sqlproxyccl: fix the run proxy sample script
The pkg/ccl/sqlproxyccl/run_proxy.sh sets up a multi-instance environment with a host server, proxy server and a test directory server that can start tenant processes on demand. Some recent changes prevent the script from running due to the issues described in cockroachdb#71385. This PR does the following: - changes the script so it uses secure connections between all processes - uses separate CAs when possible - adds a cert directory option to the test directory server so tenant processes can be started with the correct set of certs - adds a KV addrs flag to the test directory so the tenant processes can target the correct host server - changes the capturing of the tenant processes output to continuously flow into the test directory server log. Previously that was happening when the tenant process terminated. - adds a store argument to the tenant process - removes the --logtostderr proxy option - changes the proxy http listen port to not interfere with the default cockroach db port - minor fix for the "tenant client cert not found" message to show the directory that is being searched for the cert Fixes cockroachdb#71385 Release note: None
Showing
10 changed files
with
142 additions
and
65 deletions.
@@ -1,51 +1,83 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
# Sample script to run a minimal cockroachdb deployment using sqlproxy | ||
# listening on its default port at localhost:46257. | ||
# This consists of a single-node db cluster, a sql tenant server, and a proxy. | ||
# The proxy listens on :46257, forwarding to tenant SQL server at :36257. | ||
# Finally a sql shell is opened for tenant id 123 and user `bob`. | ||
# The password for `bob` is `builder`. | ||
# | ||
# WARNING: directory `~/.cockroach-certs` will be DELETED. | ||
# WARNING: all cockroach and sqlproxy processes will be killed. | ||
|
||
COCKROACH=${1:-'./cockroach'} | ||
SQLPROXY=${2:-$COCKROACH mt start-proxy --target-addr 127.0.0.1:36257} | ||
|
||
set -euxo pipefail | ||
|
||
# Prep work. | ||
rm -rf ~/.cockroach-certs cockroach-data | ||
killall -9 cockroach || true | ||
killall -9 sqlproxy || true | ||
|
||
# Create certificates. | ||
export CERTSDIR=$HOME/.cockroach-certs | ||
export COCKROACH_CA_KEY=$CERTSDIR/ca.key | ||
$COCKROACH cert create-ca | ||
$COCKROACH cert create-client root | ||
$COCKROACH cert create-node 127.0.0.1 localhost | ||
$COCKROACH mt cert create-tenant-client 123 --certs-dir=${HOME}/.cockroach-certs | ||
|
||
# Start KV layer. (:26257) | ||
$COCKROACH start-single-node --host 127.0.0.1 --background | ||
# Create tenant | ||
$COCKROACH sql --host 127.0.0.1 -e 'select crdb_internal.create_tenant(123);' | ||
|
||
# Spawn tenant SQL server (:36257) pointing at KV layer (:26257) | ||
COCKROACH_TRUST_CLIENT_PROVIDED_SQL_REMOTE_ADDR=true $COCKROACH mt start-sql --tenant-id 123 --kv-addrs 127.0.0.1:26257 --sql-addr 127.0.0.1:36257 --logtostderr=NONE & | ||
COCKROACH=${1:-'cockroach'} | ||
BASE=${2:-$(mktemp -d -t 'tenant-test-XXXX')} | ||
|
||
# Setup host | ||
HOST=$BASE/host | ||
CLIENT=$BASE/client | ||
TENANT=$BASE/tenant | ||
DIR=$BASE/dir | ||
PROXY=$BASE/proxy | ||
|
||
mkdir -p $HOST | ||
mkdir -p $CLIENT | ||
mkdir -p $TENANT | ||
mkdir -p $DIR | ||
mkdir -p $PROXY | ||
|
||
#Ports | ||
HOST_P=55501 | ||
HOST_HTTP_P=55502 | ||
TENANT_P=55503 | ||
TENANT_HTTP_P=55504 | ||
DIR_P=55505 | ||
PROXY_P=55506 | ||
PROXY_HTTP_P=55507 | ||
|
||
echo Create node CA and node cert | ||
COCKROACH_CA_KEY=$HOST/ca.key COCKROACH_CERTS_DIR=$HOST $COCKROACH cert create-ca | ||
COCKROACH_CA_KEY=$HOST/ca.key COCKROACH_CERTS_DIR=$HOST $COCKROACH cert create-node 127.0.0.1 localhost | ||
|
||
echo Create client CA | ||
COCKROACH_CA_KEY=$CLIENT/ca.key COCKROACH_CERTS_DIR=$CLIENT $COCKROACH cert create-client-ca | ||
mv $CLIENT/ca-client.crt $CLIENT/ca.crt | ||
# SQL connections may have client CA or host CA issued certs on either side. | ||
cat $HOST/ca.crt >> $CLIENT/ca.crt | ||
cp $CLIENT/ca.crt $HOST/ca-client.crt | ||
|
||
echo Create tenant CA | ||
COCKROACH_CA_KEY=$TENANT/ca.key COCKROACH_CERTS_DIR=$TENANT $COCKROACH cert create-tenant-client-ca | ||
mv $TENANT/ca-client-tenant.crt $TENANT/ca.crt | ||
cp $TENANT/ca.crt $HOST/ca-client-tenant.crt | ||
cat $HOST/ca.crt >> $TENANT/ca.crt | ||
|
||
echo Start KV layer | ||
$COCKROACH start-single-node --listen-addr=localhost:$HOST_P --http-addr=:$HOST_HTTP_P --background --certs-dir=$HOST --store=$HOST/store | ||
|
||
echo Create client host root cert | ||
COCKROACH_CA_KEY=$CLIENT/ca.key COCKROACH_CERTS_DIR=$CLIENT $COCKROACH cert create-client root | ||
echo Connect as root to the host cluster and create tenant | ||
COCKROACH_CA_KEY=$CLIENT/ca.key COCKROACH_CERTS_DIR=$CLIENT $COCKROACH sql --port=$HOST_P -e " | ||
SELECT CASE WHEN NOT EXISTS(SELECT * FROM system.tenants WHERE id = 123) | ||
THEN crdb_internal.create_tenant(123) | ||
END" > /dev/null | ||
|
||
echo Create cert for tenant 123 | ||
COCKROACH_CA_KEY=$TENANT/ca.key COCKROACH_CERTS_DIR=$TENANT $COCKROACH cert create-tenant-client 123 127.0.0.1 ::1 localhost *.local | ||
echo Start the tenant to set a root password | ||
$COCKROACH mt start-sql --certs-dir=$TENANT --kv-addrs=:$HOST_P --sql-addr=:$TENANT_P --http-addr=:$TENANT_HTTP_P --tenant-id=123 --log="{sinks: {stderr: {}}}" 2>$TENANT/tenant.stderr.log & | ||
TENANT_PID=$! | ||
echo Tenant PID is $TENANT_PID | ||
sleep 1 | ||
|
||
echo Create client tenant root cert | ||
COCKROACH_CA_KEY=$TENANT/ca.key COCKROACH_CERTS_DIR=$TENANT $COCKROACH cert create-client root | ||
echo Set the password | ||
COCKROACH_CA_KEY=$TENANT/ca.key COCKROACH_CERTS_DIR=$TENANT $COCKROACH sql --port=$TENANT_P -e "alter user root with password 'secret'" > $TENANT/alter_root.log | ||
|
||
echo Shutdown the tenant | ||
kill $TENANT_PID | ||
sleep 1 | ||
|
||
# Create user on tenant (proxy does not forward client certs) | ||
$COCKROACH sql --port 36257 -e "create user bob with password 'builder';" | ||
echo Start test directory server | ||
$COCKROACH mt test-directory --port=$DIR_P --kv-addrs=localhost:$HOST_P --certs-dir=$TENANT --base-dir=$TENANT --log="{sinks: {file-groups: {default: {dir: $DIR, channels: ALL}}}}" 2>$DIR/stderr.log & | ||
|
||
# Spawn the proxy on :46257, forwarding to tenant SQL server (:36257) | ||
$SQLPROXY --listen-addr 127.0.0.1:46257 --listen-cert $CERTSDIR/node.crt --listen-key $CERTSDIR/node.key & | ||
echo "Start the sql proxy server (with self signed client facing cert)" | ||
$COCKROACH mt start-proxy --listen-addr=localhost:$PROXY_P --listen-cert=* --listen-key=* --directory=:$DIR_P --listen-metrics=:$PROXY_HTTP_P --skip-verify --log="{sinks: {file-groups: {default: {dir: $PROXY, channels: ALL}}}}" 2>$PROXY/stderr.log & | ||
|
||
sleep 2 | ||
echo "All files are in $BASE" | ||
echo "To connect:" | ||
echo " $COCKROACH sql --url=\"postgresql://root:secret@127.0.0.1:$PROXY_P?sslmode=require&sslrootcert=a&options=--cluster%3Dtenant-cluster-123\"" | ||
|
||
# Connect to proxy to `defaultdb`. Note the need to prefix the db name with the | ||
# magic phrase 'prancing-pony'. | ||
# Password for user `bob` is `builder`. | ||
$COCKROACH sql --url "postgresql://bob:builder@127.0.0.1:46257/prancing-pony.defaultdb" |
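Review bot: `--skip-verify` on the `mt start-proxy` line disables certificate verification on the proxy-to-tenant hop, so although that hop is now TLS the proxy will accept any server answering at `:$TENANT_P`; this is at odds with the description's "secure connections between all processes" and deserves an inline comment such as `# --skip-verify: the proxy does not verify the tenant server's certificate; acceptable only for this local sample`. The connection string echoed at the end uses `sslmode=require&sslrootcert=a`, so the client shell does not verify the proxy's self-signed listen cert either and the same caveat applies there. Separately, the fixed `sleep 1` before `alter user root with password` is a race: if the tenant is not yet listening the `sql` command fails and `set -e` aborts the script, leaving the `--background` KV node and the tenant running with no cleanup `trap`. Also `BASE` comes from `$2` and every derived path (`mkdir -p $HOST`, `--certs-dir=$TENANT`, the `dir: $DIR` inside the `--log` YAML) is expanded unquoted, so a path containing whitespace breaks the script; quote the expansions or reject such paths up front.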