ccl/sqlproxyccl: CC code migration to DB

Previsouly the sql proxy code was in the CC repo. This was making the
testing of the proxy against a live SQL server hard and was also
requiring a frequent cockroach repo bumps in case of changes.
This moves all the code from the CC report to the DB repo so now the
proxy is part of the cockroach executable.

More detailed list of changed:
* The old, sample star-proxy code has been retired in favor of the code
  moving over from the CC repo.
* The code that handles individual connections to the backend has been
  separated into a new ProxyHandler. Added tests for the proxy handler.
* BackendConfig has been retired.
* Using stop.Stopper to control the shutdown of the proxy.
* Added a command under mt that can be used to run the test directory
  server.
* Added proxy options to control idle timeout, rate limits, config
  options, use of directory server etc.
* Added code to monitor and handle os signals (HUP, TERM, INT).
* Intergated the cert manager so the certificates can be reloaded on
  external signal.
* Fixed the SQL tenant process so now the idle timeout causes the
  stopper to quiesce and the process to terminate successfuly.
* Set up the logging for the new proxy.
* Added a self-signed cert type to the cert manager to be used when
  testing secure connections witout generating explicit key/cert files.
* Moved the HookGlobal code from CC that can be used for temporary hooks
  during testing.

Here is how to test end to end the proxy, SQL tenant and host server,
using the test directory:
```
  # Start a host server in insecure mode. Tenants should already have been configured.
  ./cockroach start-single-node --insecure --log="{sinks: {stderr: {filter: info}}}"

  # Start a test directory server
  ./cockroach mt test-directory --port 36257 --log="{sinks: {stderr: {filter: info}}}"

  # Start a proxy server that uses the directory server
  ./cockroach mt start-proxy --directory=:36257 --listen-metrics=:8081 --log="{sinks: {stderr: {filter: info}}}" --insecure

  # Start a SQL client for one of the tenants.
  ./cockroach sql  --url="postgresql://[email protected]:46257/dim-dog-2.defaultdb" --insecure
```

Release note: None

.github/CODEOWNERS

@@ -45,6 +45,9 @@
 /pkg/cli/import_test.go      @cockroachdb/cli-prs @cockroachdb/bulk-prs
 /pkg/cli/sql*.go             @cockroachdb/cli-prs @cockroachdb/sql-experience
 /pkg/cli/start*.go           @cockroachdb/cli-prs @cockroachdb/server-prs
+/pkg/cli/mt_proxy.go         @cockroachdb/sqlproxy-prs @cockroachdb/server-prs
+/pkg/cli/mt_start_sql.go     @cockroachdb/sqlproxy-prs @cockroachdb/server-prs
+/pkg/cli/mt_test_directory.go @cockroachdb/sqlproxy-prs @cockroachdb/server-prs
 /pkg/cli/connect*.go         @cockroachdb/cli-prs @cockroachdb/server-prs
 /pkg/cli/init.go             @cockroachdb/cli-prs @cockroachdb/server-prs
 

pkg/BUILD.bazel

@@ -23,10 +23,10 @@ ALL_TESTS = [
     "//pkg/ccl/oidcccl:oidcccl_test",
     "//pkg/ccl/partitionccl:partitionccl_test",
     "//pkg/ccl/serverccl:serverccl_test",
-    "//pkg/ccl/sqlproxyccl/admitter:admitter_test",
     "//pkg/ccl/sqlproxyccl/cache:cache_test",
     "//pkg/ccl/sqlproxyccl/denylist:denylist_test",
-    "//pkg/ccl/sqlproxyccl/tenant:tenant_test",
+    "//pkg/ccl/sqlproxyccl/tenantdirsvr:tenantdirsvr_test",
+    "//pkg/ccl/sqlproxyccl/throttler:admitter_test",
     "//pkg/ccl/sqlproxyccl:sqlproxyccl_test",
     "//pkg/ccl/storageccl/engineccl:engineccl_test",
     "//pkg/ccl/storageccl:storageccl_test",

pkg/ccl/cliccl/BUILD.bazel

@@ -7,7 +7,6 @@ go_library(
         "debug.go",
         "debug_backup.go",
         "demo.go",
-        "mtproxy.go",
         "start.go",
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/cliccl",
@@ -19,7 +18,6 @@ go_library(
         "//pkg/ccl/backupccl",
         "//pkg/ccl/baseccl",
         "//pkg/ccl/cliccl/cliflagsccl",
-        "//pkg/ccl/sqlproxyccl",
         "//pkg/ccl/storageccl",
         "//pkg/ccl/storageccl/engineccl/enginepbccl:enginepbccl_go_proto",
         "//pkg/ccl/workloadccl/cliccl",
@@ -53,12 +51,9 @@ go_library(
         "//pkg/util/timeutil/pgdate",
         "//pkg/util/uuid",
         "@com_github_cockroachdb_apd_v2//:apd",
-        "@com_github_cockroachdb_cmux//:cmux",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_errors//oserror",
-        "@com_github_jackc_pgproto3_v2//:pgproto3",
         "@com_github_spf13_cobra//:cobra",
-        "@org_golang_x_sync//errgroup",
     ],
 )
 

pkg/ccl/sqlproxyccl/BUILD.bazel

@@ -11,20 +11,32 @@ go_library(
         "idle_disconnect_connection.go",
         "metrics.go",
         "proxy.go",
+        "proxy_handler.go",
         "server.go",
         ":gen-errorcode-stringer",  # keep
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/sqlproxyccl",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/ccl/sqlproxyccl/cache",
+        "//pkg/ccl/sqlproxyccl/denylist",
+        "//pkg/ccl/sqlproxyccl/tenant",
+        "//pkg/ccl/sqlproxyccl/throttler",
+        "//pkg/roachpb",
+        "//pkg/security/certmgr",
+        "//pkg/util",
         "//pkg/util/contextutil",
         "//pkg/util/httputil",
         "//pkg/util/log",
         "//pkg/util/metric",
+        "//pkg/util/retry",
+        "//pkg/util/stop",
         "//pkg/util/syncutil",
         "//pkg/util/timeutil",
         "@com_github_cockroachdb_errors//:errors",
+        "@com_github_cockroachdb_logtags//:logtags",
         "@com_github_jackc_pgproto3_v2//:pgproto3",
+        "@org_golang_google_grpc//:go_default_library",
     ],
 )
 
@@ -36,7 +48,7 @@ go_test(
         "frontend_admitter_test.go",
         "idle_disconnect_connection_test.go",
         "main_test.go",
-        "proxy_test.go",
+        "proxy_handler_test.go",
         "server_test.go",
     ],
     data = [
@@ -48,16 +60,24 @@ go_test(
     tags = ["broken_in_bazel"],
     deps = [
         "//pkg/base",
+        "//pkg/ccl/kvccl/kvtenantccl",
+        "//pkg/ccl/sqlproxyccl/tenant",
         "//pkg/ccl/utilccl",
+        "//pkg/roachpb",
         "//pkg/security",
         "//pkg/security/securitytest",
         "//pkg/server",
+        "//pkg/sql",
+        "//pkg/sql/pgwire",
         "//pkg/testutils",
         "//pkg/testutils/serverutils",
         "//pkg/testutils/sqlutils",
         "//pkg/testutils/testcluster",
         "//pkg/util/leaktest",
+        "//pkg/util/log",
         "//pkg/util/randutil",
+        "//pkg/util/stop",
+        "//pkg/util/syncutil",
         "//pkg/util/timeutil",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_jackc_pgconn//:pgconn",

pkg/ccl/sqlproxyccl/authentication.go

@@ -14,7 +14,10 @@ import (
 	"github.com/jackc/pgproto3/v2"
 )
 
-func authenticate(clientConn, crdbConn net.Conn) error {
+// authenticate handles the startup of the pgwire protocol to the point where
+// the connections is considered authenticated. If that doesn't happen, it
+// returns an error.
+var authenticate = func(clientConn, crdbConn net.Conn) error {
 	fe := pgproto3.NewBackend(pgproto3.NewChunkReader(clientConn), clientConn)
 	be := pgproto3.NewFrontend(pgproto3.NewChunkReader(crdbConn), crdbConn)
 
@@ -26,26 +29,26 @@ func authenticate(clientConn, crdbConn net.Conn) error {
 		// TODO(spaskob): in verbose mode, log these messages.
 		backendMsg, err := be.Receive()
 		if err != nil {
-			return NewErrorf(CodeBackendReadFailed, "unable to receive message from backend: %v", err)
+			return newErrorf(codeBackendReadFailed, "unable to receive message from backend: %v", err)
 		}
 
 		err = fe.Send(backendMsg)
 		if err != nil {
-			return NewErrorf(
-				CodeClientWriteFailed, "unable to send message %v to client: %v", backendMsg, err,
+			return newErrorf(
+				codeClientWriteFailed, "unable to send message %v to client: %v", backendMsg, err,
 			)
 		}
 
 		// Decide what to do based on the type of the server response.
 		switch tp := backendMsg.(type) {
 		case *pgproto3.ReadyForQuery:
 			// Server has authenticated the connection successfully and is ready to
-			// serve queries.
+			// Serve queries.
 			return nil
 		case *pgproto3.AuthenticationOk:
 			// Server has authenticated the connection; keep reading messages until
 			// `pgproto3.ReadyForQuery` is encountered which signifies that server
-			// is ready to serve queries.
+			// is ready to Serve queries.
 		case *pgproto3.ParameterStatus:
 			// Server sent status message; keep reading messages until
 			// `pgproto3.ReadyForQuery` is encountered.
@@ -55,7 +58,7 @@ func authenticate(clientConn, crdbConn net.Conn) error {
 		case *pgproto3.ErrorResponse:
 			// Server has rejected the authentication response from the client and
 			// has closed the connection.
-			return NewErrorf(CodeAuthFailed, "authentication failed: %v", backendMsg)
+			return newErrorf(codeAuthFailed, "authentication failed: %v", backendMsg)
 		case
 			*pgproto3.AuthenticationCleartextPassword,
 			*pgproto3.AuthenticationMD5Password,
@@ -64,17 +67,17 @@ func authenticate(clientConn, crdbConn net.Conn) error {
 			// Read the client response and forward it to server.
 			fntMsg, err := fe.Receive()
 			if err != nil {
-				return NewErrorf(CodeClientReadFailed, "unable to receive message from client: %v", err)
+				return newErrorf(codeClientReadFailed, "unable to receive message from client: %v", err)
 			}
 			err = be.Send(fntMsg)
 			if err != nil {
-				return NewErrorf(
-					CodeBackendWriteFailed, "unable to send message %v to backend: %v", fntMsg, err,
+				return newErrorf(
+					codeBackendWriteFailed, "unable to send message %v to backend: %v", fntMsg, err,
 				)
 			}
 		default:
-			return NewErrorf(CodeBackendDisconnected, "received unexpected backend message type: %v", tp)
+			return newErrorf(codeBackendDisconnected, "received unexpected backend message type: %v", tp)
 		}
 	}
-	return NewErrorf(CodeBackendDisconnected, "authentication took more than %d iterations", i)
+	return newErrorf(codeBackendDisconnected, "authentication took more than %d iterations", i)
 }