pingcap · sre-bot · Apr 7, 2020 · Mar 31, 2020 · Mar 31, 2020 · Mar 31, 2020
diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
@@ -2894,6 +2894,55 @@ CrdKind
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.DashboardConfig">DashboardConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.PDConfig">PDConfig</a>)
+</p>
+<p>
+<p>DashboardConfig is the configuration for tidb-dashboard.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>tidb_cacert_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>tidb_cert_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>tidb_key_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.Experimental">Experimental
 </h3>
 <p>
@@ -4104,6 +4153,19 @@ namespaces.
 Optional: Defaults to true</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>dashboard</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.DashboardConfig">
+DashboardConfig
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.PDFailureMember">PDFailureMember

diff --git a/examples/selfsigned-tls/tidb-client-cert.yaml b/examples/selfsigned-tls/tidb-client-cert.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: tidb-client-cert
+spec:
+  secretName: tls-tidb-client-secret # <cluster>-tidb-client-secret
+  subject:
+    organizationalUnits:
+      - "TiDB Operator"
+  organization:
+    - "PingCAP"
+  duration: "8760h" # 364 days
+  # If you want verify server cert Common Name (e.g. --ssl-verify-server-cert
+  # flag in MySQL CLI), you must configure the HostName you used to connect the
+  # server here.
+  commonName: "tls-tidb-client"
+  usages:
+    - "client auth"
+  issuerRef:
+    name: selfsigned-cert-issuer
+    kind: Issuer
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -1344,6 +1344,7 @@ spec:
                       type: string
                     cluster-version:
                       type: string
+                    dashboard: {}
                     election-interval:
                       description: ElectionInterval is the interval for etcd Raft
                         election.

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/pd_config.go b/pkg/apis/pingcap/v1alpha1/pd_config.go
@@ -118,6 +118,16 @@ type PDConfig struct {
 	// Optional: Defaults to true
 	// +optional
 	NamespaceClassifier string `toml:"namespace-classifier,omitempty" json:"namespace-classifier,omitempty"`
+
+	// +optional
+	Dashboard *DashboardConfig `toml:"dashboard,omitempty" json:"dashboard,omitempty"`
+}
+
+// DashboardConfig is the configuration for tidb-dashboard.
+type DashboardConfig struct {
+	TiDBCAPath   string `toml:"tidb-cacert-path,omitempty" json:"tidb_cacert_path,omitempty"`
+	TiDBCertPath string `toml:"tidb-cert-path,omitempty" json:"tidb_cert_path,omitempty"`
+	TiDBKeyPath  string `toml:"tidb-key-path,omitempty" json:"tidb_key_path,omitempty"`
 }
 
 // PDLogConfig serializes log related config in toml/json.

diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/manager/member/pd_member_manager.go b/pkg/manager/member/pd_member_manager.go
@@ -38,7 +38,8 @@ import (
 
 const (
 	// pdClusterCertPath is where the cert for inter-cluster communication stored (if any)
-	pdClusterCertPath = "/var/lib/pd-tls"
+	pdClusterCertPath  = "/var/lib/pd-tls"
+	tidbClientCertPath = "/var/lib/tidb-client-tls"
 )
 
 type pdMemberManager struct {
@@ -513,6 +514,11 @@ func getNewPDSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (
 			Name: "pd-tls", ReadOnly: true, MountPath: "/var/lib/pd-tls",
 		})
 	}
+	if tc.Spec.TiDB.IsTLSClientEnabled() {
+		volMounts = append(volMounts, corev1.VolumeMount{
+			Name: "tidb-client-tls", ReadOnly: true, MountPath: tidbClientCertPath,
+		})
+	}
 
 	vols := []corev1.Volume{
 		annVolume,
@@ -546,6 +552,15 @@ func getNewPDSetForTidbCluster(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (
 			},
 		})
 	}
+	if tc.Spec.TiDB.IsTLSClientEnabled() {
+		vols = append(vols, corev1.Volume{
+			Name: "tidb-client-tls", VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.TiDBClientTLSSecretName(tc.Name),
+				},
+			},
+		})
+	}
 
 	storageRequest, err := controller.ParseStorageRequest(tc.Spec.PD.Requests)
 	if err != nil {
@@ -688,6 +703,14 @@ func getPDConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
 		config.Security.CertPath = path.Join(pdClusterCertPath, corev1.TLSCertKey)
 		config.Security.KeyPath = path.Join(pdClusterCertPath, corev1.TLSPrivateKeyKey)
 	}
+	if tc.Spec.TiDB.IsTLSClientEnabled() {
+		if config.Dashboard == nil {
+			config.Dashboard = &v1alpha1.DashboardConfig{}
+		}
+		config.Dashboard.TiDBCAPath = path.Join(tidbClientCertPath, tlsSecretRootCAKey)
+		config.Dashboard.TiDBCertPath = path.Join(tidbClientCertPath, corev1.TLSCertKey)
+		config.Dashboard.TiDBKeyPath = path.Join(tidbClientCertPath, corev1.TLSPrivateKeyKey)
+	}
 
 	confText, err := MarshalTOML(config)
 	if err != nil {