@hbisheng
Contributor

@hbisheng hbisheng commented Jan 8, 2026

What problem does this PR solve?

Issue Number: ref #10222

Problem Summary:
When next-gen CMEK is enabled, raft logs and SST files can be encrypted by TiFlash proxy; the currently pinned tiflash-proxy-next-gen version can't recognize/read the encrypted data formats.

What is changed and how it works?

Bump submodule contrib/tiflash-proxy-next-gen to c013b172a259ccf11f23303097cd2b940f13e192 to pick up next-gen CMEK compatibility changes.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
    • Verified that when CMEK is enabled and TiFlash is enabled, TiFlash proxy would crash due to InvalidChecksum or encryption_key is not found without this commit.
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

None

Summary by CodeRabbit

  • Chores
    • Updated internal submodule reference to maintain compatibility.

@ti-chi-bot
Contributor

ti-chi-bot bot commented Jan 8, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ti-chi-bot ti-chi-bot bot added do-not-merge/needs-linked-issue release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 8, 2026
@coderabbitai

coderabbitai bot commented Jan 8, 2026

Walkthrough

The pull request updates the contrib/tiflash-proxy-next-gen submodule reference to point to a newer commit. This is a dependency version bump with no changes to the codebase itself—only the submodule pointer is modified.

Changes

Cohort / File(s) | Summary
Submodule Reference: contrib/tiflash-proxy-next-gen | Updated submodule commit reference from 2505f2f8d3061d8e61aa6f4ff4b91ade95a50785 to c013b172a259ccf11f23303097cd2b940f13e192

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A submodule hopped to the next,
From one commit, to the text,
No code was changed, no logic bent,
Just pointers moved, time well spent! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'tiflash-proxy-next-gen: bump for CMEK encrypted data' is clear, specific, and directly related to the main change—updating the submodule to support next-gen CMEK encryption.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check | ✅ Passed | The pull request description follows the template with all required sections completed: problem statement with issue reference, detailed explanation of changes with commit message, and comprehensive test/side-effects/documentation checklists.

@pingcap-cla-assistant

pingcap-cla-assistant bot commented Jan 8, 2026

CLA assistant check
All committers have signed the CLA.

Bump contrib/tiflash-proxy-next-gen to c013b172a259ccf11f23303097cd2b940f13e192 so that it can recognize the encrypted raft logs and SST files by next-gen CMEK.
@hbisheng hbisheng changed the title bump next gen proxy version to be cmek compatible tiflash-proxy-next-gen: bump for CMEK encrypted data Jan 22, 2026
@hbisheng hbisheng marked this pull request as ready for review January 22, 2026 03:16
@ti-chi-bot ti-chi-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 22, 2026
@hbisheng
Contributor Author

cc @JaySon-Huang

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@contrib/tiflash-proxy-next-gen`:
- Line 1: Add automated integration tests to cover CMEK-encrypted data
compatibility: implement tests named like TestTiFlashCMEK_RaftLogs and
TestTiFlashCMEK_SSTFiles to bring up a TiKV/TiFlash test cluster with CMEK
enabled and verify the TiFlash proxy (the proxy component under
contrib/tiflash-proxy-next-gen) can read encrypted raft logs and SST files, and
add TestTiFlash_NoCMEK_Backcompat to ensure non-CMEK deployments still work.
Hook these into the existing integration test harness (e.g., the package tests
or integration_test suite used by contrib/tiflash-proxy-next-gen), reuse helpers
that start a TiKV/TiFlash cluster and inject CMEK keys, and assert proxy startup
and successful reads of raft log entries and SST content; fail the test if the
proxy crashes or returns decryption errors. Ensure tests clean up keys/state and
can be toggled/skipped if CMEK environment (KMS) is unavailable.

@ti-chi-bot ti-chi-bot bot added needs-1-more-lgtm Indicates a PR needs 1 more LGTM. approved labels Jan 22, 2026
@ti-chi-bot ti-chi-bot bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Jan 22, 2026
@ti-chi-bot
Contributor

ti-chi-bot bot commented Jan 22, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-01-22 08:09:22.036418648 +0000 UTC m=+654189.650375494: ☑️ agreed by JaySon-Huang.
  • 2026-01-22 08:16:36.313764868 +0000 UTC m=+654623.927721714: ☑️ agreed by CalvinNeo.

@ti-chi-bot
Contributor

ti-chi-bot bot commented Jan 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CalvinNeo, JaySon-Huang, JinheLin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [CalvinNeo,JaySon-Huang,JinheLin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@JaySon-Huang
Contributor

/cherry-pick release-nextgen-20251011

@ti-chi-bot
Member

@JaySon-Huang: once the present PR merges, I will cherry-pick it on top of release-nextgen-20251011 in the new PR and assign it to you.

Details

In response to this:

/cherry-pick release-nextgen-20251011

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@ti-chi-bot ti-chi-bot bot merged commit d269478 into pingcap:master Jan 22, 2026
8 checks passed
@ti-chi-bot
Member

@JaySon-Huang: new pull request created to branch release-nextgen-20251011: #10672.

Details

In response to this:

/cherry-pick release-nextgen-20251011

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

ti-chi-bot bot pushed a commit that referenced this pull request Jan 23, 2026
ref #10222

Bump submodule contrib/tiflash-proxy-next-gen to c013b172a259ccf11f23303097cd2b940f13e192 to pick up next-gen CMEK compatibility changes.

Co-authored-by: Bisheng Huang <hbisheng@gmail.com>