Skip to content

feat(connections): native Cloud SQL Auth Proxy integration#1844

Open
datlechin wants to merge 1 commit into
mainfrom
feat/cloud-sql-auth-proxy
Open

feat(connections): native Cloud SQL Auth Proxy integration#1844
datlechin wants to merge 1 commit into
mainfrom
feat/cloud-sql-auth-proxy

Conversation

@datlechin

Copy link
Copy Markdown
Member

Closes #1728.

Adds native Google Cloud SQL Auth Proxy support so Cloud SQL users no longer run cloud-sql-proxy in a terminal and hand-point a connection at its port. TablePro starts the proxy when you connect and stops it when you disconnect, the same way it manages SSH and Cloudflare tunnels.

Design

The proxy is a per-connection transport attribute (cloudSQLProxyMode on DatabaseConnection), not a DatabaseType: a Cloud SQL instance is still MySQL, PostgreSQL, or SQL Server, and only the network path differs. It mirrors the existing Cloudflare tunnel end to end. CloudSQLProxyManager (an actor) supervises the cloud-sql-proxy process, allocates a free loopback port, waits for readiness with a TCP probe plus an stderr scan, then reuses the shared tunneledConnection(from:localPort:) rewrite unchanged. On disconnect, quit, or process death it is torn down, with the same PID-persist and stale-PID sweep the Cloudflare path uses.

Binary provisioning: resolves cloud-sql-proxy from PATH, Homebrew, or the gcloud SDK first; otherwise a "Download" button in the pane fetches Google's binary, verifies a hardcoded SHA-256 pin (v2.23.0), and strips quarantine. Google's macOS binaries are not Apple-notarized, so a locally installed one is preferred.

Authentication: Application Default Credentials, a service account key (stored in the Keychain, written to a 0600 temp file only while the proxy runs and never passed on the command line), and IAM database authentication (--auto-iam-authn).

Shared tunnel dispatch (and two bug fixes)

Eight DatabaseManager sites used to hand-enumerate "SSH or Cloudflare?" by name. They now share one TunnelManaging protocol (both tunnel actors already satisfy it) plus DatabaseConnection.activeTunnelKind / enabledTunnelKinds and activeTunnelManager(for:). Two of those sites only ever closed the SSH tunnel, so a failed test connection or a cancelled connect leaked the cloudflared process; the shared dispatch fixes both. Mutual exclusivity is now an N-way check.

Shared subprocess plumbing was extracted so it isn't written twice: CloudflaredProcess became the generic SupervisedProcessRunner, and the loopback port helpers became LoopbackPort.

Tests

  • Model Codable round-trips and instance-connection-name validation.
  • ConnectionTunnelKind across every SSH/Cloudflare/proxy combination.
  • CloudSQLProxyManager against a fake runner: readiness, startup failure, invalid instance, missing binary, service-account-key file lifecycle (written 0600, removed on close), terminate, and stale-PID sweep.
  • CloudSQLProxyBinaryManager: checksum match installs, mismatch is rejected, and an installed binary short-circuits without fetching.
  • Pane validation.

Docs and changelog

New docs/databases/cloud-sql-proxy.mdx, plus CHANGELOG Added (feature) and Fixed (the Cloudflare process leak) entries.

Notes

  • swiftlint lint --strict is clean on the changed files.
  • I have not built this locally; please confirm it compiles before merge.

@mintlify

mintlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
TablePro 🟢 Ready View Preview Jul 9, 2026, 7:48 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Native Cloud SQL Auth Proxy Integration

1 participant