roachprod: default to secure clusters unless GCE cockroach-ephemeral

[golgeek]

Since #147737, to ease testing for engineering teams, roachprod defaults to insecure clusters. This change has led to security impact for other entities at CRL.

This patch brings smart selection of secure vs. insecure cluster depending on the Cloud project the cluster is provisionned in. If the cluster is provisionned in the engineering's ephemeral GCP project, it will default to insecure, while all other configurations will default to secure.

In order to achieve that, and because this depends on the cluster's configuration that is not available at the CLI package level, the CLI now keeps track of the user's arguments (--secure, --insecure, default) and passes the information to the roachprod library.

Epic: none
Release note: None

[cockroach-teamcity]

This change is 

[golgeek]

No flag, cockroach-ephemeral cluster, -> insecure:

➜  cockroach git:(ludo/secure-clusters) ✗ ./bin/roachprod start "${CLUSTER}"
WARN: cluster ludoleroux-test defaults to insecure, because it is in project cockroach-ephemeral
2025/08/01 21:07:07 cockroach.go:620: ludoleroux-test (system): starting cockroach processes
2025/08/01 21:07:07 cockroach.go:936: starting node 1

Secure flag, cockroach-ephemeral cluster, -> secure:

➜  cockroach git:(ludo/secure-clusters) ✗ ./bin/roachprod start "${CLUSTER}" --secure
2025/08/01 21:07:37 cluster_synced.go:1605: ludoleroux-test: checking certs.tar
ludoleroux-test: initializing certs 1/1 
ludoleroux-test: distributing certs 0/0 
2025/08/01 21:07:43 cockroach.go:620: ludoleroux-test (system): starting cockroach processes
2025/08/01 21:07:43 cockroach.go:936: starting node 1

No flag, non cockroach-ephemeral cluster (AWS), -> secure:

➜  cockroach git:(ludo/secure-clusters) ✗ ./bin/roachprod start "${CLUSTER}-aws"
2025/08/01 21:14:14 cockroach.go:574: WARNING: Service registration and custom ports are not supported for this cluster.
Setting ports to default SQL Port: 26257, and Admin UI Port: 26258.
Attempting to start any additional external SQL processes will fail.
2025/08/01 21:14:14 cluster_synced.go:1605: ludoleroux-test-aws: checking certs.tar
ludoleroux-test-aws: initializing certs 1/1 
ludoleroux-test-aws: distributing certs 0/0 
2025/08/01 21:14:19 cockroach.go:620: ludoleroux-test-aws (system): starting cockroach processes
2025/08/01 21:14:19 cockroach.go:936: starting node 1

Insecure flag, non-cockroach-ephemeral cluster (AWS), -> insecure:

➜  cockroach git:(ludo/secure-clusters) ✗ ./bin/roachprod start "${CLUSTER}-aws" --insecure
2025/08/01 21:15:51 cockroach.go:574: WARNING: Service registration and custom ports are not supported for this cluster.
Setting ports to default SQL Port: 26257, and Admin UI Port: 26258.
Attempting to start any additional external SQL processes will fail.
2025/08/01 21:15:51 cockroach.go:620: ludoleroux-test-aws (system): starting cockroach processes
2025/08/01 21:15:51 cockroach.go:936: starting node 1

[golgeek]

TC runs:

• GCE
• AWS

[herkolategan]

I understand passing a tri-state value to convey if the user explicitly intended to set secure, otherwise we infer it based on context. But since the only context that we really need to infer it is at CLI level, could we not use this https://github.com/cockroachdb/cockroach/blob/master/pkg/cmd/roachprod/cli/util.go#L140, and determine if someone is passing a project or set the env var for a project that we change the default behaviour. Then it will automatically trickle through to the roachprod library, which then doesn't have to care about intent?

Since they won't be able to access their cluster without setting the correct project in any case? And if the project is set we can infer the default at CLI level?

[herkolategan]

Nit: Having a hidden flag hitching a ride on ClusterSettings here has me a bit worried. I kind of liked the fact that ClusterSettings was a pure exported struct without any hidden tricks.

[golgeek]

I understand passing a tri-state value to convey if the user explicitly intended to set secure, otherwise we infer it based on context. But since the only context that we really need to infer it is at CLI level, could we not use this https://github.com/cockroachdb/cockroach/blob/master/pkg/cmd/roachprod/cli/util.go#L140, and determine if someone is passing a project or set the env var for a project that we change the default behaviour. Then it will automatically trickle through to the roachprod library, which then doesn't have to care about intent?

Since they won't be able to access their cluster without setting the correct project in any case? And if the project is set we can infer the default at CLI level?

Not sure I understand your point.

The issue that forced me to pass a tri-state value is that the cluster start operation applies to an already created cluster, and is 100% decorrelated from the cluster creation.

In a nutshel:

1. you create a cluster in a project (we have the info)
2. [you stage]
3. you start your cluster, potentially specifying if you want to force secure or insecure, but without specifying the project the cluster resides in

At step 3, the cli doesn't know about the project the cluster lives in and cannot pre-compute a default applied to the project. So it could pass a general secure, but the roachprod libray then has no way of determining if it's a default secure or a CLI forced secure, which is important in cockroach-ephemeral as default would be insecure unless --secure was forced.

[herkolategan]

Not sure I understand your point.
The issue that forced me to pass a tri-state value is that the cluster start operation applies to an already created cluster, and is 100% decorrelated from the cluster creation.

You're right, forgot about that aspect. In my mind to run "start" (or any other command) on the cluster in question you have to have to pass the project as well, but forgot the cluster cache keeps that info, so you don't have to.

I'll take another pass in a minute :)

[herkolategan]

I might be nitpicking now, and I may have some ulterior motives to avoid a conflict on ClusterSettingOption with one of my PRs... but hear me out:

Could roachprod.go not provide an exported function call that retrieves a cluster's info. And then the CLI can in Wrap(...) [1] make that call? Would also be a good way to fail early on, on a non-existent cluster?

But it may still be a significant change since any command that uses "secure" would need to be updated to pass the cluster name, usually arg 0, to Wrap [1] - so that it can do the default secure logic.

I could be wrong, but I think most or all of the operations would use the cache, so it wouldn't be an expensive call, and then the decision can be made on the CLI?

[1] master/pkg/cmd/roachprod/cli/util.go#L140 / https://github.com/cockroachdb/cockroach/blob/master/pkg/cmd/roachprod/cli/util.go#L106

[golgeek]

Could roachprod.go not provide an exported function call that retrieves a cluster's info. And then the CLI can in Wrap(...) [1] make that call? Would also be a good way to fail early on, on a non-existent cluster?

Took the night to reflect on it, and I do feel like it's putting a lot of (too much?) intelligence into the CLI.

Making the decision on a default behavior depending on a cluster state is a business rule and not user-defined.
The day we expose roachprod with a different entrypoint (as an API --or a desktop app!--), the same rule has to apply across all entrypoints. On a much more realistic outcome, if the CLI becomes a mere HTTP wrapper that queries a central service having this kind of rules in the central service prevents outdated clients to still spawn default insecure clusters when we switch the rule.

If what really bothers you is the addition of this dual-state or tri-state boolean in the install.ClusterSettingOption interface, I guess I could try and refactor to extract it from the ClusterSettings. Though it would require adding an extra argument to a ton of funcs.

[herkolategan]

can replace apply(settings *ClusterSettings) with ClusterSettingOption inline, to make the composition clear that SecureOption is a ClusterSettingOption

[golgeek]

Not really, or it wouldn't satisfy the ClusterSettingOptions interface anymore:

// ClusterSettingOption is the interface satisfied by options to MakeClusterSettings.
type ClusterSettingOption interface {
	apply(settings *ClusterSettings)
}

[herkolategan]

Pretty sure this works:

type SecureOption interface {
	ClusterSettingOption
	compute(c *SyncedCluster) error
}

Checked out the PR to confirm and run tests.

[herkolategan]

This will ensure if someone updates ClusterSettingOption, that your option inherits the changes (i.e., it would provide better hints that the implementation needs to be updated).

[golgeek]

Oh! Smart! Thanks!
I thought you wanted to change the signature of the apply() method on the SecureOption interface :)

Edit: updated

[herkolategan]

I guess this all boils down to the fact that we don't store any state, especially cockroach related state. It's the same issue we had with managing tenants / virtual clusters, and opted to store the state in DNS records. It tends to create a mess with defaults regarding different scenarios. The onus is placed on the user to remember details about the cluster, and if not we need to infer what we think the properties of the cluster is based on some context.

The 3 states of Secure is actually: (true, false, guess based on context). The last entry is still a best guess since an older version of roachprod could have been used to create the cluster. When we move to some kind of central state I reckon there would be no need for any of this hopefully.

I'm not opposed to the solution in this PR. It just felt a bit heavy to support a very specific use case, but given the current state of things there's likely no squeaky clean way around it.

[golgeek]

I guess this all boils down to the fact that we don't store any state, especially cockroach related state. It's the same issue we had with managing tenants / virtual clusters, and opted to store the state in DNS records. It tends to create a mess with defaults regarding different scenarios. The onus is placed on the user to remember details about the cluster, and if not we need to infer what we think the properties of the cluster is based on some context.

The 3 states of Secure is actually: (true, false, guess based on context). The last entry is still a best guess since an older version of roachprod could have been used to create the cluster. When we move to some kind of central state I reckon there would be no need for any of this hopefully.

I'm not opposed to the solution in this PR. It just felt a bit heavy to support a very specific use case, but given the current state of things there's likely no squeaky clean way around it.

Yep, I've restarted the work on centralized (very close to have an actual demo working), and hopefully keeping a state will become easier from there as we could migrate the state stored in DNS to the service (as well as compute the DNS zone for A records in the service).

This is intended as a stop gap PR, though we all know what stop gap usually means.......

[herkolategan]

LGTM, I tried to think of a different approach, but nothing especially cleaner comes to mind.

I did wonder for a second if we should make the "main/exported" option (ClusterSettings.Secure) on the struct itself have multiple states {True, False, Default}, and then compute at the last minute where we need to convert Default -> True or False. But this would probably result in a much larger foot print to keep track of.

[srosenberg]

Nit: compute is somewhat ambiguous relative to apply. It also doesn't actually compute much. How about making it into,

overrideForCluster(c *SyncedCluster) error)

[golgeek]

Went with the verbose overrideBasedOnClusterSettings(c *SyncedCluster) error).

[srosenberg]

Nit: for brevity, could fold the nullity check into the method.

[golgeek]

As this is an interface, this method is bound to have multiple implementation, so this check being implemented multiple times vs. the single call. It feels safer to implement it there once and for all.

[srosenberg]

Nit: this could spam the log multiple times. E.g., I see it twice during roachprod start; the second time is during updatePrometheusTargets. Maybe we could suppress it by persisting the override into the cluster metadata (i.e., *cloud.Cluster)?

[golgeek]

Feels like a much more involved project. Let's revisit and store the secure state of a cluster when we implement a service registry? Or in a subsequent PR if logging verbosity is getting out of hand.

[golgeek]

TFTRs!

bors r=herkolategan,srosenberg

[craig]

Build succeeded:

• examples_orms
• linux_amd64_fips_build
• lint
• check_generated_code
• docker_image_amd64
• unit_tests
• local_roachtest
• linux_amd64_build
• acceptance
• local_roachtest_fips