diff --git a/charts/tidb-cluster/templates/_helpers.tpl b/charts/tidb-cluster/templates/_helpers.tpl
index 8d45360b8ee..837138eadc0 100644
--- a/charts/tidb-cluster/templates/_helpers.tpl
+++ b/charts/tidb-cluster/templates/_helpers.tpl
@@ -91,7 +91,7 @@ config-file: |-
 {{- if .Values.tidb.config }}
 {{ .Values.tidb.config | indent 2 }}
 {{- end -}}
- {{- if or .Values.enableTLSCluster .Values.tidb.tlsClient.enabled }}
+ {{- if or .Values.enableTLSCluster (and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled) }}
 [security]
 {{- end -}}
 {{- if .Values.enableTLSCluster }}
@@ -99,12 +99,8 @@ config-file: |-
 cluster-ssl-cert = "/var/lib/tidb-tls/tls.crt"
 cluster-ssl-key = "/var/lib/tidb-tls/tls.key"
 {{- end -}}
- {{- if .Values.tidb.tlsClient.enabled }}
- {{- if .Values.tidb.tlsClient.secretName }}
+ {{- if and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled }}
 ssl-ca = "/var/lib/tidb-server-tls/ca.crt"
- {{- else }}
- ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
- {{- end }}
 ssl-cert = "/var/lib/tidb-server-tls/tls.crt"
 ssl-key = "/var/lib/tidb-server-tls/tls.key"
 {{- end -}}
diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml
index 3cecac13308..e500bbc5968 100644
--- a/charts/tidb-cluster/values.yaml
+++ b/charts/tidb-cluster/values.yaml
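Review bot: Nothing in the template rejects a `tidb.tlsClient.secretName` left over from older values files, so a user who still sets it gets no error while the chart now quietly expects the Secret under the fixed name documented in values.yaml (`…-tidb-server-secret`); the `@@ -99` hunk below has the same gap. Since the `secretName` branch is gone, a one-line `fail` guard next to the new condition makes the break visible at upgrade time: `{{- if and .Values.tidb.tlsClient .Values.tidb.tlsClient.secretName }}{{ fail "tidb.tlsClient.secretName is no longer supported; name the Secret <clusterName>-tidb-server-secret" }}{{- end }}`. That hunk also drops the service-account CA fallback, so the Secret must now carry a `ca.crt` key; as `ssl-ca` is the trust anchor TiDB uses to verify client certificates, a missing key would presumably only surface when TiDB starts, which is worth stating in the values.yaml comment.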
@@ -439,26 +439,19 @@ tidb: list: ["whitelist-1"] # Whether enable TLS connection between TiDB server and MySQL client. - # Note: TLS connection is not forced on the server side, plain connections are also accepted after enableing. + # https://pingcap.com/docs/stable/how-to/secure/enable-tls-clients/ tlsClient: - # When enabled, TiDB will accept TLS encrypted connections from MySQL client + # The steps to enable this feature: + # 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. + # There are multiple ways to generate certificates: + # - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/enable-tls-clients/ + # - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ + # - or use cert-manager signed certificates: https://cert-manager.io/ + # 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. + # The name of this Secret must be: -tidb-server-secret. + # kubectl create secret generic -tidb-server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + # 3. Then create the TiDB cluster with `tlsClient.enabled` set to `true`. enabled: false - # # secretName is the name of the secret that stores user-defined tidb server certificate, key and ca... - # # If not specified but tls client is enabled, certificated signed by k8s is created automatically. 
- # # Create this secret with the following command: - # # kubectl create secret generic --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= - # secretName: "demo-tidb-server-secret" - - # Auto-generated certificate in k8s: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ - # autoGenerated: - # # Extra SAN IP list - # extraSANIPList: - # - 1.1.1.1 - # - 2.2.2.2 - # # Extra SAN Domain list - # extraSANDomainList: - # - example1.com - # - example2.com # mysqlClient is used to set password for TiDB # it must has Python MySQL client installed diff --git a/pkg/apis/pingcap/v1alpha1/tidbcluster.go b/pkg/apis/pingcap/v1alpha1/tidbcluster.go index cb87fc3432d..ce3ce7f2705 100644 --- a/pkg/apis/pingcap/v1alpha1/tidbcluster.go +++ b/pkg/apis/pingcap/v1alpha1/tidbcluster.go @@ -350,10 +350,6 @@ func (tidb *TiDBSpec) IsAdvertiseAddressEnabled() bool { return *tidb.EnableAdvertiseAddress } -func (tidb *TiDBSpec) IsUserGeneratedCertificate() bool { - return tidb.IsTLSClientEnabled() && tidb.TLSClient.SecretName != "" -} - func (tidb *TiDBSpec) ShouldSeparateSlowLog() bool { separateSlowLog := tidb.SeparateSlowLog if separateSlowLog == nil { diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index d583c2be18c..262d76e27fa 100644 --- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go 
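Review bot: The removed caveat `Note: TLS connection is not forced on the server side, plain connections are also accepted after enableing.` was the one sentence telling operators that `tlsClient.enabled: true` does not stop plaintext MySQL connections; the replacement link does not say so, so keep the sentence (with `enableing` → `enabling`) next to the link. Two smaller fixes in the added text: `certifiacete` → `certificate`, and the Secret name and the `kubectl create secret` example read `-tidb-server-secret`, `--namespace=` and `--from-file=tls.crt=` with no placeholders — if angle-bracket placeholders were stripped when this page was rendered, ignore this; otherwise write them as `<clusterName>-tidb-server-secret`, `--namespace=<namespace>`, `--from-file=tls.crt=<path>`. The same comment text is duplicated in the `TiDBTLSClient` doc in `pkg/apis/pingcap/v1alpha1/types.go` and needs the same corrections.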
@@ -604,27 +604,18 @@ type PumpStatus struct { // TiDBTLSClient can enable TLS connection between TiDB server and MySQL client type TiDBTLSClient struct { // When enabled, TiDB will accept TLS encrypted connections from MySQL client + // The steps to enable this feature: + // 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. + // There are multiple ways to generate certificates: + // - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/enable-tls-clients/ + // - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ + // - or use cert-manager signed certificates: https://cert-manager.io/ + // 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. + // The name of this Secret must be: -tidb-server-secret. + // kubectl create secret generic -tidb-server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + // 3. Set Enabled to `true`. // +optional Enabled bool `json:"enabled,omitempty"` - - // Secret name which stores user-defined TiDB Server certificate, key and ca - // +optional - SecretName string `json:"secretName,omitempty"` - - // Auto-generated certificate - // +optional - AutoGenerated *TiDBAutoGeneratedCertificate `json:"autoGenerated,omitempty"` -} - -// TiDBAutoGeneratedCertificate is TiDB auto-generated certificate -type TiDBAutoGeneratedCertificate struct { - // Extra SAN IP list - // +optional - ExtraSANIPList []string `json:"extraSANIPList,omitempty"` - - // Extra SAN Domain list - // +optional - ExtraSANDomainList []string `json:"extraSANDomainList,omitempty"` } // +genclient diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go index 63eb9535255..f660699e831 100644 --- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go 
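Review bot: Dropping `SecretName` and `AutoGenerated` from `TiDBTLSClient` in the served v1alpha1 API is a breaking change with no deprecation window: an existing TidbCluster that set `tlsClient.secretName` to a custom name is decoded without it, and after the operator upgrade `getNewTiDBSetForTidbCluster` (later in this diff) mounts the fixed `-server-secret` name instead, so TLS-enabled pods can stall on a Secret that does not exist. Unless the project makes no compatibility promise for v1alpha1, keep the field for one release with `// Deprecated: ignored since <version>; the Secret must be named <clusterName>-tidb-server-secret.` and have the member manager log or reject a value that differs from `tlsClientSecretName(tc)`. The removal of the exported method `IsUserGeneratedCertificate` in `tidbcluster.go` has the same effect on out-of-tree callers.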
@@ -2231,32 +2231,6 @@ func (in *TiDBAccessConfig) DeepCopy() *TiDBAccessConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TiDBAutoGeneratedCertificate) DeepCopyInto(out *TiDBAutoGeneratedCertificate) { - *out = *in - if in.ExtraSANIPList != nil { - in, out := &in.ExtraSANIPList, &out.ExtraSANIPList - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.ExtraSANDomainList != nil { - in, out := &in.ExtraSANDomainList, &out.ExtraSANDomainList - *out = make([]string, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiDBAutoGeneratedCertificate. -func (in *TiDBAutoGeneratedCertificate) DeepCopy() *TiDBAutoGeneratedCertificate { - if in == nil { - return nil - } - out := new(TiDBAutoGeneratedCertificate) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiDBConfig) DeepCopyInto(out *TiDBConfig) { *out = *in @@ -2539,7 +2513,7 @@ func (in *TiDBSpec) DeepCopyInto(out *TiDBSpec) { if in.TLSClient != nil { in, out := &in.TLSClient, &out.TLSClient *out = new(TiDBTLSClient) - (*in).DeepCopyInto(*out) + **out = **in } if in.SlowLogTailer != nil { in, out := &in.SlowLogTailer, &out.SlowLogTailer @@ -2607,11 +2581,6 @@ func (in *TiDBStatus) DeepCopy() *TiDBStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiDBTLSClient) DeepCopyInto(out *TiDBTLSClient) { *out = *in - if in.AutoGenerated != nil { - in, out := &in.AutoGenerated, &out.AutoGenerated - *out = new(TiDBAutoGeneratedCertificate) - (*in).DeepCopyInto(*out) - } return } diff --git a/pkg/manager/member/tidb_member_manager.go b/pkg/manager/member/tidb_member_manager.go index eb113c213c7..3747a887a33 100644 
--- a/pkg/manager/member/tidb_member_manager.go
+++ b/pkg/manager/member/tidb_member_manager.go
@@ -186,16 +186,6 @@ func (tmm *tidbMemberManager) syncTiDBStatefulSetForTidbCluster(tc *v1alpha1.Tid
 return err
 }
 }
- if tc.Spec.TiDB.IsTLSClientEnabled() && !tc.Spec.TiDB.IsUserGeneratedCertificate() {
- err := tmm.syncTiDBServerCerts(tc)
- if err != nil {
- return err
- }
- err = tmm.syncTiDBClientCerts(tc)
- if err != nil {
- return err
- }
- }
 err = tmm.setControl.CreateStatefulSet(tc, newTiDBSet)
 if err != nil {
 return err
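Review bot: With the auto-generation path removed, `syncTiDBStatefulSetForTidbCluster` (whose body starts outside this hunk) no longer checks that the Secret the StatefulSet will mount exists before `CreateStatefulSet`, so a cluster with `tlsClient.enabled: true` and a missing or misnamed Secret is created anyway and its pods hang in ContainerCreating with only a kubelet event to explain it. `tmm.certControl.CheckSecret`, which the removed code used as an existence probe, is still available, so a guard where the removed block stood would surface the problem as a reconcile error instead: `if tc.Spec.TiDB.IsTLSClientEnabled() && !tmm.certControl.CheckSecret(tc.GetNamespace(), tlsClientSecretName(tc)) {` / `return fmt.Errorf("tidb server tls secret %s/%s not found", tc.GetNamespace(), tlsClientSecretName(tc))` / `}`, using the `tlsClientSecretName` helper this diff adds. Whether `CheckSecret` also verifies the `tls.crt`/`tls.key`/`ca.crt` keys is not visible here; if it does not, the same spot is where that check belongs.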
@@ -270,80 +260,6 @@ func (tmm *tidbMemberManager) syncTiDBClusterCerts(tc *v1alpha1.TidbCluster) err return tmm.certControl.Create(controller.GetOwnerRef(tc), certOpts) } -// syncTiDBServerCerts creates the cert pair for TiDB if not exist, the cert -// pair is used to communicate with DB clients with encrypted connections -func (tmm *tidbMemberManager) syncTiDBServerCerts(tc *v1alpha1.TidbCluster) error { - suffix := "tidb-server" - ns := tc.GetNamespace() - tcName := tc.GetName() - svcName := controller.TiDBMemberName(tcName) - - if tmm.certControl.CheckSecret(ns, svcName) { - return nil - } - - svc, err := tmm.svcLister.Services(ns).Get(svcName) - if err != nil { - return err - } - - hostList := []string{ - svcName, - fmt.Sprintf("%s.%s", svcName, ns), - fmt.Sprintf("%s.%s.svc", svcName, ns), - "localhost", - } - ipList := []string{ - "127.0.0.1", "::1", - svc.Spec.ClusterIP, - } - - if tc.Spec.TiDB.TLSClient.AutoGenerated != nil { - hostList = append(hostList, tc.Spec.TiDB.TLSClient.AutoGenerated.ExtraSANDomainList...) - ipList = append(ipList, tc.Spec.TiDB.TLSClient.AutoGenerated.ExtraSANIPList...) 
- } - - certOpts := &controller.TiDBClusterCertOptions{ - Namespace: ns, - Instance: tcName, - CommonName: svcName, - HostList: hostList, - IPList: ipList, - Component: "tidb", - Suffix: suffix, - } - - return tmm.certControl.Create(controller.GetOwnerRef(tc), certOpts) -} - -// syncTiDBClientCerts creates the cert pair for TiDB if not exist, the cert -// pair is used for DB clients to connect to TiDB server with encrypted connections -func (tmm *tidbMemberManager) syncTiDBClientCerts(tc *v1alpha1.TidbCluster) error { - suffix := "tidb-client" - ns := tc.GetNamespace() - tcName := tc.GetName() - commonName := fmt.Sprintf("%s-%s", tcName, suffix) - - if tmm.certControl.CheckSecret(ns, commonName) { - return nil - } - - hostList := []string{ - commonName, - } - - certOpts := &controller.TiDBClusterCertOptions{ - Namespace: ns, - Instance: tcName, - CommonName: commonName, - HostList: hostList, - Component: "tidb", - Suffix: suffix, - } - - return tmm.certControl.Create(controller.GetOwnerRef(tc), certOpts) -} - func (tmm *tidbMemberManager) syncTiDBService(tc *v1alpha1.TidbCluster) error { newSvc := getNewTiDBServiceOrNil(tc) @@ -441,11 +357,7 @@ func getTiDBConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) { if config.Security == nil { config.Security = &v1alpha1.Security{} } - if tc.Spec.TiDB.IsUserGeneratedCertificate() { - config.Security.SSLCA = pointer.StringPtr(path.Join(serverCertPath, tlsSecretRootCAKey)) - } else { - config.Security.SSLCA = pointer.StringPtr(serviceAccountCAPath) - } + config.Security.SSLCA = pointer.StringPtr(path.Join(serverCertPath, tlsSecretRootCAKey)) config.Security.SSLCert = pointer.StringPtr(path.Join(serverCertPath, corev1.TLSCertKey)) config.Security.SSLKey = pointer.StringPtr(path.Join(serverCertPath, corev1.TLSPrivateKeyKey)) } 
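Review bot: `config.Security.SSLCA` now always points at `path.Join(serverCertPath, tlsSecretRootCAKey)`, which makes the `ca.crt` entry of the user-provided Secret the sole trust anchor TiDB uses to verify MySQL client certificates, with the operator no longer involved in how it was produced; that is a deliberate tightening over the service-account CA fallback, but it deserves a why-comment so a later reader does not reintroduce the fallback. Suggested line above the assignment: `// ssl-ca is the CA TiDB trusts for client certificates; it always comes from the ca.crt key of the user-provided Secret (the service-account CA fallback was removed on purpose).` `getTiDBConfigMap` starts outside this hunk, and the preceding `@@ -270` hunk is a pure deletion that needs nothing.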
@@ -635,12 +547,7 @@ func getNewTiDBSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) }) } if tc.Spec.TiDB.IsTLSClientEnabled() { - var secretName string - if tc.Spec.TiDB.IsUserGeneratedCertificate() { - secretName = tc.Spec.TiDB.TLSClient.SecretName - } else { - secretName = fmt.Sprintf("%s-%s", controller.TiDBMemberName(tcName), "server") - } + secretName := tlsClientSecretName(tc) vols = append(vols, corev1.Volume{ Name: "tidb-server-tls", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ @@ -911,6 +818,10 @@ func tidbStatefulSetIsUpgrading(podLister corelisters.PodLister, set *apps.State return false, nil } +func tlsClientSecretName(tc *v1alpha1.TidbCluster) string { + return fmt.Sprintf("%s-server-secret", controller.TiDBMemberName(tc.Name)) +} + type FakeTiDBMemberManager struct { err error } diff --git a/pkg/manager/member/tidb_member_manager_test.go b/pkg/manager/member/tidb_member_manager_test.go index 4f0aa34c926..8d36d8ba79b 100644 --- a/pkg/manager/member/tidb_member_manager_test.go +++ b/pkg/manager/member/tidb_member_manager_test.go @@ -1650,7 +1650,7 @@ func TestGetTiDBConfigMap(t *testing.T) { Data: map[string]string{ "startup-script": "", "config-file": `[security] - ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + ssl-ca = "/var/lib/tidb-server-tls/ca.crt" ssl-cert = "/var/lib/tidb-server-tls/tls.crt" ssl-key = "/var/lib/tidb-server-tls/tls.key" cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
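Review bot: `tlsClientSecretName` has no doc comment and reads `tc.Name` directly while the rest of the file (see the removed `tcName := tc.GetName()` earlier in this diff) goes through `GetName()`. Suggest `// tlsClientSecretName returns the name of the user-provided Secret holding the TiDB server certificate, key and CA for client TLS; it must match the naming convention documented in values.yaml and on TiDBTLSClient.` above it, and `return controller.TiDBMemberName(tc.GetName()) + "-server-secret"` for the body, since a two-piece concatenation does not need `fmt.Sprintf`. Whether the resulting name ends in `-tidb-server-secret` as the comments promise depends on what `controller.TiDBMemberName` returns, which is not visible here.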
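Review bot: Only the expected `ssl-ca` path is updated in `TestGetTiDBConfigMap` (which continues outside this hunk); nothing in this diff tests `tlsClientSecretName` or that `getNewTiDBSetForTidbCluster` mounts that Secret into the `tidb-server-tls` volume when `tlsClient.enabled` is true. Since users must now create the Secret under this exact name by hand, a test case pinning the name built from `controller.TiDBMemberName` would catch drift between the operator, the chart template and the comments in values.yaml and types.go.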