
Add GCS storage backend with lighter dependencies#179

Open: andrew wants to merge 2 commits into main from andrew/lightweight-gcs-backend



@andrew andrew commented Jul 1, 2026

Contributor

Alternative implementation for #167.

This keeps the GCS storage feature and docs from #167, but avoids the blank import of gocloud.dev/blob/gcsblob. Instead it adds a narrow storage.GCS backend implemented against the Cloud Storage JSON API using ADC via golang.org/x/oauth2/google.

Dependency graph comparison:

go list -deps ./cmd/proxy

The gocloud.dev/blob/gcsblob implementation in #167 adds 220 linked packages over base. That includes cloud.google.com/go/storage, cloud.google.com/go/iam, cloud.google.com/go/monitoring, Google API clients, OpenTelemetry GCP instrumentation, grpc xDS packages, Envoy protobuf packages, SPIFFE, and related signing/auth packages. This PR avoids those extra storage/monitoring/xDS/Envoy paths.

Binary size comparison using:

CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /tmp/proxy ./cmd/proxy

| Build | Size |
| --- | --- |
| base | 35,324,066 bytes |
| #167 using gcsblob | 52,822,178 bytes |
| this PR | 35,651,746 bytes |

This version is +327,680 bytes over base, about +0.93%, and saves 17,170,432 bytes versus the current #167 implementation.

The lighter backend supports:

  • gs://bucket storage URLs
  • ADC / Workload Identity for object I/O
  • upload, open, exists, delete, size, list, and used-space operations
  • signed URLs via service-account private key or IAM Credentials signBlob REST API
  • STORAGE_EMULATOR_HOST for local/fake GCS tests

Validation:

go test ./...
CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /tmp/proxy ./cmd/proxy
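
Two input-handling checks that a narrow Cloud Storage JSON API backend like the one described above depends on, as an added Go example that is not code from this PR: strict parsing of the gs://bucket URL, percent-encoding of the object name into a single path segment, and an endpoint resolver that withholds the ADC token when STORAGE_EMULATOR_HOST is set. The function names, the rejection of anything beyond gs://bucket, and the no-token-to-emulator policy are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Endpoint (hypothetical type) says where requests go and whether ADC may be attached.
type Endpoint struct {
	Base      string // scheme://host, no trailing slash
	SendToken bool   // false for an emulator, so real credentials never reach it
}

// ResolveEndpoint takes the STORAGE_EMULATOR_HOST value as an argument for testability.
func ResolveEndpoint(emulatorHost string) Endpoint {
	if emulatorHost == "" {
		return Endpoint{Base: "https://storage.googleapis.com", SendToken: true}
	}
	if !strings.Contains(emulatorHost, "://") {
		emulatorHost = "http://" + emulatorHost // assumption: bare host:port means plain HTTP
	}
	return Endpoint{Base: strings.TrimRight(emulatorHost, "/"), SendToken: false}
}

// ParseBucket accepts only gs://bucket: no userinfo, port, path, query or fragment.
func ParseBucket(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "gs" || u.Host == "" || u.User != nil || u.Port() != "" ||
		u.RawQuery != "" || u.Fragment != "" || strings.Trim(u.Path, "/") != "" {
		return "", errors.New("storage URL must have the form gs://bucket")
	}
	return u.Host, nil
}

// ObjectMediaURL builds the JSON API download URL. The object name is one path
// segment, so "/" in it is percent-encoded instead of acting as a separator.
func ObjectMediaURL(ep Endpoint, bucket, object string) string {
	return fmt.Sprintf("%s/storage/v1/b/%s/o/%s?alt=media",
		ep.Base, url.PathEscape(bucket), url.PathEscape(object))
}

func main() {
	ep := ResolveEndpoint(os.Getenv("STORAGE_EMULATOR_HOST"))
	bucket, err := ParseBucket("gs://example-bucket") // constructed sample URL
	fmt.Println(ObjectMediaURL(ep, bucket, "npm/left-pad/1.3.0.tgz"), ep.SendToken, err)
}
```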

aarnaud and others added 2 commits June 11, 2026 13:54
Register gocloud.dev/blob/gcsblob so gs:// URLs are accepted as a storage
backend. Authentication uses Application Default Credentials, which makes
GKE Workload Identity work out of the box; signed URLs (direct_serve)
fall back to the IAM Credentials signBlob API when no private key is
available.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>