feat: use rsandbox as ProxySQL monitor, add R/W split proxy users (#69, #70)

[renecannao]

Summary

• Monitor user changed from msandbox (full privileges) to rsandbox (replication role) — only needs USAGE + REPLICATION CLIENT for health checks
• Proxy users now include three users for proper R/W split:
  • msandbox default_hostgroup=0 (general purpose)
  • msandbox_rw default_hostgroup=0 (explicit writer)
  • msandbox_ro default_hostgroup=1 (explicit reader)
• use_proxy script connects as msandbox (app user), not monitor user
• PostgreSQL backends keep single user (no R/W split users in PG)

Closes #69, closes #70

Test Plan

• All 10 unit tests pass
• Build succeeds
• Integration test script updated to verify rsandbox monitor + R/W users

Summary by CodeRabbit

• Changes

  • Updated ProxySQL monitor credentials from msandbox to rsandbox
  • MySQL configurations now use dedicated proxy user accounts (msandbox, msandbox_rw, msandbox_ro) for read/write split operations
  • PostgreSQL continues to use monitor user credentials

• Tests

  • Extended integration tests to validate new ProxySQL configuration credentials and proxy user entries

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

ProxySQL configuration generation now differentiates between PostgreSQL and MySQL backends. PostgreSQL deployments continue using a single monitor user from configuration, while MySQL deployments switch to three hardcoded proxy users (msandbox, msandbox_rw, msandbox_ro). The monitor user credentials are changed from msandbox to rsandbox across all configurations.

Changes

Cohort / File(s)	Summary
Core Configuration Logic providers/proxysql/config.go	Added conditional branching in GenerateConfig to emit different user entries based on isPgsql flag. PostgreSQL uses cfg.MonitorUser/cfg.MonitorPass for single user block; MySQL uses three hardcoded proxy users with assigned hostgroups.
Configuration Defaults and Sandbox Setup providers/proxysql/proxysql.go, sandbox/proxysql_topology.go	Changed default monitor user credentials from msandbox to rsandbox. MySQL proxy script generation now hardcodes msandbox credentials instead of using monitor credentials.
Testing Updates providers/proxysql/config_test.go, test/proxysql-integration-tests.sh	Updated test assertions to expect monitor_username="rsandbox". Added unit and integration test validations for three MySQL proxy users (msandbox, msandbox_rw, msandbox_ro) with correct hostgroup assignments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A sandbox tale with users new,
rsandbox guards while msandbox crew
_rw and _ro split the load,
ProxySQL hops down the MySQL road! 🛣️✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: switching to rsandbox as monitor user and adding R/W split proxy users.
Linked Issues check	✅ Passed	All objectives from #69 and #70 are met: rsandbox monitor user replaces msandbox, and three proxy users (msandbox, msandbox_rw, msandbox_ro) with proper hostgroups are configured.
Out of Scope Changes check	✅ Passed	All changes directly address the linked issues; no unrelated modifications are present beyond the scope of monitor user and R/W split proxy user configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch worktree-agent-ad524a08

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the ProxySQL provider to support read/write splitting for MySQL by introducing three distinct proxy users (msandbox, msandbox_rw, and msandbox_ro) while maintaining a single user for PostgreSQL. It also changes the default monitor credentials from msandbox to rsandbox across the configuration, scripts, and tests. Feedback highlights that the global change to rsandbox may break PostgreSQL compatibility and that hardcoding MySQL proxy users and credentials in the use_proxy script reduces flexibility and prevents users from customizing application credentials as they could previously.

[gemini-code-assist]

The default monitor user and password are changed to rsandbox globally. This will likely break PostgreSQL sandboxes, which typically use postgres or msandbox and do not recognize the rsandbox user or the MySQL-specific replication privileges mentioned in the PR description. The default should be conditional on the backend provider.

[gemini-code-assist]

The MySQL proxy users are now hardcoded to msandbox variants. This is inconsistent with the PostgreSQL implementation (lines 87-93) which still uses the configurable MonitorUser. This change prevents users from customizing the application user credentials via the monitor_user option as they could before. Consider allowing these to be configurable or at least using the monitor credentials as a fallback.

[gemini-code-assist]

The use_proxy script for MySQL hardcodes the username and password (-u msandbox -pmsandbox). This makes the script fragile if the user credentials in the configuration are ever changed. It also makes it difficult to override the user via command-line arguments as the hardcoded flags will still be present and may conflict with user-provided arguments.

[Copilot]

Pull request overview

This PR updates the ProxySQL addon configuration to use a least-privilege monitoring user and to introduce distinct ProxySQL frontend users for read/write split testing, while adjusting helper scripts and tests accordingly.

Changes:

• Switch ProxySQL monitor credentials from msandbox to rsandbox.
• Generate MySQL ProxySQL mysql_users entries for msandbox, msandbox_rw (HG0), and msandbox_ro (HG1) to support explicit R/W split.
• Update use_proxy script behavior and integration/unit tests to reflect the new monitor/proxy users.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
test/proxysql-integration-tests.sh	Updates integration checks to validate rsandbox monitoring and presence of msandbox_rw/msandbox_ro users.
sandbox/proxysql_topology.go	Changes ProxySQL deployment defaults to use rsandbox monitor credentials.
providers/proxysql/proxysql.go	Changes default monitor credentials and updates use_proxy script generation for MySQL to use msandbox.
providers/proxysql/config.go	Adjusts generated ProxySQL config: PostgreSQL keeps single user; MySQL gets three frontend users for R/W split.
providers/proxysql/config_test.go	Updates tests to expect rsandbox monitor user and asserts presence of the new MySQL frontend users.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

DeployProxySQLForTopology hard-codes monitor_user/monitor_password to rsandbox. This breaks --with-proxysql for PostgreSQL sandboxes (cmd/single.go passes backendProvider="postgresql" but PostgreSQL sandboxes use DbUser="postgres"), causing ProxySQL to be configured with a non-existent monitoring/frontend user. Please set monitor credentials based on backendProvider (e.g., default to postgres for postgresql) and/or accept monitor_user/monitor_password as inputs instead of hard-coding them here.

[Copilot]

GenerateConfig() now hard-codes MySQL frontend users/passwords to msandbox/msandbox (and msandbox_rw/msandbox_ro). This makes ProxySQL config incorrect when the sandbox is deployed with non-default --db-user/--db-password (the grants templates create these users with {{.DbUser}}/{{.DbPassword}}). Consider deriving these usernames/passwords from inputs (e.g., add fields to ProxySQLConfig or provider options for proxy user/password) so ProxySQL stays in sync with the sandbox credentials.

[Copilot]

The generated use_proxy script is now hard-coded to connect as msandbox/msandbox for MySQL. This will fail for sandboxes created with custom --db-user/--db-password (and also makes it impossible to easily test msandbox_rw/msandbox_ro via the helper script). Suggest making the proxy client credentials configurable (e.g., via provider options) and/or generating separate helper scripts for rw/ro users.