Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-23.2: sqlproxyccl: add proxy protocol listener #117865

Merged
merged 1 commit into from
Jan 25, 2024
Merged

release-23.2: sqlproxyccl: add proxy protocol listener #117865

merged 1 commit into from
Jan 25, 2024

Conversation

DuskEagle
Copy link
Member

Backport 1/1 commits from #117241.

/cc @cockroachdb/release

Release justification: high-priority business need for the functionality; the new functionality is only accessed by a startup flag; the new functionality only affects SQLProxy, not CRDB itself.

To support GCP Private Service Connect, we need to have a listener in
SQLProxy which expects packets to contain proxy protocol headers. This
listener will be used for all traffic inbound from PSC. At the same
time, SQLProxy must continue to accept connections through the public
Internet which will not contain proxy protocol headers, and for which
any proxy protocol headers we receive cannot be trusted.

This commit introduces an optional second listener in SQLProxy,
controlled by --proxy-protocol-listen-addr, which requires
proxy protocol even as the primary listener doesn't. Private Service
Connect will direct traffic to this second listener.

Resolves #117240

Release note: None

@DuskEagle DuskEagle requested review from a team as code owners January 17, 2024 15:55
@blathers-crl blathers[crl]
Copy link

blathers-crl bot commented Jan 17, 2024

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL and one additional
    TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Jan 17, 2024
@cockroach-teamcity
Copy link
Member

This change is Reviewable

rafiss
rafiss approved these changes Jan 17, 2024
View reviewed changes
Copy link
Collaborator

@rafiss rafiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not familiar with the code being changes, but confirming that the backport is low risk to the main CRDB process

jeffswenson
jeffswenson approved these changes Jan 17, 2024
View reviewed changes
Copy link
Collaborator

@jeffswenson jeffswenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

The code changed impacts the sqlproxy, which is only used in serverless deployments.

@DuskEagle DuskEagle mentioned this pull request Jan 18, 2024
Closed
@DuskEagle
sqlproxyccl: add proxy protocol listener
39368ae 
To support GCP Private Service Connect, we need to have a listener in
SQLProxy which expects packets to contain proxy protocol headers. This
listener will be used for all traffic inbound from PSC. At the same
time, SQLProxy must continue to accept connections through the public
Internet which will not contain proxy protocol headers, and for which
any proxy protocol headers we receive cannot be trusted.

This commit introduces an optional second listener in SQLProxy,
controlled by `--proxy-protocol-listen-addr`, which requires
proxy protocol even as the primary listener doesn't. Private Service
Connect will direct traffic to this second listener.

Resolves cockroachdb#117240

Release note: None
@DuskEagle DuskEagle force-pushed the backport23.2-117241 branch from 1b115d7 to 39368ae Compare January 25, 2024 03:23
@DuskEagle DuskEagle merged commit 6085a47 into cockroachdb:release-23.2 Jan 25, 2024
5 of 6 checks passed
@DuskEagle DuskEagle deleted the backport23.2-117241 branch January 25, 2024 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeffswenson jeffswenson jeffswenson approved these changes

@rafiss rafiss rafiss approved these changes

Assignees
No one assigned
Labels
backport Label PR's that are backports to older release branches
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DuskEagle @cockroach-teamcity @rafiss @jeffswenson