Supported running cleanup job on GCP

[allouis]

ref https://linear.app/ghost/issue/PROD-685

Connecting to CloudSQL isn't done in the usual way, we need to use the cloud-sql-proxy, or a socket, or some other way of connecting. Using this proxy seemed like the easiest way to have a shared image for both local and cloud use

[coderabbitai]

Walkthrough

This change updates the cleanup-expired-key-value-records job by modifying its Dockerfile to download and install the Cloud SQL Proxy binary version 2.10.1 at /bin/cloud-sql-proxy with executable permissions. The job's script is enhanced to support connecting to MySQL either via a Unix socket if the MYSQL_SOCKET_PATH environment variable is set, or via TCP using MYSQL_HOST and MYSQL_PORT (defaulting to 3306) if not. The MySQL command invocation dynamically includes the appropriate connection parameters based on the environment.

Possibly related PRs

• Added job for cleaning up key value rows #718: Introduces the initial cleanup-expired-key-value-records job and script, which this PR extends by adding Cloud SQL Proxy support and dynamic connection handling.
• Changed migrate to use mysql private ip connection #415: Modifies scripts to conditionally connect to MySQL using either a Unix socket or a TCP/private IP connection based on environment variables, similar to the connection method changes in this PR.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ecb3387 and dfe9358.

📒 Files selected for processing (1)

• jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

jobs/cleanup-expired-key-value-records/Dockerfile (1)

3-4: Consider verifying the cloud-sql-proxy binary integrity.

The code correctly downloads the cloud-sql-proxy binary from Google's official storage, but it doesn't verify the binary's integrity using checksums or signatures. For production environments, it's recommended to verify downloaded binaries to prevent supply chain attacks.

You could add a checksum verification step:

+RUN curl -Lo /bin/cloud-sql-proxy.sha256 https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.1/cloud-sql-proxy.linux.amd64.sha256
 RUN curl -Lo /bin/cloud-sql-proxy https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.1/cloud-sql-proxy.linux.amd64
+RUN echo "$(cat /bin/cloud-sql-proxy.sha256)  /bin/cloud-sql-proxy" | sha256sum -c
 RUN chmod +x /bin/cloud-sql-proxy
+RUN rm /bin/cloud-sql-proxy.sha256

jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records (1)

8-9: Replace static sleep with connection verification.

Using a static 2-second sleep assumes the proxy will be ready in that time. Under high load or network latency, this might not be sufficient.

Consider replacing the static sleep with a polling mechanism to verify the proxy is ready:

 cloud-sql-proxy -instances="$INSTANCE_CONNECTION_NAME"=tcp:$PORT &
 PROXY_PID=$!
-sleep 2
+# Wait for proxy to be ready with timeout
+TIMEOUT=30
+COUNTER=0
+while ! nc -z 127.0.0.1 $PORT && [ $COUNTER -lt $TIMEOUT ]; do
+  sleep 1
+  COUNTER=$((COUNTER+1))
+done
+if [ $COUNTER -eq $TIMEOUT ]; then
+  echo "Error: Timed out waiting for Cloud SQL Auth Proxy to be ready"
+  kill $PROXY_PID
+  exit 1
+fi

Note: This requires adding netcat to your Docker image:

RUN apt-get update && apt-get install -y netcat-openbsd && rm -rf /var/lib/apt/lists/*

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f300576 and ba2cdb6.

📒 Files selected for processing (2)

• jobs/cleanup-expired-key-value-records/Dockerfile (1 hunks)
• jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records (1 hunks)

🔇 Additional comments (1)

jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records (1)

16-18: LGTM: Appropriate use of dynamic HOST and PORT variables.

The script correctly uses the dynamically assigned HOST and PORT variables in the MySQL connection command, allowing seamless switching between direct connection and proxy connection modes.

[coderabbitai]

🛠️ Refactor suggestion

Improve Cloud SQL Proxy process management.

The current implementation starts the proxy as a background process but doesn't handle its termination when the script exits. Also, there's no error handling if the proxy fails to start.

Consider adding proper process management and error handling:

 if [ -n "$INSTANCE_CONNECTION_NAME" ]; then
   echo "Using Cloud SQL Auth Proxy for $INSTANCE_CONNECTION_NAME"
-  cloud-sql-proxy -instances="$INSTANCE_CONNECTION_NAME"=tcp:$PORT &
+  cloud-sql-proxy -instances="$INSTANCE_CONNECTION_NAME"=tcp:$PORT & 
+  PROXY_PID=$!
   sleep 2
+  # Check if proxy is running
+  if ! kill -0 $PROXY_PID 2>/dev/null; then
+    echo "Error: Cloud SQL Auth Proxy failed to start"
+    exit 1
+  fi
   HOST=127.0.0.1
+  # Set trap to kill proxy on script exit
+  trap 'kill $PROXY_PID' EXIT
 else
   echo "Using direct TCP host $MYSQL_HOST"
   HOST="$MYSQL_HOST"
 fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [ -n "$INSTANCE_CONNECTION_NAME" ]; then
	echo "Using Cloud SQL Auth Proxy for $INSTANCE_CONNECTION_NAME"
	cloud-sql-proxy -instances="$INSTANCE_CONNECTION_NAME"=tcp:$PORT &
	sleep 2
	HOST=127.0.0.1
	else
	echo "Using direct TCP host $MYSQL_HOST"
	HOST="$MYSQL_HOST"
	fi
	if [ -n "$INSTANCE_CONNECTION_NAME" ]; then
	echo "Using Cloud SQL Auth Proxy for $INSTANCE_CONNECTION_NAME"
	cloud-sql-proxy -instances="$INSTANCE_CONNECTION_NAME"=tcp:$PORT &
	PROXY_PID=$!
	sleep 2
	# Check if proxy is running
	if ! kill -0 $PROXY_PID 2>/dev/null; then
	echo "Error: Cloud SQL Auth Proxy failed to start"
	exit 1
	fi
	HOST=127.0.0.1
	# Set trap to kill proxy on script exit
	trap 'kill $PROXY_PID' EXIT
	else
	echo "Using direct TCP host $MYSQL_HOST"
	HOST="$MYSQL_HOST"
	fi

🤖 Prompt for AI Agents

In jobs/cleanup-expired-key-value-records/cleanup-expired-key-value-records
around lines 6 to 14, the Cloud SQL Proxy is started as a background process
without managing its lifecycle or handling startup errors. Modify the script to
capture the proxy process ID after starting it, add a trap to ensure the proxy
process is terminated when the script exits, and include checks to verify the
proxy started successfully, exiting with an error message if it fails.

[rmgpinto]

if MYSQL_SOCKET_PATH is set:

mysql \
   --socket="$MYSQL_SOCKET_PATH" \
   --user="$MYSQL_USER" \
   --password="$MYSQL_PASSWORD" \
   --database="$MYSQL_DATABASE"
...

else:

mysql \
   --host="$MYSQL_SOCKET_PATH" \
   --port="$MYSQL_PORT" \
   --user="$MYSQL_USER" \
   --password="$MYSQL_PASSWORD" \
   --database="$MYSQL_DATABASE"
...

[rmgpinto]

Not needed now 😄

[allouis]

Ooopsie, yup!