To support various certificate issuers and methods, for example user-defined certificates, the K8s builtin CA system or cert-manager, we will refactor the TiDB Cluster/Client TLS feature with a new API and new usage.
First, we will change the Cluster/Client TLS API to:
That is the whole API we need.
If the user sets tlsCluster.enabled to true, then tidb-operator will assume that several Secrets have been created, named <cluster-name>-pd-cluster-secret, <cluster-name>-tikv-cluster-secret, <cluster-name>-tidb-cluster-secret, <cluster-name>-cluster-client-secret, and the Secrets of the other TiDB components.
Each Secret's data should have three keys: tls.crt, tls.key and ca.crt.
These Secrets can be created by the user manually, by the K8s builtin CA system or by cert-manager. PD/TiKV/TiDB/... will use these Secrets to start their servers.
tidb-operator will not supply these certificates automatically.
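Since the operator does not issue these certificates, a component (or an admission check) has to validate whatever landed in the Secret before trusting it. The following is an added example in Go, not code from this issue or from tidb-operator: it checks one such Secret's data for the three keys, that tls.key matches tls.crt, and that tls.crt chains to ca.crt. The cluster name "basic", the CN "basic-pd" and the CA are constructed fixture values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckClusterSecret validates the data of one <cluster-name>-<component>-cluster-secret.
func CheckClusterSecret(data map[string][]byte) error {
	// Fails when tls.crt or tls.key is missing or malformed, or when the two do not match.
	pair, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"])
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(data["ca.crt"]) {
		return errors.New("ca.crt is missing or holds no PEM certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots}) // fails for a cert issued by any other CA
	return err
}

// NewTestSecret builds constructed Secret data shaped like <cluster-name>-pd-cluster-secret:
// a leaf for the hypothetical PD of cluster "basic", issued by a constructed cluster CA.
func NewTestSecret() map[string][]byte {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "basic-pd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, caT, leafPub, caKey) // issued by the CA
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
		"ca.crt":  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
	}
}
```

In a real deployment the same check is run against the Secret fetched from the API server; a leaf from an unrelated CA or a swapped tls.key is rejected before the component starts.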
There are several tasks:
- require-secure-transport option to TiDB Server: https://github.com/pingcap/tidb/pull/15341
- require-secure-transport option
- http, not https, scheme: https://github.com/pingcap/tidb-binlog/issues/936
- cert-allowed-cn: https://github.com/pingcap/tidb-operator/pull/2061
- cert-allowed-cn: https://github.com/pingcap/tidb-operator/issues/2046
Low priority or do not do issues: