From 561f9ed25fec78ee3d3e85f52b294fd6584d6cdb Mon Sep 17 00:00:00 2001
From: weekface
Date: Tue, 31 Mar 2020 16:10:15 +0800
Subject: [PATCH 1/4] support pd dashboard config
---
 docs/api-references/docs.html | 62 +++++++++++++++++++
 manifests/crd.yaml | 1 +
 .../pingcap/v1alpha1/openapi_generated.go | 7 ++-
 pkg/apis/pingcap/v1alpha1/pd_config.go | 10 +++
 .../pingcap/v1alpha1/zz_generated.deepcopy.go | 21 +++++++
 pkg/manager/member/pd_member_manager.go | 25 +++++++-
 6 files changed, 124 insertions(+), 2 deletions(-)
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index ccdbf13214..f04aa0959a 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -2888,6 +2888,55 @@

CrdKinds +

DashboardConfig +

+

+(Appears on: +PDConfig) +

+

+

DashboardConfig is the configuration for tidb-dashboard.

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+tidb_cacert_path
+ +string + +
+
+tidb_cert_path
+ +string + +
+
+tidb_key_path
+ +string + +
+

Experimental

@@ -4098,6 +4147,19 @@

PDConfig Optional: Defaults to true

+ + +dashboard
+ + +DashboardConfig + + + + +(Optional) + +

PDFailureMember
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
index 289f1e06fb..18e920ec23 100644
--- a/manifests/crd.yaml
+++ b/manifests/crd.yaml
@@ -1344,6 +1344,7 @@ spec:
 type: string
 cluster-version:
 type: string
+ dashboard: {}
 election-interval:
 description: ElectionInterval is the interval for etcd Raft election.
diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
index 7639d254b2..690bcd5488 100644
--- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go
+++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
@@ -1674,11 +1674,16 @@ func schema_pkg_apis_pingcap_v1alpha1_PDConfig(ref common.ReferenceCallback) com Format: "", }, }, + "dashboard": { + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.DashboardConfig"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDLogConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDMetricConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDNamespaceConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDReplicationConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDScheduleConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDSecurityConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDServerConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDStoreLabel"}, + "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.DashboardConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDLogConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDMetricConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDNamespaceConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDReplicationConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDScheduleConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDSecurityConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDServerConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.PDStoreLabel"}, } }
diff --git a/pkg/apis/pingcap/v1alpha1/pd_config.go b/pkg/apis/pingcap/v1alpha1/pd_config.go
index 29b56875dd..f3b2e6612f 100644
--- a/pkg/apis/pingcap/v1alpha1/pd_config.go
+++ b/pkg/apis/pingcap/v1alpha1/pd_config.go
@@ -118,6 +118,16 @@ type PDConfig struct {
 // Optional: Defaults to true
 // +optional
 NamespaceClassifier string `toml:"namespace-classifier,omitempty" json:"namespace-classifier,omitempty"`
+
+ // +optional
+ Dashboard *DashboardConfig `toml:"dashboard,omitempty" json:"dashboard,omitempty"`
+}
+
+// DashboardConfig is the configuration for tidb-dashboard.
+type DashboardConfig struct {
+ TiDBCAPath string `toml:"tidb-cacert-path,omitempty" json:"tidb_cacert_path,omitempty"`
+ TiDBCertPath string `toml:"tidb-cert-path,omitempty" json:"tidb_cert_path,omitempty"`
+ TiDBKeyPath string `toml:"tidb-key-path,omitempty" json:"tidb_key_path,omitempty"`
 }
 
 // PDLogConfig serializes log related config in toml/json.
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index c845be403b..c459e24d98 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
@@ -594,6 +594,22 @@ func (in *CrdKinds) DeepCopy() *CrdKinds { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DashboardConfig) DeepCopyInto(out *DashboardConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardConfig. +func (in *DashboardConfig) DeepCopy() *DashboardConfig { + if in == nil { + return nil + } + out := new(DashboardConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DataResource) DeepCopyInto(out *DataResource) { *out = *in
@@ -1104,6 +1120,11 @@ func (in *PDConfig) DeepCopyInto(out *PDConfig) { } } } + if in.Dashboard != nil { + in, out := &in.Dashboard, &out.Dashboard + *out = new(DashboardConfig) + **out = **in + } return }
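Review bot: `DashboardConfig` and its three fields carry no doc comments, and their json tags (`tidb_cacert_path`) are snake_case while the neighbouring `NamespaceClassifier` field and the toml tags are kebab-case, so the generated API reference shows `tidb_cacert_path` beside `namespace-classifier`. If the snake_case deliberately mirrors PD's own config struct, a comment saying so would stop the next reader from "fixing" it; otherwise align the json tags with the rest of `PDConfig`. Each field should also say what the operator does with it, e.g. `// TiDBCAPath is the CA certificate tidb-dashboard uses to verify TiDB; when TiDB client TLS is enabled the operator points all three paths at the mounted tidb-client-tls secret, overriding any user value.` and carry `// +optional` like the other optional fields in this struct. `PDConfig` itself starts outside the hunk.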
diff --git a/pkg/manager/member/pd_member_manager.go b/pkg/manager/member/pd_member_manager.go
index ac78b88342..ed63494dd5 100644
--- a/pkg/manager/member/pd_member_manager.go
+++ b/pkg/manager/member/pd_member_manager.go
@@ -38,7 +38,8 @@ import (
 
 const (
 // pdClusterCertPath is where the cert for inter-cluster communication stored (if any)
- pdClusterCertPath = "/var/lib/pd-tls"
+ pdClusterCertPath = "/var/lib/pd-tls"
+ tidbClientCertPath = "/var/lib/tidb-client-tls"
 )
 
 type pdMemberManager struct {
@@ -513,6 +514,11 @@ func getNewPDSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (
 Name: "pd-tls", ReadOnly: true, MountPath: "/var/lib/pd-tls",
 })
 }
+ if tc.Spec.TiDB.IsTLSClientEnabled() {
+ volMounts = append(volMounts, corev1.VolumeMount{
+ Name: "tidb-client-tls", ReadOnly: true, MountPath: "/var/lib/tidb-client-tls",
+ })
+ }
 
 vols := []corev1.Volume{
 annVolume,
@@ -546,6 +552,15 @@ func getNewPDSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (
 },
 })
 }
+ if tc.Spec.TiDB.IsTLSClientEnabled() {
+ vols = append(vols, corev1.Volume{
+ Name: "tidb-client-tls", VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: util.TiDBClientTLSSecretName(tc.Name),
+ },
+ },
+ })
+ }
 
 storageRequest, err := controller.ParseStorageRequest(tc.Spec.PD.Requests)
 if err != nil {
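Review bot: The new `tidb-client-tls` volume mounts `util.TiDBClientTLSSecretName(tc.Name)` — the cluster's TiDB client certificate and private key — into every PD replica, which widens the set of pods holding that key well beyond the component that actually needs it (tidb-dashboard inside PD). If that same secret is also what other components or users present to TiDB (its other consumers are not visible here), the dashboard's identity becomes indistinguishable from theirs and cannot be rotated or revoked on its own, so a dedicated client certificate for the dashboard would make the trust boundary explicit. At minimum a comment above the block should state why a PD StatefulSet mounts a TiDB secret, e.g. `// tidb-dashboard is served by PD and needs the TiDB client cert/key to reach TiDB when client TLS is enabled`. `getNewPDSetForTidbCluster` starts and ends outside the hunk.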
@@ -688,6 +703,14 @@ func getPDConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
 config.Security.CertPath = path.Join(pdClusterCertPath, corev1.TLSCertKey)
 config.Security.KeyPath = path.Join(pdClusterCertPath, corev1.TLSPrivateKeyKey)
 }
+ if tc.Spec.TiDB.IsTLSClientEnabled() {
+ if config.Dashboard == nil {
+ config.Dashboard = &v1alpha1.DashboardConfig{}
+ }
+ config.Dashboard.TiDBCAPath = path.Join(tidbClientCertPath, tlsSecretRootCAKey)
+ config.Dashboard.TiDBCertPath = path.Join(tidbClientCertPath, corev1.TLSCertKey)
+ config.Dashboard.TiDBKeyPath = path.Join(tidbClientCertPath, corev1.TLSPrivateKeyKey)
+ }
 
 confText, err := MarshalTOML(config)
 if err != nil {
From 86d255096c30bba1366bf243b2453eca080adbc7 Mon Sep 17 00:00:00 2001
From: weekface
Date: Tue, 31 Mar 2020 17:34:21 +0800
Subject: [PATCH 2/4] Update pkg/manager/member/pd_member_manager.go
Co-Authored-By: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com>
---
 pkg/manager/member/pd_member_manager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/manager/member/pd_member_manager.go b/pkg/manager/member/pd_member_manager.go
index ed63494dd5..71af3e745b 100644
--- a/pkg/manager/member/pd_member_manager.go
+++ b/pkg/manager/member/pd_member_manager.go
@@ -516,7 +516,7 @@ func getNewPDSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (
 }
 if tc.Spec.TiDB.IsTLSClientEnabled() {
 volMounts = append(volMounts, corev1.VolumeMount{
- Name: "tidb-client-tls", ReadOnly: true, MountPath: "/var/lib/tidb-client-tls",
+ Name: "tidb-client-tls", ReadOnly: true, MountPath: tidbClientCertPath,
 })
 }
 
From 966b99ae16dbc3d94ff0874388113b1d5f8476d1 Mon Sep 17 00:00:00 2001
From: weekface
Date: Thu, 2 Apr 2020 16:39:54 +0800
Subject: [PATCH 3/4] fix ci
---
 examples/selfsigned-tls/tidb-server-cert.yaml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
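Review bot: When `tc.Spec.TiDB.IsTLSClientEnabled()` is true the three `config.Dashboard` path fields are assigned unconditionally, so any `tidb_cacert_path`/`tidb_cert_path`/`tidb_key_path` a user placed in `spec.pd.config.dashboard` is silently replaced by the operator's mount paths, while with client TLS disabled the same user values pass through untouched. Overriding is probably correct (the files only exist under `tidbClientCertPath`), but nothing tells the user it happens or why their setting had no effect. Document it on the `Dashboard` field of `PDConfig` (`// When TiDB client TLS is enabled the operator sets the three tidb-* paths to the mounted secret, overriding user values`) or, since a hand-set value is most likely a misconfiguration, log when a non-empty user value is being overwritten. `getPDConfigMap` starts and ends outside the hunk.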
diff --git a/examples/selfsigned-tls/tidb-server-cert.yaml b/examples/selfsigned-tls/tidb-server-cert.yaml
index 6580dc5091..ac9eb1d147 100644
--- a/examples/selfsigned-tls/tidb-server-cert.yaml
+++ b/examples/selfsigned-tls/tidb-server-cert.yaml
@@ -20,3 +20,25 @@ spec:
 issuerRef:
 name: selfsigned-cert-issuer
 kind: Issuer
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: tidb-client-cert
+spec:
+ secretName: tls-tidb-client-secret # -tidb-client-secret
+ subject:
+ organizationalUnits:
+ - "TiDB Operator"
+ organization:
+ - "PingCAP"
+ duration: "8760h" # 364 days
+ # If you want verify server cert Common Name (e.g. --ssl-verify-server-cert
+ # flag in MySQL CLI), you must configure the HostName you used to connect the
+ # server here.
+ commonName: "tls-tidb-client"
+ usages:
+ - "client auth"
+ issuerRef:
+ name: selfsigned-cert-issuer
+ kind: Issuer
From 51b6dd5a634803dc124925c976194cfd64c72054 Mon Sep 17 00:00:00 2001
From: weekface
Date: Fri, 3 Apr 2020 11:01:45 +0800
Subject: [PATCH 4/4] address comment
---
 examples/selfsigned-tls/tidb-client-cert.yaml | 21 ++++++++++++++++++
 examples/selfsigned-tls/tidb-server-cert.yaml | 22 -------------------
 2 files changed, 21 insertions(+), 22 deletions(-)
 create mode 100644 examples/selfsigned-tls/tidb-client-cert.yaml
diff --git a/examples/selfsigned-tls/tidb-client-cert.yaml b/examples/selfsigned-tls/tidb-client-cert.yaml
new file mode 100644
index 0000000000..df740c27ed
--- /dev/null
+++ b/examples/selfsigned-tls/tidb-client-cert.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: tidb-client-cert
+spec:
+ secretName: tls-tidb-client-secret # -tidb-client-secret
+ subject:
+ organizationalUnits:
+ - "TiDB Operator"
+ organization:
+ - "PingCAP"
+ duration: "8760h" # 364 days
+ # If you want verify server cert Common Name (e.g. --ssl-verify-server-cert
+ # flag in MySQL CLI), you must configure the HostName you used to connect the
+ # server here.
+ commonName: "tls-tidb-client"
+ usages:
+ - "client auth"
+ issuerRef:
+ name: selfsigned-cert-issuer
+ kind: Issuer
diff --git a/examples/selfsigned-tls/tidb-server-cert.yaml b/examples/selfsigned-tls/tidb-server-cert.yaml
index ac9eb1d147..6580dc5091 100644
--- a/examples/selfsigned-tls/tidb-server-cert.yaml
+++ b/examples/selfsigned-tls/tidb-server-cert.yaml
@@ -20,25 +20,3 @@ spec:
 issuerRef:
 name: selfsigned-cert-issuer
 kind: Issuer
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: tidb-client-cert
-spec:
- secretName: tls-tidb-client-secret # -tidb-client-secret
- subject:
- organizationalUnits:
- - "TiDB Operator"
- organization:
- - "PingCAP"
- duration: "8760h" # 364 days
- # If you want verify server cert Common Name (e.g. --ssl-verify-server-cert
- # flag in MySQL CLI), you must configure the HostName you used to connect the
- # server here.
- commonName: "tls-tidb-client"
- usages:
- - "client auth"
- issuerRef:
- name: selfsigned-cert-issuer
- kind: Issuer
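Review bot: The comment above `commonName` in the new tidb-client-cert.yaml was copied from the server certificate and is wrong for a client certificate: `--ssl-verify-server-cert` checks the server's CN, whereas here the CN is the identity TiDB sees from the connecting client and has nothing to do with any hostname, so the note sends readers to set a value that has no effect. Replace the three comment lines with something like `# For a client certificate the commonName is the identity presented to TiDB; it does not need to match a hostname.`. The `duration: "8760h" # 364 days` comment is also off by one (8760h is 365 days), and since this is the example people copy it would be worth adding a `renewBefore` so cert-manager rotates the secret before the dashboard's mounted cert expires.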