roachprod: default --insecure to true

[srosenberg]

As of [1], [2], roachprod defaulted to
"secure" mode to keep it in one-to-one
correspondence with roachtest. However,
upon further reflection (see an internal thread [3]),
"secure mode" adds an unnecessary friction.

As of this change, roachprod now defaults to
"insecure" mode while roachtest continues to
default to "secure". Further, drtprod also
continues to default to "secure" mode.

[1] #123593
[2] #123826
[3] https://cockroachlabs.slack.com/archives/C023S0V4YEB/p1748888536180379?thread_ts=1724452649.312729&cid=C023S0V4YEB

Epic: none

Release note: None

[cockroach-teamcity]

This change is 

[DarrylWong]

Change LGTM but I think we still want DRT clusters to be secure right?

[srosenberg]

Change LGTM but I think we still want DRT clusters to be secure right?

They were previously "insecure" because of the missing wrapper, which enables "secure" via a side-effect [1]. @nameisbhaskar fyi

[1]

cockroach/pkg/cmd/roachprod/cli/util.go

Line 109 in 4fbdf6d

isSecure, err = isSecureCluster(cmd)

[DarrylWong]

My understanding of the drtprod wrapper is that it's mainly used to call the execute yaml command. The yaml execution itself invokes a roachprod binary which does correctly check isSecureCluster.

My comment was more so referring to the fact the DRP folks may want to update their scripts to pass in a secure flag when creating a cluster, e.g.:

diff --git a/pkg/cmd/drtprod/configs/drt_scale_300.yaml b/pkg/cmd/drtprod/configs/drt_scale_300.yaml
index 3f3bc3955d8..260808e6bd6 100644
--- a/pkg/cmd/drtprod/configs/drt_scale_300.yaml
+++ b/pkg/cmd/drtprod/configs/drt_scale_300.yaml
@@ -28,6 +28,7 @@ targets:
         args:
           - $CLUSTER
         flags:
+          secure: true

or better yet have some configurable global default for DRT clusters.

[srosenberg]

My understanding of the drtprod wrapper is that it's mainly used to call the execute yaml command. The yaml execution itself invokes a roachprod binary which does correctly check isSecureCluster.

I don't think it does (see GetYamlProcessor). Prior to this PR, if you run roachprod ... you get "secure" mode by default and "insecure" with drtprod.

[nameisbhaskar]

LGTM!

[nameisbhaskar]

My understanding of the drtprod wrapper is that it's mainly used to call the execute yaml command. The yaml execution itself invokes a roachprod binary which does correctly check isSecureCluster.

I don't think it does (see GetYamlProcessor). Prior to this PR, if you run roachprod ... you get "secure" mode by default and "insecure" with drtprod.

Yes, we will have to change all the YAML configurations to include this secure flag.

[srosenberg]

I don't think it does (see GetYamlProcessor). Prior to this PR, if you run roachprod ... you get "secure" mode by default and "insecure" with drtprod.

That wasn't quite right. The YamlProcessor defaults to passing secure=true into roachprod.Run, so we don't really need to update any of the existing yaml. In drtprod/cli.Init we now set COCKROACH_ROACHPROD_INSECURE=false to preserve the "secure" mode as default. Thus, both commands and yaml will continue to default to "secure", whereas roachprod commands will default to "insecure". PTAL!

[srosenberg]

Smoke Test -- SELECT_PROBABILITY=0.4

[srosenberg]

TFTR!

bors r=herkolategan,darrylwong,nameisbhaskar

[craig]

This PR was included in a batch that successfully built, but then failed to merge into master (it was a non-fast-forward update). It will be automatically retried.

[craig]

Build succeeded:

• linux_amd64_build
• local_roachtest
• check_generated_code
• linux_amd64_fips_build
• acceptance
• unit_tests
• local_roachtest_fips
• lint
• examples_orms
• docker_image_amd64