From c0f2cebe1f6891d412deb356ddc8155511460747 Mon Sep 17 00:00:00 2001 From: Thanatat Tamtan Date: Thu, 25 Jun 2026 06:14:30 +0700 Subject: [PATCH 1/2] docs(deployments): document AlloyDB sidecar + cloudSqlProxy IAM/private-IP flags Rework the Sidecars section of the configuration guide for the two managed sidecars now available (api#115, api#116): - Split into cloudSqlProxy and alloyDbProxy subsections. - Document cloudSqlProxy autoIamAuthn (keyless via workloadIdentity, mutually exclusive with credentials) and privateIp. - Document the new alloyDbProxy variant (instance URI, default port 5432, workloadIdentity-preferred credentials). - State the two-sidecar limit and the must-use-different-ports rule. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_011d4bVuGLnCbcJD9ZvastPH --- content/deployments/configuration.md | 51 +++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 5 deletions(-) diff --git a/content/deployments/configuration.md b/content/deployments/configuration.md index 9ee67c7..43cc8cf 100644 --- a/content/deployments/configuration.md +++ b/content/deployments/configuration.md @@ -127,8 +127,13 @@ Optional `subPath` mounts a sub-directory of the disk only. ## Sidecars — `sidecars` A sidecar is a helper container that shares the pod with your main container and -its lifecycle. Today the only supported sidecar is the **Cloud SQL Auth Proxy**, -configured under `cloudSqlProxy` — you don't supply an arbitrary image: +its lifecycle. Sidecars are curated: you pick one from a fixed set and configure +it, you don't supply an arbitrary image. Two managed sidecars are available — the +**Cloud SQL Auth Proxy** (`cloudSqlProxy`) and the **AlloyDB Auth Proxy** +(`alloyDbProxy`). You can attach up to two sidecars per deployment, and they must +listen on different ports. + +### Cloud SQL Auth Proxy — `cloudSqlProxy` ```json "sidecars": [ 
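Review bot: The rewritten intro sentence in this hunk has a comma splice ("...and configure it, you don't supply an arbitrary image") and duplicates the callout added at the end of the section; suggest "you pick one from a fixed set and configure it; you don't supply an arbitrary image." or drop the clause here and let the callout say it once. The new two-sidecar rule also leaves two cases undefined: whether both entries may be the same kind (for example two `cloudSqlProxy` entries pointing at different instances) or must be one `cloudSqlProxy` plus one `alloyDbProxy`, and what the platform does when two sidecars are configured with the same port (reject the deployment at submit time, or let the pod fail to start). One sentence settling both would save support questions.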
@@ -136,7 +141,8 @@ configured under `cloudSqlProxy` — you don't supply an arbitrary image: "cloudSqlProxy": { "instance": "my-project:asia-southeast1:main", "port": 5432, - "credentials": "" + "autoIamAuthn": true, + "privateIp": true } } ] 
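Review bot: The example now sets `"autoIamAuthn": true` without showing the `workloadIdentity` binding that the field description in the next hunk says it must be paired with, so a reader who copies this snippet verbatim gets a proxy with no identity to authenticate as; either add the binding to the example or point at the `#pull-secret-and-workload-identity` example right next to it. Removing `"credentials": ""` is the right call, since an empty string is neither a usable default nor the documented way to omit the field. It is also worth a clause beside `"privateIp": true` saying that the deployment needs a network path to the instance's private address, otherwise the first symptom a reader sees is a connect timeout with no hint that the flag is the cause.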
@@ -147,9 +153,44 @@ configured under `cloudSqlProxy` — you don't supply an arbitrary image: connects to the database at `127.0.0.1:`. - **`credentials`** — optional service-account JSON for the proxy; omit it to use the deployment's ambient credentials. +- **`autoIamAuthn`** — optional; authenticate to the database with the + deployment's IAM principal instead of a database password. Pair it with a + [`workloadIdentity`](#pull-secret-and-workload-identity) binding for fully keyless access. + Cannot be combined with `credentials`. +- **`privateIp`** — optional; connect to the instance's private IP instead of its + public IP. + +The platform runs this as a `cloudsql-proxy` container alongside yours. + +### AlloyDB Auth Proxy — `alloyDbProxy` + +The AlloyDB Auth Proxy works the same way for an AlloyDB (PostgreSQL) instance: + +```json +"sidecars": [ + { + "alloyDbProxy": { + "instance": "projects/my-project/locations/asia-southeast1/clusters/main/instances/primary", + "port": 5432 + } + } +] +``` -The platform runs this as a `cloudsql-proxy` container alongside yours. Arbitrary -sidecar containers (your own image, command, and env) aren't supported yet. +- **`instance`** — required; the full AlloyDB instance URI + (`projects//locations//clusters//instances/`). +- **`port`** — the local port the proxy listens on (default `5432`). Your app + connects to the database at `127.0.0.1:`. +- **`credentials`** — optional service-account JSON for the proxy; omit it and + bind a [`workloadIdentity`](#pull-secret-and-workload-identity) so the proxy authenticates + keyless via Application Default Credentials and nothing sensitive is stored. + +The platform runs this as an `alloydb-proxy` container alongside yours. + +{{< callout type="info" >}} +Arbitrary sidecar containers (your own image, command, and env) aren't supported — +sidecars are limited to the managed proxies above. +{{< /callout >}} ## TTL and one-shot jobs — `ttl` 
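Review bot: The two `credentials` descriptions in this hunk disagree in emphasis: the `cloudSqlProxy` entry says "omit it to use the deployment's ambient credentials", while the `alloyDbProxy` entry recommends omitting it and binding a `workloadIdentity` "so the proxy authenticates keyless ... and nothing sensitive is stored". Since `credentials` is a long-lived service-account key in both cases, use the same keyless-first wording for `cloudSqlProxy`. Two smaller points: `autoIamAuthn` says it "Cannot be combined with `credentials`" but not how that is enforced (validation error on submit, or last one wins), and both examples use port `5432` while `alloyDbProxy` documents `5432` as its default, so attaching both sidecars requires an explicit non-default `port` on one of them; say so where the different-ports rule lives rather than leaving the reader to discover the collision. Finally, the placeholder segments in the instance URI template (`projects//locations//clusters//instances/`) and in `127.0.0.1:` render empty as shown here; check the source uses a placeholder form that survives rendering. The `type="info"` callout is addressed by the follow-up patch.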
From d37106d5b1f075ed8a951ff1c3b1d36ec4a20f4b Mon Sep 17 00:00:00 2001 From: Thanatat Tamtan Date: Thu, 25 Jun 2026 14:18:06 +0700 Subject: [PATCH 2/2] docs(deployments): use valid callout type=note for sidecar notice The callout shortcode only maps note/tip/warning/danger to an icon; type="info" resolves to a nil icon and fails the Hugo build (index $icons ). Switch the sidecar notice to type="note" (which already renders with the info icon). Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_011d4bVuGLnCbcJD9ZvastPH --- content/deployments/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/deployments/configuration.md b/content/deployments/configuration.md index 43cc8cf..7511b7e 100644 --- a/content/deployments/configuration.md +++ b/content/deployments/configuration.md @@ -187,7 +187,7 @@ The AlloyDB Auth Proxy works the same way for an AlloyDB (PostgreSQL) instance: The platform runs this as an `alloydb-proxy` container alongside yours. -{{< callout type="info" >}} +{{< callout type="note" >}} Arbitrary sidecar containers (your own image, command, and env) aren't supported — sidecars are limited to the managed proxies above. {{< /callout >}}
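Review bot: The one-line change is correct for the failure described, but the underlying problem is that an unknown `type` reaches `index $icons` as nil and the build fails with a message that does not name the offending value; consider having the shortcode call `errorf` with the bad type and the allowed set (note/tip/warning/danger), or fall back to the note icon, so the next typo does not need a second commit to diagnose. Since this patch only corrects a value introduced by PATCH 1/2, squashing the two before merge keeps the docs history bisectable.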