release-21.2: sqlproxyccl: support secure connections to SQL backends #70290

Merged
merged 2 commits into from Sep 20, 2021

@blathers-crl blathers-crl bot commented Sep 15, 2021

Backport 1/1 commits from #69959 on behalf of @chrisseto.

/cc @cockroachdb/release


Previously, when establishing a TLS connection to the SQL backend,
the sqlproxy failed to set .ServerName on the tls.Config. The
result was the error `tls: either ServerName or InsecureSkipVerify
must be specified in the tls.Config` whenever .SkipVerify was false.
This behavior made it impossible to establish verified secure
connections to SQL backends. This commit properly sets .ServerName
based on the outgoingAddress returned by the tenantdir service.

Release note: None


Release justification: Having a verified TLS connection between the
SQLProxy and SQL Pods in Cockroach Serverless is a requirement for the
beta release. This code change enables that secure connection without
making any changes to CockroachDB, itself.


blathers-crl bot commented Sep 15, 2021

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity

This change is Reviewable

@chrisseto chrisseto added the backport-21.2.x 21.2 is EOL label Sep 15, 2021

@andy-kimball andy-kimball left a comment

:lgtm:

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @catj-cockroach, @chrisseto, and @darinpp)

    Previously, the sqlproxy would parse incoming and outgoing addresses
    using golang's net.SplitHostPort function. This was inadequate
    because net.SplitHostPort does not know how to correctly parse IPv6
    addresses. This commit correctly uses addr.SplitHostPort to ensure
    that both IPv4 and IPv6 are supported.
    This commit also includes an updated release note for #69959.

Release note (bug fix, security update): cockroach mt start-proxy now
appropriately sets the .ServerName member of outgoing TLS connections.
This allows the proxy to function appropriately when the --insecure and
--skip-verify CLI flags are omitted.

Release justification: Having a verified TLS connection between the
SQLProxy and SQL Pods in Cockroach Serverless is a requirement for the
beta release. This code change enables that secure connection without
making any changes to CockroachDB, itself.
@chrisseto chrisseto merged commit e668464 into release-21.2 Sep 20, 2021
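
Added example, not code from this PR or from sqlproxyccl: the failure and the fix that the two commit messages describe, reproduced with only the Go standard library. `backendTLSConfig` and `helloError` are hypothetical names, the backend address is constructed, and `net.SplitHostPort` stands in for the project's `addr.SplitHostPort`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
)

// Error crypto/tls returns when neither field is set (quoted in the PR).
const missingNameMsg = "tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config"

// backendTLSConfig (hypothetical helper) builds a verifying client config
// whose ServerName is the host part of the backend's "host:port" address.
// net.SplitHostPort is a standard-library stand-in for addr.SplitHostPort.
func backendTLSConfig(outgoingAddress string) (*tls.Config, error) {
	host, _, err := net.SplitHostPort(outgoingAddress)
	if err != nil {
		return nil, fmt.Errorf("backend address %q: %w", outgoingAddress, err)
	}
	// InsecureSkipVerify stays false: the certificate is checked against host.
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}, nil
}

// helloError (hypothetical helper) starts a client handshake on an in-memory
// pipe whose peer is already closed, so it returns at once. The config check
// runs before any bytes are written, so no network or server is needed.
func helloError(serverName string) error {
	client, server := net.Pipe()
	server.Close()
	defer client.Close()
	return tls.Client(client, &tls.Config{ServerName: serverName}).Handshake()
}

func main() {
	// Constructed address; a real one would come from the tenant directory.
	cfg, err := backendTLSConfig("sql-pod-0.tenant-10.example.internal:26257")
	if err != nil {
		panic(err)
	}
	fmt.Println("ServerName:", cfg.ServerName)
	fmt.Println("empty ServerName:", helloError(""))
	fmt.Println("ServerName set:  ", helloError(cfg.ServerName))
}
```

With an empty ServerName the handshake stops at the configuration check; with ServerName set it gets past that check and fails only because the constructed pipe has no peer.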

blathers-crl bot commented Sep 20, 2021

Encountered an error creating backports. Some common things that can go wrong:

  1. The backport branch might have already existed.
  2. There was a merge conflict.
  3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.


error creating merge commit from b94d0a1 to blathers/backport-release-21.2-70290: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 21.2.x failed. See errors above.


🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.
