ccl/sqlproxyccl: CC code migration to DB

Previsouly the sql proxy code was in the CC repo. This was making the
testing of the proxy against a live SQL server hard and was also
requiring a frequent cockroach repo bumps in case of changes.
This moves all the code from the CC report to the DB repo so now the
proxy is part of the cockroach executable.

More detailed list of changed:
* The old, sample star-proxy code has been retired in favor of the code
  moving over from the CC repo.
* The code that handles individual connections to the backend has been
  separated into a new ProxyHandler. Added tests for the proxy handler.
* BackendConfig has been retired.
* Using stop.Stopper to control the shutdown of the proxy.
* Added a command under mt that can be used to run the test directory
  server.
* Added proxy options to control idle timeout, rate limits, config
  options, use of directory server etc.
* Added code to monitor and handle os signals (HUP, TERM, INT).
* Intergated the cert manager so the certificates can be reloaded on
  external signal.
* Fixed the SQL tenant process so now the idle timeout causes the
  stopper to quiesce and the process to terminate successfuly.
* Set up the logging for the new proxy.
* Added a self-signed cert type to the cert manager to be used when
  testing secure connections witout generating explicit key/cert files.
* Moved the HookGlobal code from CC that can be used for temporary hooks
  during testing.

Here is how to test end to end the proxy, SQL tenant and host server,
using the test directory:
```
./cockroach start-single-node --insecure --log="{sinks: {stderr: {filter: info}}}"

./cockroach mt test-directory --port 36257 --log="{sinks: {stderr: {filter: info}}}"

./cockroach mt start-proxy --directory=:36257 --listen-metrics=:8081 --log="{sinks: {stderr: {filter: info}}}" --insecure

./cockroach sql  --url="postgresql://[email protected]:46257/dim-dog-2.defaultdb" --insecure
```

Release note: None

pkg/BUILD.bazel

@@ -27,6 +27,7 @@ ALL_TESTS = [
     "//pkg/ccl/sqlproxyccl/cache:cache_test",
     "//pkg/ccl/sqlproxyccl/denylist:denylist_test",
     "//pkg/ccl/sqlproxyccl/tenant:tenant_test",
+    "//pkg/ccl/sqlproxyccl/tenantdirsvr:tenantdirsvr_test",
     "//pkg/ccl/sqlproxyccl:sqlproxyccl_test",
     "//pkg/ccl/storageccl/engineccl:engineccl_test",
     "//pkg/ccl/storageccl:storageccl_test",

pkg/ccl/cliccl/BUILD.bazel

@@ -7,7 +7,6 @@ go_library(
         "debug.go",
         "debug_backup.go",
         "demo.go",
-        "mtproxy.go",
         "start.go",
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/cliccl",
@@ -19,7 +18,6 @@ go_library(
         "//pkg/ccl/backupccl",
         "//pkg/ccl/baseccl",
         "//pkg/ccl/cliccl/cliflagsccl",
-        "//pkg/ccl/sqlproxyccl",
         "//pkg/ccl/storageccl",
         "//pkg/ccl/storageccl/engineccl/enginepbccl:enginepbccl_go_proto",
         "//pkg/ccl/workloadccl/cliccl",
@@ -53,12 +51,9 @@ go_library(
         "//pkg/util/timeutil/pgdate",
         "//pkg/util/uuid",
         "@com_github_cockroachdb_apd_v2//:apd",
-        "@com_github_cockroachdb_cmux//:cmux",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_errors//oserror",
-        "@com_github_jackc_pgproto3_v2//:pgproto3",
         "@com_github_spf13_cobra//:cobra",
-        "@org_golang_x_sync//errgroup",
     ],
 )
 

pkg/ccl/sqlproxyccl/BUILD.bazel

@@ -11,20 +11,31 @@ go_library(
         "idle_disconnect_connection.go",
         "metrics.go",
         "proxy.go",
+        "proxy_handler.go",
         "server.go",
         ":gen-errorcode-stringer",  # keep
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/sqlproxyccl",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/ccl/sqlproxyccl/admitter",
+        "//pkg/ccl/sqlproxyccl/cache",
+        "//pkg/ccl/sqlproxyccl/denylist",
+        "//pkg/ccl/sqlproxyccl/tenant",
+        "//pkg/roachpb",
+        "//pkg/security/certmgr",
+        "//pkg/util",
         "//pkg/util/contextutil",
         "//pkg/util/httputil",
         "//pkg/util/log",
         "//pkg/util/metric",
+        "//pkg/util/stop",
         "//pkg/util/syncutil",
         "//pkg/util/timeutil",
         "@com_github_cockroachdb_errors//:errors",
+        "@com_github_cockroachdb_logtags//:logtags",
         "@com_github_jackc_pgproto3_v2//:pgproto3",
+        "@org_golang_google_grpc//:go_default_library",
     ],
 )
 
@@ -36,7 +47,7 @@ go_test(
         "frontend_admitter_test.go",
         "idle_disconnect_connection_test.go",
         "main_test.go",
-        "proxy_test.go",
+        "proxy_handler_test.go",
         "server_test.go",
     ],
     data = [
@@ -58,6 +69,7 @@ go_test(
         "//pkg/testutils/testcluster",
         "//pkg/util/leaktest",
         "//pkg/util/randutil",
+        "//pkg/util/stop",
         "//pkg/util/timeutil",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_jackc_pgconn//:pgconn",

pkg/ccl/sqlproxyccl/authentication.go

@@ -14,7 +14,10 @@ import (
 	"github.com/jackc/pgproto3/v2"
 )
 
-func authenticate(clientConn, crdbConn net.Conn) error {
+// Authenticate handles the startup of the pgwire protocol to the point where
+// the connections is considered authenticated. If that doesn't happen, it
+// returns an error.
+var Authenticate = func(clientConn, crdbConn net.Conn) error {
 	fe := pgproto3.NewBackend(pgproto3.NewChunkReader(clientConn), clientConn)
 	be := pgproto3.NewFrontend(pgproto3.NewChunkReader(crdbConn), crdbConn)
 

pkg/ccl/sqlproxyccl/authentication_test.go

@@ -33,7 +33,7 @@ func TestAuthenticateOK(t *testing.T) {
 		require.Equal(t, beMsg, &pgproto3.ReadyForQuery{})
 	}()
 
-	require.NoError(t, authenticate(srv, cli))
+	require.NoError(t, Authenticate(srv, cli))
 }
 
 func TestAuthenticateClearText(t *testing.T) {
@@ -75,7 +75,7 @@ func TestAuthenticateClearText(t *testing.T) {
 		require.Equal(t, beMsg, &pgproto3.ReadyForQuery{})
 	}()
 
-	require.NoError(t, authenticate(srv, cli))
+	require.NoError(t, Authenticate(srv, cli))
 }
 
 func TestAuthenticateError(t *testing.T) {
@@ -93,11 +93,11 @@ func TestAuthenticateError(t *testing.T) {
 		require.Equal(t, beMsg, &pgproto3.ErrorResponse{Severity: "FATAL", Code: "foo"})
 	}()
 
-	err := authenticate(srv, cli)
+	err := Authenticate(srv, cli)
 	require.Error(t, err)
 	codeErr := (*CodeError)(nil)
 	require.True(t, errors.As(err, &codeErr))
-	require.Equal(t, CodeAuthFailed, codeErr.code)
+	require.Equal(t, CodeAuthFailed, codeErr.Code)
 }
 
 func TestAuthenticateUnexpectedMessage(t *testing.T) {
@@ -115,9 +115,9 @@ func TestAuthenticateUnexpectedMessage(t *testing.T) {
 		require.Equal(t, beMsg, &pgproto3.BindComplete{})
 	}()
 
-	err := authenticate(srv, cli)
+	err := Authenticate(srv, cli)
 	require.Error(t, err)
 	codeErr := (*CodeError)(nil)
 	require.True(t, errors.As(err, &codeErr))
-	require.Equal(t, CodeBackendDisconnected, codeErr.code)
+	require.Equal(t, CodeBackendDisconnected, codeErr.Code)
 }

pkg/ccl/sqlproxyccl/backend_dialer.go

@@ -19,7 +19,7 @@ import (
 
 // BackendDial is an example backend dialer that does a TCP/IP connection
 // to a backend, SSL and forwards the start message.
-func BackendDial(
+var BackendDial = func(
 	msg *pgproto3.StartupMessage, outgoingAddress string, tlsConfig *tls.Config,
 ) (net.Conn, error) {
 	conn, err := net.Dial("tcp", outgoingAddress)

pkg/ccl/sqlproxyccl/error.go

@@ -85,18 +85,18 @@ const (
 // CodeError is combines an error with one of the above codes to ease
 // the processing of the errors.
 type CodeError struct {
-	code ErrorCode
+	Code ErrorCode
 	err  error
 }
 
 func (e *CodeError) Error() string {
-	return fmt.Sprintf("%s: %s", e.code, e.err)
+	return fmt.Sprintf("%s: %s", e.Code, e.err)
 }
 
 // NewErrorf returns a new CodeError out of the supplied args.
 func NewErrorf(code ErrorCode, format string, args ...interface{}) error {
 	return &CodeError{
-		code: code,
+		Code: code,
 		err:  errors.Errorf(format, args...),
 	}
 }