failed to set cert-allowed-cn option for pump

[weekface]

I create TidbCluster with following:

apiVersion: pingcap.com/v1alpha1
kind: TidbCluster
metadata:
  name: cluster-tls
  namespace: cluster-tls
spec:
  tlsCluster:
    enabled: true
  version: nightly
  timezone: UTC
  pvReclaimPolicy: Delete
  helper:
    imagePullPolicy: Always
  pd:
    baseImage: pingcap/pd
    replicas: 1
    requests:
      storage: "1Gi"
    config:
      security:
        cert-allowed-cn:
          - "TiDB"
  tikv:
    baseImage: pingcap/tikv
    replicas: 1
    requests:
      storage: "1Gi"
    config:
      security:
        cert-allowed-cn:
          - "TiDB"
          - "tikv"
  tidb:
    baseImage: pingcap/tidb
    replicas: 1
    service:
      type: ClusterIP
    config:
      security:
        cluster-verify-cn:
          - "TiDB"
          - "tidb2"
  pump:
    baseImage: pingcap/tidb-binlog
    replicas: 1
    requests:
      storage: 10Gi
    config:
      security:
        cert-allowed-cn:
          - "TiDB"
          - "Pump"

Pump failed to start, because the config generated was wrong:

[2020/03/27 06:35:22.605 +00:00] [FATAL] [main.go:41] ["verifying flags failed. See 'pump --help'."] [error="Near line 4 (last key parsed ''): Key 'security' has already been defined."] [errorVerbose="Near line 4 (last key parsed ''): Key 'security' has already been defined.\ngithub.com/pingcap/errors.AddStack\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20190809092503-95897b64e011/errors.go:174\ngithub.com/pingcap/errors.Trace\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20190809092503-95897b64e011/juju_adaptor.go:15\ngithub.com/pingcap/tidb-binlog/pkg/util.StrictDecodeFile\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/src/github.com/pingcap/tidb-binlog/pkg/util/util.go:197\ngithub.com/pingcap/tidb-binlog/pump.(*Config).configFromFile\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/src/github.com/pingcap/tidb-binlog/pump/config.go:177\ngithub.com/pingcap/tidb-binlog/pump.(*Config).Parse\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/src/github.com/pingcap/tidb-binlog/pump/config.go:141\nmain.main\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/src/github.com/pingcap/tidb-binlog/cmd/pump/main.go:40\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357"] [stack="github.com/pingcap/log.Fatal\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/pkg/mod/github.com/pingcap/log@v0.0.0-20200117041106-d28c14d3b1cd/global.go:59\nmain.main\n\t/home/jenkins/agent/workspace/release_tidb_3.1/go/src/github.com/pingcap/tidb-binlog/cmd/pump/main.go:41\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"]

# kubectl get cm -n cluster-tls cluster-tls-pump -oyaml
apiVersion: v1
data:
  pump-config: |-
    [security]
      cert-allowed-cn = ["TiDB", "Pump"]

    [security]
    ssl-ca = "/var/lib/pump-tls/ca.crt"
    ssl-cert = "/var/lib/pump-tls/tls.crt"
    ssl-key = "/var/lib/pump-tls/tls.key"
kind: ConfigMap
metadata:
  creationTimestamp: "2020-03-27T06:33:01Z"
  labels:
    app.kubernetes.io/component: pump
    app.kubernetes.io/instance: cluster-tls
    app.kubernetes.io/managed-by: tidb-operator
    app.kubernetes.io/name: tidb-cluster
  name: cluster-tls-pump
  namespace: cluster-tls
  ownerReferences:
  - apiVersion: pingcap.com/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: TidbCluster
    name: cluster-tls
    uid: 2a2961fe-a597-4360-aeb9-88d5b7559a91
  resourceVersion: "15275"
  selfLink: /api/v1/namespaces/cluster-tls/configmaps/cluster-tls-pump
  uid: c8afcf8f-cad9-4e49-9a4e-4f08599bdef3

[weekface]

fixed by #2061