15 changes: 13 additions & 2 deletions java-bigquery-jdbc/Dockerfile
@@ -1,4 +1,4 @@
FROM gcr.io/cloud-devrel-public-resources/java11
FROM gcr.io/cloud-devrel-public-resources/java11 AS base
ARG BRANCH=main
ENV JDBC_DOCKER_ENV=true

Expand All @@ -19,6 +19,17 @@ RUN bash -c " \

# This will ensure all deps are present
WORKDIR /src
RUN mvn install
RUN mvn install

ENTRYPOINT []

# Proxy stage: configured squid proxy and iptables to force all traffic through it
FROM base AS proxy
RUN apt-get update && apt-get install -y squid iptables iproute2 curl && rm -rf /var/lib/apt/lists/*
COPY tools/environments/proxy/start-proxy.sh /usr/local/bin/start-proxy.sh
RUN chmod +x /usr/local/bin/start-proxy.sh
ENTRYPOINT ["/usr/local/bin/start-proxy.sh"]

# Regular stage: same as base, default stage
FROM base AS regular
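Review bot: The proxy stage's entrypoint rewrites the container firewall with iptables, which only works when the container is started with the NET_ADMIN capability (the Makefile in this PR adds `--cap-add=NET_ADMIN` in `.docker-run`), but nothing in the Dockerfile records that requirement for whoever runs the image by hand. Add `# Requires --cap-add=NET_ADMIN at run time: start-proxy.sh programs iptables` above the `FROM base AS proxy` line. The apt-get line also pulls in recommended packages; `apt-get install -y --no-install-recommends squid iptables iproute2 curl` keeps the image smaller. If the build uses BuildKit, the `COPY` plus `RUN chmod +x` pair can be one layer, `COPY --chmod=755 tools/environments/proxy/start-proxy.sh /usr/local/bin/start-proxy.sh`.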

21 changes: 18 additions & 3 deletions java-bigquery-jdbc/Makefile
@@ -1,9 +1,11 @@
SHELL := /bin/bash # Default 'sh' doesn't support 'source'
BUILD_BRANCH=main
CONTAINER_NAME=jdbc
PROXY_CONTAINER_NAME=$(CONTAINER_NAME)-proxy
PACKAGE_DESTINATION=$(PWD)/drivers
SRC="$(PWD)"
skipSurefire ?= true
skipShade ?= true
JDBC_DRIVER_VERSION = $(shell mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
JDBC_JAR = $(PACKAGE_DESTINATION)/google-cloud-bigquery-jdbc-$(JDBC_DRIVER_VERSION)-all.jar

Expand Down Expand Up @@ -33,13 +35,14 @@ unittest: |
-Dtest=$(test) \
test

# Important: By default, this command will skip unittests.
# Important: By default, this command will skip unittests & uberjar build.
# To include unit tests, run: make integration-test skipSurefire=false
integration-test:
mvn -B -ntp \
-Penable-integration-tests \
-DtrimStackTrace=false \
-DskipSurefire=$(skipSurefire) \
-DskipShade=$(skipShade) \
-Dclirr.skip=true \
-Denforcer.skip=true \
-Dit.failIfNoSpecifiedTests=true \
Expand Down Expand Up @@ -76,21 +79,30 @@ run-it-standalone:
# Commands for dockerized environments
.docker-run: |
docker run -it \
--cap-add=NET_ADMIN \
-v $(GOOGLE_APPLICATION_CREDENTIALS):/auth/application_creds.json \
-v "$(GOOGLE_APPLICATION_CREDENTIALS).p12":/auth/application_creds.p12 \
-e "GOOGLE_APPLICATION_CREDENTIALS=/auth/application_creds.json" \
-v $(SRC):/src \
-e "SA_EMAIL=test_email" \
-e "SA_SECRET=/auth/application_creds.json" \
-e "SA_SECRET_P12=/auth/application_creds.p12" \
-e "BIGQUERY_BASE_URL=$(BIGQUERY_BASE_URL)" \
-e "BIGQUERY_URL_FLAGS=$(BIGQUERY_URL_FLAGS)" \
$(CONTAINER_NAME) $(args)

docker-build:
docker build -t $(CONTAINER_NAME) -f Dockerfile --build-arg BRANCH=${BUILD_BRANCH} $(SRC)
docker build --target regular -t $(CONTAINER_NAME) -f Dockerfile --build-arg BRANCH=${BUILD_BRANCH} $(SRC)

docker-proxy-build:
docker build --target proxy -t $(PROXY_CONTAINER_NAME) -f Dockerfile --build-arg BRANCH=${BUILD_BRANCH} $(SRC)

docker-session:
$(MAKE) .docker-run args="bash"

docker-proxy-session:
$(MAKE) .docker-run CONTAINER_NAME=$(PROXY_CONTAINER_NAME) args="bash"

docker-package-all-dependencies: docker-build
mkdir -p $(PACKAGE_DESTINATION)
docker run \
Expand Down Expand Up @@ -134,6 +146,9 @@ docker-unittest: |
docker-integration-test: .check-env
$(MAKE) .docker-run args="make integration-test test=$(test) skipSurefire=$(skipSurefire)"

docker-proxy-integration-test: .check-env docker-proxy-build
$(MAKE) docker-integration-test CONTAINER_NAME=$(PROXY_CONTAINER_NAME) BIGQUERY_URL_FLAGS="ProxyHost=127.0.0.1;ProxyPort=3128;"

docker-coverage:
$(MAKE) .docker-run args="make unit-test-coverage"
$(MAKE) .docker-run args="make full-coverage"
$(MAKE) .docker-run args="make full-coverage"
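Review bot: `.docker-run` now passes `--cap-add=NET_ADMIN` unconditionally, so the regular (non-proxy) container used by `docker-session`, `docker-integration-test` and `docker-coverage` also gains the capability although only the proxy stage's entrypoint programs iptables. Make it opt-in: define `DOCKER_CAPS ?=` with the other variables, replace the added line with `$(DOCKER_CAPS) \`, and append `DOCKER_CAPS=--cap-add=NET_ADMIN` to the `$(MAKE)` invocations in `docker-proxy-session` and `docker-proxy-integration-test` (command-line assignments propagate through the recursive `$(MAKE)` to `.docker-run`). Separately, `docker-integration-test` forwards `skipSurefire` into the inner make but not the new `skipShade`, so `make docker-integration-test skipShade=false` has no effect inside the container; add `skipShade=$(skipShade)` to that `args=` string. If the file declares a `.PHONY` list outside this view, the three new `docker-proxy-*` targets should be added to it.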
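--- a/java-bigquery-jdbc/pom.xml
+++ b/java-bigquery-jdbc/pom.xml
@@ -31,6 +31,7 @@
 <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 <github.global.server>github</github.global.server>
 <site.installationModule>google-cloud-bigquery-jdbc</site.installationModule>
+<skipShade>false</skipShade>
 </properties>
 
 <build>
@@ -96,6 +97,7 @@
 <goal>shade</goal>
 </goals>
 <configuration>
+<skip>${skipShade}</skip>
 <shadedArtifactAttached>true</shadedArtifactAttached>
 <createSourcesJar>true</createSourcesJar>
 <shadeSourcesContent>true</shadeSourcesContent>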
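Review bot: The new `skipShade` property carries no comment saying what it controls or that the Makefile's `integration-test` target overrides it with `-DskipShade=true` by default, so a reader of the POM alone will not know the shaded artifact is skipped on that path. Add `<!-- Set to true (e.g. -DskipShade=true) to skip building the shaded uber-jar; the Makefile integration-test target does this by default. -->` above the property.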
58 changes: 58 additions & 0 deletions java-bigquery-jdbc/tools/environments/proxy/start-proxy.sh
@@ -0,0 +1,58 @@
#!/bin/bash
# start-proxy.sh

set -e

echo "Starting Squid proxy..."
# Run squid in background.
# On Debian, /usr/sbin/squid is the binary.
# -s sends errors to syslog. -Y during rebuild. -C do not catch fatal signals.
/usr/sbin/squid -sYC

# Wait for squid to be ready and listen on 3128
echo "Waiting for Squid to listen on port 3128..."
timeout=30
while ! curl -s -I -x http://127.0.0.1:3128 https://www.google.com >/dev/null; do
sleep 1
timeout=$((timeout - 1))
if [ $timeout -le 0 ]; then
echo "Squid failed to start or cannot access the internet."
exit 1
fi
done
echo "Squid is ready and working."

# Configure iptables to restrict network access
echo "Configuring iptables rules..."

# 1. Allow loopback traffic
iptables -A OUTPUT -o lo -j ACCEPT

# 2. Allow squid user (proxy) to access the network
iptables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT

# 3. Allow DNS (port 53) for everyone
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# 4. Allow outgoing traffic to port 3128 (proxies) for testing external proxies
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

# 4.5 Allow raw access to Maven Central (repo.maven.apache.org) for dynamic dependency downloads
echo "Resolving repo.maven.apache.org and allowing raw access..."
for ip in $(getent ahosts repo.maven.apache.org | awk '{print $1}' | sort -u); do
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Allowing outbound to $ip"
iptables -A OUTPUT -d "$ip" -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d "$ip" -p tcp --dport 80 -j ACCEPT
fi
done

# 5. Reject all other outgoing TCP/UDP traffic
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT

echo "Raw network access is now disabled. All traffic must go through the proxy."

# Execute the main command
exec "$@"
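Review bot: The iptables rules only cover IPv4, so if the container network has IPv6 connectivity (not visible here) a test process can still reach the internet directly over IPv6 and the enforcement the final echo announces is incomplete. Mirror the minimal policy next to step 5 with `ip6tables -A OUTPUT -o lo -j ACCEPT`, `ip6tables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset` and `ip6tables -A OUTPUT -p udp -j REJECT`, or state in a comment that the test network is IPv4-only. Rules 3 and 4 are destination-agnostic, so any process can still open a direct connection to port 53 or 3128 on any host; if the goal is strict enforcement, restrict them to the resolvers in /etc/resolv.conf and the specific external proxy hosts under test. The readiness loop also depends on www.google.com being reachable, so the container fails to start when that site is unreachable even though Squid itself is fine; a check against Squid's own listener would separate the two failure modes.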