use k8s standard tls secret format (#1824)
* use standard tls secret format

* fix tls config in prometheus scrape config
cofyc authored Mar 2, 2020
1 parent 9b69f6d commit aed1835
Showing 14 changed files with 54 additions and 47 deletions.
22 changes: 11 additions & 11 deletions charts/tidb-cluster/templates/_helpers.tpl
Expand Up @@ -44,8 +44,8 @@ config-file: |-
{{- if .Values.enableTLSCluster }}
[security]
cacert-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
cert-path = "/var/lib/pd-tls/cert"
key-path = "/var/lib/pd-tls/key"
cert-path = "/var/lib/pd-tls/tls.crt"
key-path = "/var/lib/pd-tls/tls.key"
{{- end -}}

{{- end -}}
Expand All @@ -67,8 +67,8 @@ config-file: |-
{{- if .Values.enableTLSCluster }}
[security]
ca-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
cert-path = "/var/lib/tikv-tls/cert"
key-path = "/var/lib/tikv-tls/key"
cert-path = "/var/lib/tikv-tls/tls.crt"
key-path = "/var/lib/tikv-tls/tls.key"
{{- end -}}

{{- end -}}
Expand Down Expand Up @@ -96,17 +96,17 @@ config-file: |-
{{- end -}}
{{- if .Values.enableTLSCluster }}
cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
cluster-ssl-cert = "/var/lib/tidb-tls/cert"
cluster-ssl-key = "/var/lib/tidb-tls/key"
cluster-ssl-cert = "/var/lib/tidb-tls/tls.crt"
cluster-ssl-key = "/var/lib/tidb-tls/tls.key"
{{- end -}}
{{- if .Values.tidb.tlsClient.enabled }}
{{- if .Values.tidb.tlsClient.secretName }}
ssl-ca = "/var/lib/tidb-server-tls/ca"
ssl-ca = "/var/lib/tidb-server-tls/ca.crt"
{{- else }}
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
{{- end }}
ssl-cert = "/var/lib/tidb-server-tls/cert"
ssl-key = "/var/lib/tidb-server-tls/key"
ssl-cert = "/var/lib/tidb-server-tls/tls.crt"
ssl-key = "/var/lib/tidb-server-tls/tls.key"
{{- end -}}

{{- end -}}
Expand All @@ -129,8 +129,8 @@ pump-config: |-
{{- if .Values.enableTLSCluster }}
[security]
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ssl-cert = "/var/lib/pump-tls/cert"
ssl-key = "/var/lib/pump-tls/key"
ssl-cert = "/var/lib/pump-tls/tls.crt"
ssl-key = "/var/lib/pump-tls/tls.key"
{{- end -}}
{{- else -}}
{{ tuple "config/_pump-config.tpl" . | include "helm-toolkit.utils.template" | indent 2 }}
12 changes: 6 additions & 6 deletions charts/tidb-cluster/templates/config/_prometheus-config.tpl
Expand Up @@ -23,8 +23,8 @@ scrape_configs:
insecure_skip_verify: true
{{- if .Values.enableTLSCluster }}
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cert_file: /var/lib/pd-client-tls/cert
key_file: /var/lib/pd-client-tls/key
cert_file: /var/lib/pd-client-tls/tls.crt
key_file: /var/lib/pd-client-tls/tls.key
scheme: https
{{- end }}
relabel_configs:
Expand Down Expand Up @@ -75,8 +75,8 @@ scrape_configs:
insecure_skip_verify: true
{{- if .Values.enableTLSCluster }}
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cert_file: /var/lib/pd-client-tls/cert
key_file: /var/lib/pd-client-tls/key
cert_file: /var/lib/pd-client-tls/tls.crt
key_file: /var/lib/pd-client-tls/tls.key
scheme: https
{{- end }}
relabel_configs:
Expand Down Expand Up @@ -129,8 +129,8 @@ scrape_configs:
# And we should fix it after TiKV fix this issue: https://github.com/tikv/tikv/issues/5340
# {{- if .Values.enableTLSCluster }}
# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# cert_file: /var/lib/pd-client-tls/cert
# key_file: /var/lib/pd-client-tls/key
# cert_file: /var/lib/pd-client-tls/tls.crt
# key_file: /var/lib/pd-client-tls/tls.key
# scheme: https
# {{- end }}
relabel_configs:
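Review bot: `insecure_skip_verify: true` at the top of the first two hunks is kept even when `enableTLSCluster` switches on `ca_file`, `cert_file` and `key_file`, so Prometheus presents the pd-client certificate to whatever answers on the scrape address without verifying that server against the service-account CA, and the `ca_file` line is effectively dead configuration. Move the skip into the non-TLS branch so verification is on whenever mTLS is: `{{- if .Values.enableTLSCluster }} ca_file: … cert_file: … key_file: … scheme: https {{- else }} insecure_skip_verify: true {{- end }}`. If verification then fails because the PD/TiDB certificates lack a SAN for the scrape address, that is a certificate-request problem to fix, not a reason to keep verification off; the TiKV job in the third hunk is still fully commented out and is unaffected.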
4 changes: 2 additions & 2 deletions charts/tidb-cluster/templates/config/_pump-config.tpl
Expand Up @@ -40,8 +40,8 @@ sync-log = {{ .Values.binlog.pump.syncLog | default true }}
# Path of file that contains list of trusted SSL CAs for connection with cluster components.
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# Path of file that contains X509 certificate in PEM format for connection with cluster components.
ssl-cert = "/var/lib/pump-tls/cert"
ssl-cert = "/var/lib/pump-tls/tls.crt"
# Path of file that contains X509 key in PEM format for connection with cluster components.
ssl-key = "/var/lib/pump-tls/key"
ssl-key = "/var/lib/pump-tls/tls.key"
{{- end -}}

2 changes: 1 addition & 1 deletion charts/tidb-cluster/values.yaml
Expand Up @@ -435,7 +435,7 @@ tidb:
# # secretName is the name of the secret that stores user-defined tidb server certificate, key and ca...
# # If not specified but tls client is enabled, certificated signed by k8s is created automatically.
# # Create this secret with the following command:
# # kubectl create secret generic <secret-name> --namespace=<namespace> --from-file=cert=<tidb server certificate file path> --from-file=key=<tidb server key file path> --from-file=ca=<ca file path>
# # kubectl create secret generic <secret-name> --namespace=<namespace> --from-file=tls.crt=<tidb server certificate file path> --from-file=tls.key=<tidb server key file path> --from-file=ca.crt=<ca file path>
# secretName: "demo-tidb-server-secret"

# Auto-generated certificate in k8s: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
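Review bot: The updated `kubectl create secret generic` command yields an Opaque Secret whose keys merely mimic the `kubernetes.io/tls` layout, whereas the operator now creates `Type: kubernetes.io/tls` Secrets in secret_control.go in this same commit, so user-supplied and operator-generated Secrets differ in type. Steer users to the same type so the API server validates that `tls.crt`/`tls.key` are present and tooling treats both uniformly: `kubectl create secret generic <secret-name> --namespace=<namespace> --type=kubernetes.io/tls --from-file=tls.crt=<cert> --from-file=tls.key=<key> --from-file=ca.crt=<ca>`. `kubectl create secret tls` is not an option here because it offers no way to add the `ca.crt` entry that the tidb-server template expects from a user-defined secret.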
4 changes: 2 additions & 2 deletions charts/tidb-drainer/templates/_helpers.tpl
Expand Up @@ -20,8 +20,8 @@ config-file: |-
{{- if .Values.enableTLSCluster }}
[security]
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ssl-cert = "/var/lib/drainer-tls/cert"
ssl-key = "/var/lib/drainer-tls/key"
ssl-cert = "/var/lib/drainer-tls/tls.crt"
ssl-key = "/var/lib/drainer-tls/tls.key"
{{- end -}}
{{- end -}}

6 changes: 3 additions & 3 deletions hack/create-cert.sh
Expand Up @@ -144,8 +144,8 @@ fi
echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem

# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key=${tmpdir}/server-key.pem \
--from-file=cert=${tmpdir}/server-cert.pem \
kubectl create secret tls ${secret} \
--key=${tmpdir}/server-key.pem \
--cert=${tmpdir}/server-cert.pem \
--dry-run -o yaml |
kubectl -n ${namespace} apply -f -
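Review bot: `kubectl create secret tls` parses the pair and rejects a certificate/key mismatch, which the old `generic` form did not, so the switch is a real improvement; but `${tmpdir}/server-key.pem`, written just above this hunk, is a plaintext private key on disk and nothing visible here removes it — if the script does not already install a `trap 'rm -rf "${tmpdir}"' EXIT` earlier, add one so the key does not outlive the run. A `tls` Secret cannot carry a CA through this command, which is acceptable only because the cluster components read the CA from the service-account bundle rather than from the Secret. The boolean `--dry-run` is deprecated in recent kubectl in favour of `--dry-run=client`; switch once the supported kubectl floor allows it.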
8 changes: 5 additions & 3 deletions pkg/controller/secret_control.go
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/pingcap/tidb-operator/pkg/label"
certutil "github.com/pingcap/tidb-operator/pkg/util/crypto"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -65,9 +66,10 @@ func (rsc *realSecretControl) Create(or metav1.OwnerReference, certOpts *TiDBClu
OwnerReferences: []metav1.OwnerReference{or},
},
Data: map[string][]byte{
"cert": cert,
"key": key,
v1.TLSCertKey: cert,
v1.TLSPrivateKeyKey: key,
},
Type: v1.SecretTypeTLS,
}

_, err := rsc.kubeCli.CoreV1().Secrets(certOpts.Namespace).Create(secret)
Expand All @@ -84,7 +86,7 @@ func (rsc *realSecretControl) Load(ns string, secretName string) ([]byte, []byte
return nil, nil, err
}

return secret.Data["cert"], secret.Data["key"], nil
return secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey], nil
}

// Check returns true if the secret already exist
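Review bot: `Load` (its signature is above the second hunk) still returns `secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey], nil` without checking that either key exists, so a Secret written under the old `cert`/`key` layout by a previous operator release, or any hand-made Secret, comes back as nil cert and nil key with a nil error and only fails later as an opaque TLS error. `GetTLSConfig` in pkg/pdapi already guards the same lookup in this commit; do the same here and name the expected keys so the migration is obvious (this needs `fmt` imported if it is not already). Separately, the new `v1` alias imports the same package as the existing `corev1` import two lines above it; the other files in this commit use `corev1.TLSCertKey`, so prefer that and drop the duplicate import.
```go
	// … unchanged: fetch the Secret, return err on failure …
	cert, certOK := secret.Data[corev1.TLSCertKey]
	key, keyOK := secret.Data[corev1.TLSPrivateKeyKey]
	if !certOK || !keyOK {
		return nil, nil, fmt.Errorf("secret %s/%s must contain %q and %q", ns, secretName, corev1.TLSCertKey, corev1.TLSPrivateKeyKey)
	}
	return cert, key, nil
```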
4 changes: 2 additions & 2 deletions pkg/manager/member/pd_member_manager.go
Expand Up @@ -722,8 +722,8 @@ func getPDConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
config.Security = &v1alpha1.PDSecurityConfig{}
}
config.Security.CAPath = serviceAccountCAPath
config.Security.CertPath = path.Join(pdClusterCertPath, "cert")
config.Security.KeyPath = path.Join(pdClusterCertPath, "key")
config.Security.CertPath = path.Join(pdClusterCertPath, corev1.TLSCertKey)
config.Security.KeyPath = path.Join(pdClusterCertPath, corev1.TLSPrivateKeyKey)
}

confText, err := MarshalTOML(config)
4 changes: 2 additions & 2 deletions pkg/manager/member/pump_member_manager.go
Expand Up @@ -261,8 +261,8 @@ func getNewPumpConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
confTextStr,
"[security]",
fmt.Sprintf("ssl-ca = \"%s\"", serviceAccountCAPath),
fmt.Sprintf("ssl-cert = \"%s\"", path.Join(pumpCertPath, "cert")),
fmt.Sprintf("ssl-key = \"%s\"", path.Join(pumpCertPath, "key"))}, "\n")
fmt.Sprintf("ssl-cert = \"%s\"", path.Join(pumpCertPath, corev1.TLSCertKey)),
fmt.Sprintf("ssl-key = \"%s\"", path.Join(pumpCertPath, corev1.TLSPrivateKeyKey))}, "\n")
}
data := map[string]string{
"pump-config": confTextStr,
14 changes: 9 additions & 5 deletions pkg/manager/member/tidb_member_manager.go
Expand Up @@ -47,6 +47,10 @@ const (
serverCertPath = "/var/lib/tidb-server-tls"
// serviceAccountCAPath is where is CABundle of serviceaccount locates
serviceAccountCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
// tlsSecretRootCAKey is the key used in tls secret for the root CA.
// When user use self-signed certificates, the root CA must be provided. We
// following the same convention used in Kubernetes service token.
tlsSecretRootCAKey = corev1.ServiceAccountRootCAKey
)

type tidbMemberManager struct {
Expand Down Expand Up @@ -430,20 +434,20 @@ func getTiDBConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
config.Security = &v1alpha1.Security{}
}
config.Security.ClusterSSLCA = pointer.StringPtr(serviceAccountCAPath)
config.Security.ClusterSSLCert = pointer.StringPtr(path.Join(clusterCertPath, "cert"))
config.Security.ClusterSSLKey = pointer.StringPtr(path.Join(clusterCertPath, "key"))
config.Security.ClusterSSLCert = pointer.StringPtr(path.Join(clusterCertPath, corev1.TLSCertKey))
config.Security.ClusterSSLKey = pointer.StringPtr(path.Join(clusterCertPath, corev1.TLSPrivateKeyKey))
}
if tc.Spec.TiDB.IsTLSClientEnabled() {
if config.Security == nil {
config.Security = &v1alpha1.Security{}
}
if tc.Spec.TiDB.IsUserGeneratedCertificate() {
config.Security.SSLCA = pointer.StringPtr(path.Join(serverCertPath, "ca"))
config.Security.SSLCA = pointer.StringPtr(path.Join(serverCertPath, tlsSecretRootCAKey))
} else {
config.Security.SSLCA = pointer.StringPtr(serviceAccountCAPath)
}
config.Security.SSLCert = pointer.StringPtr(path.Join(serverCertPath, "cert"))
config.Security.SSLKey = pointer.StringPtr(path.Join(serverCertPath, "key"))
config.Security.SSLCert = pointer.StringPtr(path.Join(serverCertPath, corev1.TLSCertKey))
config.Security.SSLKey = pointer.StringPtr(path.Join(serverCertPath, corev1.TLSPrivateKeyKey))
}
confText, err := MarshalTOML(config)
if err != nil {
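Review bot: The doc comment on `tlsSecretRootCAKey` in the first hunk is garbled ("When user use", "We following") and does not state the contract it introduces: when `IsUserGeneratedCertificate()` is true, the Secret named by the user must carry a `ca.crt` entry alongside `tls.crt`/`tls.key`, otherwise TiDB's `ssl-ca` is pointed at a path that will not exist in the mounted volume. Suggested text: `// tlsSecretRootCAKey is the key under which a user-provided TLS Secret must carry the CA bundle used for TiDB's ssl-ca setting. It deliberately reuses the key name Kubernetes uses for the service-account CA ("ca.crt") so both layouts look the same to TiDB.` If the reconcile path does not already validate that the user Secret contains all three keys, consider checking there and returning a clear error instead of letting tidb-server fail on a missing file; that code is outside this hunk.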
8 changes: 4 additions & 4 deletions pkg/manager/member/tidb_member_manager_test.go
Expand Up @@ -1651,11 +1651,11 @@ func TestGetTiDBConfigMap(t *testing.T) {
"startup-script": "",
"config-file": `[security]
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ssl-cert = "/var/lib/tidb-server-tls/cert"
ssl-key = "/var/lib/tidb-server-tls/key"
ssl-cert = "/var/lib/tidb-server-tls/tls.crt"
ssl-key = "/var/lib/tidb-server-tls/tls.key"
cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
cluster-ssl-cert = "/var/lib/tidb-tls/cert"
cluster-ssl-key = "/var/lib/tidb-tls/key"
cluster-ssl-cert = "/var/lib/tidb-tls/tls.crt"
cluster-ssl-key = "/var/lib/tidb-tls/tls.key"
`,
},
},
4 changes: 2 additions & 2 deletions pkg/manager/member/tikv_member_manager.go
Expand Up @@ -538,8 +538,8 @@ func getTikVConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
config.Security = &v1alpha1.TiKVSecurityConfig{}
}
config.Security.CAPath = serviceAccountCAPath
config.Security.CertPath = path.Join(tikvClusterCertPath, "cert")
config.Security.KeyPath = path.Join(tikvClusterCertPath, "key")
config.Security.CertPath = path.Join(tikvClusterCertPath, corev1.TLSCertKey)
config.Security.KeyPath = path.Join(tikvClusterCertPath, corev1.TLSPrivateKeyKey)
}

confText, err := MarshalTOML(config)
4 changes: 2 additions & 2 deletions pkg/monitor/monitor/template.go
Expand Up @@ -33,8 +33,8 @@ const (
nodeNameLabel = "__meta_kubernetes_pod_node_name"
podIPLabel = "__meta_kubernetes_pod_ip"
caFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
certFilePath = "/var/lib/pd-client-tls/cert"
keyFilePath = "/var/lib/pd-client-tls/key"
certFilePath = "/var/lib/pd-client-tls/tls.crt"
keyFilePath = "/var/lib/pd-client-tls/tls.key"
)

var (
5 changes: 3 additions & 2 deletions pkg/pdapi/pdapi.go
Expand Up @@ -26,6 +26,7 @@ import (
"time"

"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
v1 "k8s.io/api/core/v1"
"k8s.io/klog"

"github.com/pingcap/kvproto/pkg/metapb"
Expand Down Expand Up @@ -84,8 +85,8 @@ func GetTLSConfig(kubeCli kubernetes.Interface, namespace Namespace, tcName stri
}
}

clientCert, certExists := secret.Data["cert"]
clientKey, keyExists := secret.Data["key"]
clientCert, certExists := secret.Data[v1.TLSCertKey]
clientKey, keyExists := secret.Data[v1.TLSPrivateKeyKey]
if !certExists || !keyExists {
return nil, fmt.Errorf("cert or key does not exist in secret %s/%s", namespace, secretName)
}
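Review bot: The renamed lookups are correctly guarded, but the error on the following line, `cert or key does not exist in secret %s/%s`, no longer tells an operator which keys are expected, and after this change Secrets created by earlier releases under `cert`/`key` will land on exactly this path. Name the keys so the migration is obvious: `return nil, nil, fmt.Errorf("secret %s/%s must contain %q and %q", namespace, secretName, v1.TLSCertKey, v1.TLSPrivateKeyKey)`. `GetTLSConfig` starts above this hunk.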
