
cli: tests unable to establish a GRPC connections in secure tenant SQL servers #77173

@abarganier


Describe the problem

When trying to test the debug zip command against a tenant server in unit tests with --insecure=false mode, SSL authentication fails when trying to establish a gRPC connection.

establishing RPC connection to ...
ERROR: SSL authentication error while connecting.
initial connection heartbeat failed: rpc error: ...

We should fix the underlying test infrastructure to support testing in secure mode. For this specific case, testing in secure mode is necessary because the insertion of a TenantID into a context.Context is coupled to the TLS authentication.

To Reproduce

What did you do? Describe in your own words.

If possible, provide steps to reproduce the behavior:

  1. Open pkg/cli/zip_tenant_test.go which contains TestTenantZip, the test in question.
  2. Set Insecure: false in the TestCLIParams
  3. Modify CreateTestCerts in pkg/security/securitytest/testcerts.go. Add the following entries to the assets slice to pull in the relevant tenant cert files. Without this, the tenant server fails to start as it depends on these certificate files.
       filepath.Join(security.EmbeddedCertsDir, "client-tenant.10.crt"),
       filepath.Join(security.EmbeddedCertsDir, "client-tenant.10.key"),
  4. Update the TestTenantArgs in testutils.go. Set the SSLCertsDir to the directory that CreateTestCerts loaded its files into (back in step 3). This is done as part of the storage server config.
  5. Run TestTenantZip, observe the error that occurs in the handler within zip.go when trying to establish a gRPC connection.

Expected behavior
The zip CLI command should be able to successfully establish a gRPC connection when the tenant is running in secure mode.

Additional data / screenshots
A couple additional details are worth noting:

  • The tenant, host, and client are sharing the same temporary directory as SSLCertsDir. I'm in the process of creating separation here to see if it makes a difference.
  • Logging around establishment of a gRPC connection is lacking, which makes it difficult to understand the root cause of this issue.
  • Enabling testingConnLogEnabled and/or testingAuthLogEnabled on the pgWire server within the tenant did not provide any additional insight.

Jira issue: CRDB-13447

Epic CRDB-31933
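
The coupling noted in the issue (a TenantID reaches the context.Context only through TLS authentication), shown as an added example that is not CockroachDB's code and not part of the original issue. The names withTenantFromTLS, tenantKey and constructedState are hypothetical, and the OU=Tenants / CN=<tenant ID> certificate layout is an assumption of this example.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strconv"
)

// tenantKey is a hypothetical context key, not CockroachDB's own.
type tenantKey struct{}

// Assumed convention: tenant client certs carry OU=Tenants and CN=<tenant ID>.
const tenantOU = "Tenants"

// withTenantFromTLS stores the tenant ID from the verified peer certificate in
// ctx. Without TLS state (insecure mode) there is no ID to derive: fail closed.
func withTenantFromTLS(ctx context.Context, cs *tls.ConnectionState) (context.Context, error) {
	if cs == nil || len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return ctx, errors.New("no verified client certificate: tenant ID unavailable")
	}
	leaf := cs.VerifiedChains[0][0]
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if ou == tenantOU {
			id, err := strconv.ParseUint(leaf.Subject.CommonName, 10, 64)
			if err != nil || id == 0 {
				return ctx, fmt.Errorf("invalid tenant ID in CN %q", leaf.Subject.CommonName)
			}
			return context.WithValue(ctx, tenantKey{}, id), nil
		}
	}
	return ctx, errors.New("client certificate is not a tenant certificate")
}

// constructedState builds sample TLS state in memory (constructed, no handshake).
func constructedState(cn string, ous ...string) *tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ous}}
	return &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	ctx, err := withTenantFromTLS(context.Background(), constructedState("10", tenantOU))
	fmt.Println(ctx.Value(tenantKey{}), err)
	_, err = withTenantFromTLS(context.Background(), nil) // insecure mode: no TLS state
	fmt.Println(err)
}
```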

Labels

  • A-multitenancy: Related to multi-tenancy
  • C-bug: Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.
  • C-cleanup: Tech debt, refactors, loose ends, etc. Solution not expected to significantly change behavior.
  • T-multitenant: Issues owned by the multi-tenant virtual team
