQL proxy image runs as the
          # "nonroot" user and group (uid: 65532) by default.
          runAsNonRoot: true
        volumeMounts:
        - name: <YOUR-SA-SECRET-VOLUME>
          mountPath: /secrets/
          readOnly: true
        # Resource configuration depends on an application's requirements. You
        # should adjust the following values based on what your application
        # needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        resources:
          requests:
            # The proxy's memory use scales linearly with the number of active
            # connections. Fewer open connections will use less memory. Adjust
            # this value based on your application's requirements.
            memory: "2Gi"
            # The proxy's CPU use scales linearly with the amount of IO between
            # the database and the application. Adjust this value based on your
            # application's requirements.
            cpu:    "1"
        # Recommended configurations for health check probes.
        # Probe parameters can be adjusted to best fit the requirements of your application.
        # For details, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
        livenessProbe:
          httpGet:
            path: /liveness
            port: 8090
          # Number of seconds after the container has started before the first probe is scheduled. Defaults to 0.
          # Not necessary when the startup probe is in use.
          initialDelaySeconds: 0
          # Frequency of the probe.
          periodSeconds: 60
          # Number of seconds after which the probe times out.
          timeoutSeconds: 30
          # Number of times the probe is allowed to fail before the transition
          # from healthy to failure state.
          #
          # If periodSeconds = 60, 5 tries will result in five minutes of
          # checks. The proxy starts to refresh a certificate five minutes
          # before its expiration. If those five minutes lapse without a
          # successful refresh, the liveness probe will fail and the pod will be
          # restarted.
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: 8090
          initialDelaySeconds: 0
          periodSeconds: 10
          timeoutSeconds: 5
          # Number of times the probe must report success to transition from failure to healthy state.
          # Defaults to 1 for readiness probe.
          successThreshold: 1
          failureThreshold: 1
        startupProbe:
          httpGet:
            path: /startup
            port: 8090
          periodSeconds: 1
          timeoutSeconds: 5
          failureThreshold: 20
      volumes:
      - name: <YOUR-SA-SECRET-VOLUME>
        secret:
          secretName: <YOUR-SA-SECRET>