roachprod: Clusters should default to secure

[rmloveland]

Maybe it is insecure by default because it was faster to build it that way. (Totes understandable.)

However, if there are other reasons, e.g., default-secure clusters would break use cases and make things harder for internal folks, then that could be a great incentive to make it easier to do the right thing!

Suggestion: flip the default, and if internal users need an insecure cluster, they need to pass --insecure and we print the same warning we provide to our users. Delicious dog food!

(Filing because my experience working on adding secure options to the "Build an App" docs is teaching me that (at least from Java) doing it the "right way" is quite complex! But in the bad, uninteresting, fiddly and hard-to-get-right way, not in any of the good ways.)

Epic CRDB-10428

Jira issue: CRDB-5690

[petermattis]

@rmloveland Insecure was the default initially, and when support for --secure was added we never changed the default. If we change the default, we either need to fix roachtest to be able to work properly against secure clusters, or have it pass --insecure for the clusters it creates. The one annoyance I'm aware of with default-secure clusters is having to dismiss the browser warning about the cert when visiting the admin UI.

[jlinder]

I'm putting this to the side for a bit to work on #33377. Here's status notes on progress:

• Changes are on a branch:
  https://github.com/jlinder/cockroach/tree/jhl/roachprod-default-secure

• Changes already made include:

  • switched roachprod to be secure by default
  • updated the majority of roachtest to default to using secure roachprod clusters
  • added --insecure flag to roachtest to use insecure roachprod clusters

• There is still a bunch of testing that needs to be done for roachtest by
  running the different test suites and fixing the issues that arise. Possibly
  get all the tests to be run via teamcity on this branch. At least these tests
  have issues that need fixing:

  • kv/quiescence/nodes=3
  • kv/contention/nodes=4

[rafiss]

Just reflagging this issue, as I think it's still very relevant. I'm curious if there are any plans to return to this. I am specifically thinking of nightly testing. It would go a long way towards dogfooding and making sure our tests reflect realistic usage.

Some related work: The SQL Experience team is working on a new roachtest in #62166 and in order for the test to really be valuable, we need a secure cluster. See the PR for a new --secure flag that is being added to workload

Also, I believe in the future cockroach --insecure will go away (#53404), but @knz or @aaron-crl can talk more about those plans.

cc @jlinder @kenliu

[knz]

Yes so I would say this issue is relevant, and in an ideal world we would leverage the new cockroach connect command so that the roachtest code doesn't have to deal with cert creation and distribution itself. So I would say let's come back to this once the cockorach connect command gets out of alpha/beta testing.