chore(proxy): refactor self-signed config (#10154)

## Problem While reviewing #10152 I found it tricky to actually determine whether the connection used `allow_self_signed_compute` or not. I've tried to remove this setting in the past: * https://github.com/neondatabase/neon/pull/7884 * https://github.com/neondatabase/neon/pull/7437 * https://github.com/neondatabase/cloud/pull/13702 But each time it seems it is used by e2e tests ## Summary of changes The `node_info.allow_self_signed_computes` is always initialised to false, and then sometimes inherits the proxy config value. There's no need this needs to be in the node_info, so removing it and propagating it via `TcpMechansim` is simpler.
2026-06-04 22:10:39 +00:00 · 2024-12-16 11:15:25 +00:00
parent ebcbc1a482
commit 24d6587914
11 changed files with 20 additions and 30 deletions
--- a/proxy/src/auth/backend/console_redirect.rs
+++ b/proxy/src/auth/backend/console_redirect.rs
@@ -187,7 +187,6 @@ async fn authenticate(
        NodeInfo {
            config,
            aux: db_info.aux,
-            allow_self_signed_compute: false, // caller may override
        },
        db_info.allowed_ips,
    ))
--- a/proxy/src/auth/backend/local.rs
+++ b/proxy/src/auth/backend/local.rs
@@ -37,7 +37,6 @@ impl LocalBackend {
                    branch_id: BranchIdTag::get_interner().get_or_intern("local"),
                    cold_start_info: ColdStartInfo::WarmCached,
                },
-                allow_self_signed_compute: false,
            },
        }
    }
--- a/proxy/src/console_redirect_proxy.rs
+++ b/proxy/src/console_redirect_proxy.rs
@@ -213,9 +213,9 @@ pub(crate) async fn handle_client<S: AsyncRead + AsyncWrite + Unpin>(
            params_compat: true,
            params: &params,
            locks: &config.connect_compute_locks,
+            allow_self_signed_compute: config.allow_self_signed_compute,
        },
        &user_info,
-        config.allow_self_signed_compute,
        config.wake_compute_retry_config,
        config.connect_to_compute_retry_config,
    )
--- a/proxy/src/control_plane/client/cplane_proxy_v1.rs
+++ b/proxy/src/control_plane/client/cplane_proxy_v1.rs
@@ -250,7 +250,6 @@ impl NeonControlPlaneClient {
            let node = NodeInfo {
                config,
                aux: body.aux,
-                allow_self_signed_compute: false,
            };

            Ok(node)
--- a/proxy/src/control_plane/client/mock.rs
+++ b/proxy/src/control_plane/client/mock.rs
@@ -174,7 +174,6 @@ impl MockControlPlane {
                branch_id: (&BranchId::from("branch")).into(),
                cold_start_info: crate::control_plane::messages::ColdStartInfo::Warm,
            },
-            allow_self_signed_compute: false,
        };

        Ok(node)
--- a/proxy/src/control_plane/mod.rs
+++ b/proxy/src/control_plane/mod.rs
@@ -67,28 +67,21 @@ pub(crate) struct NodeInfo {

    /// Labels for proxy's metrics.
    pub(crate) aux: MetricsAuxInfo,
-
-    /// Whether we should accept self-signed certificates (for testing)
-    pub(crate) allow_self_signed_compute: bool,
 }

 impl NodeInfo {
    pub(crate) async fn connect(
        &self,
        ctx: &RequestContext,
+        allow_self_signed_compute: bool,
        timeout: Duration,
    ) -> Result<compute::PostgresConnection, compute::ConnectionError> {
        self.config
-            .connect(
-                ctx,
-                self.allow_self_signed_compute,
-                self.aux.clone(),
-                timeout,
-            )
+            .connect(ctx, allow_self_signed_compute, self.aux.clone(), timeout)
            .await
    }
+
    pub(crate) fn reuse_settings(&mut self, other: Self) {
-        self.allow_self_signed_compute = other.allow_self_signed_compute;
        self.config.reuse_password(other.config);
    }

--- a/proxy/src/proxy/connect_compute.rs
+++ b/proxy/src/proxy/connect_compute.rs
@@ -73,6 +73,9 @@ pub(crate) struct TcpMechanism<'a> {

    /// connect_to_compute concurrency lock
    pub(crate) locks: &'static ApiLocks<Host>,
+
+    /// Whether we should accept self-signed certificates (for testing)
+    pub(crate) allow_self_signed_compute: bool,
 }

 #[async_trait]
@@ -90,7 +93,11 @@ impl ConnectMechanism for TcpMechanism<'_> {
    ) -> Result<PostgresConnection, Self::Error> {
        let host = node_info.config.get_host();
        let permit = self.locks.get_permit(&host).await?;
-        permit.release_result(node_info.connect(ctx, timeout).await)
+        permit.release_result(
+            node_info
+                .connect(ctx, self.allow_self_signed_compute, timeout)
+                .await,
+        )
    }

    fn update_connect_config(&self, config: &mut compute::ConnCfg) {
@@ -104,7 +111,6 @@ pub(crate) async fn connect_to_compute<M: ConnectMechanism, B: ComputeConnectBac
    ctx: &RequestContext,
    mechanism: &M,
    user_info: &B,
-    allow_self_signed_compute: bool,
    wake_compute_retry_config: RetryConfig,
    connect_to_compute_retry_config: RetryConfig,
 ) -> Result<M::Connection, M::Error>
@@ -117,7 +123,6 @@ where
        wake_compute(&mut num_retries, ctx, user_info, wake_compute_retry_config).await?;

    node_info.set_keys(user_info.get_keys());
-    node_info.allow_self_signed_compute = allow_self_signed_compute;
    mechanism.update_connect_config(&mut node_info.config);

    // try once
--- a/proxy/src/proxy/mod.rs
+++ b/proxy/src/proxy/mod.rs
@@ -355,9 +355,9 @@ pub(crate) async fn handle_client<S: AsyncRead + AsyncWrite + Unpin>(
            params_compat,
            params: &params,
            locks: &config.connect_compute_locks,
+            allow_self_signed_compute: mode.allow_self_signed_compute(config),
        },
        &user_info,
-        mode.allow_self_signed_compute(config),
        config.wake_compute_retry_config,
        config.connect_to_compute_retry_config,
    )
--- a/proxy/src/proxy/tests/mod.rs
+++ b/proxy/src/proxy/tests/mod.rs
@@ -553,7 +553,6 @@ fn helper_create_cached_node_info(cache: &'static NodeInfoCache) -> CachedNodeIn
            branch_id: (&BranchId::from("branch")).into(),
            cold_start_info: crate::control_plane::messages::ColdStartInfo::Warm,
        },
-        allow_self_signed_compute: false,
    };
    let (_, node2) = cache.insert_unit("key".into(), Ok(node.clone()));
    node2.map(|()| node)
@@ -588,7 +587,7 @@ async fn connect_to_compute_success() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap();
    mechanism.verify();
@@ -606,7 +605,7 @@ async fn connect_to_compute_retry() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap();
    mechanism.verify();
@@ -625,7 +624,7 @@ async fn connect_to_compute_non_retry_1() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap_err();
    mechanism.verify();
@@ -644,7 +643,7 @@ async fn connect_to_compute_non_retry_2() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap();
    mechanism.verify();
@@ -674,7 +673,6 @@ async fn connect_to_compute_non_retry_3() {
        &ctx,
        &mechanism,
        &user_info,
-        false,
        wake_compute_retry_config,
        connect_to_compute_retry_config,
    )
@@ -696,7 +694,7 @@ async fn wake_retry() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap();
    mechanism.verify();
@@ -715,7 +713,7 @@ async fn wake_non_retry() {
        max_retries: 5,
        backoff_factor: 2.0,
    };
-    connect_to_compute(&ctx, &mechanism, &user_info, false, config, config)
+    connect_to_compute(&ctx, &mechanism, &user_info, config, config)
        .await
        .unwrap_err();
    mechanism.verify();
--- a/proxy/src/redis/notifications.rs
+++ b/proxy/src/redis/notifications.rs
@@ -6,6 +6,7 @@ use pq_proto::CancelKeyData;
 use redis::aio::PubSub;
 use serde::{Deserialize, Serialize};
 use tokio_util::sync::CancellationToken;
+use tracing::Instrument;
 use uuid::Uuid;

 use super::connection_with_credentials_provider::ConnectionWithCredentialsProvider;
@@ -13,7 +14,6 @@ use crate::cache::project_info::ProjectInfoCache;
 use crate::cancellation::{CancelMap, CancellationHandler};
 use crate::intern::{ProjectIdInt, RoleNameInt};
 use crate::metrics::{Metrics, RedisErrors, RedisEventsCount};
-use tracing::Instrument;

 const CPLANE_CHANNEL_NAME: &str = "neondb-proxy-ws-updates";
 pub(crate) const PROXY_CHANNEL_NAME: &str = "neondb-proxy-to-proxy-updates";
--- a/proxy/src/serverless/backend.rs
+++ b/proxy/src/serverless/backend.rs
@@ -195,7 +195,6 @@ impl PoolingBackend {
                locks: &self.config.connect_compute_locks,
            },
            &backend,
-            false, // do not allow self signed compute for http flow
            self.config.wake_compute_retry_config,
            self.config.connect_to_compute_retry_config,
        )
@@ -237,7 +236,6 @@ impl PoolingBackend {
                locks: &self.config.connect_compute_locks,
            },
            &backend,
-            false, // do not allow self signed compute for http flow
            self.config.wake_compute_retry_config,
            self.config.connect_to_compute_retry_config,
        )