Add basic TLS support for TiDB cluster

[AstroProfundis]

What problem does this PR solve?

Add basic TLS support for TiDB cluster.

When creating new TiDB cluster, set enableTLSServer to true will enable the TLS encryption feature in PD/TiDB/TiKV.

Setting enableTLSClient to true will enable support of TLS encrypted connection from MySQL client.

What is changed and how does it work?

Server certs are placed in Secrets with the same namespace as the cluster, and named <release-name>-{pd, tidb, tikv}, client certs are placed in Secrets with the same namespace as the cluster, and named client-tls, another client cert is placed in TiDB Operator's namespace and named client-tls.

All certs are signed by the CA of the Kubernetes cluster.

All client requests (from operator) are modified to support TLS encrypted connections.

Check List

Tests

• Manual test (add detailed scripts or steps below)

Manually validated on internal testing k8s cluster.

Known Issues

• Does not support of switching enableTLSServer on/off after creation of cluster
• gRPC uses unencrypted connections between multiple PDs, this might be an issue of cert generation and is still under investigation

Code changes

• Has Helm charts change
• Has Go code change

Related changes

• Need to update the documentation after all works are done

Does this PR introduce a user-facing change?:

Add basic support of TLS encrypted connections in TiDB cluster

[weekface]

/run-e2e-in-kind

[CLAassistant]

All committers have signed the CLA.

[gregwebs]

Where are the certs generated?

[AstroProfundis]

@gregwebs As of this PR, certs are generated manually, I'm working on an auto-generating feature for necessary certs

@cofyc It doesn't matter, PD accepts any valid certs that signed by the same CA as server (the k8s CA in this case), so controller can use one client cert for all TiDB clusters

[gregwebs]

@AstroProfundis cert-manager is widely used for certificate generation and management and is working well for me now: https://docs.cert-manager.io/en/latest/tasks/issuers/index.html

[AstroProfundis]

@tennix @cofyc @weekface PTAL

The basic process is working with this PR with some limitations:

• Secrets that store the certs need to be manually added (and certs are manually issued with k8s' certificate management facility as well)
• Only 1 PD replica is working at present, no limitations for TiDB and TiKV

Automatically management of certs should be added in another PR (still WIP), and the known multi-PD connectivity issue is still under investigation, not likely to be fixed in this PR.

[tennix]

LGTM

[tennix]

/run-e2e-in-kind

[onlymellb]

IIRC, have you changed the way the certs was injected, by injecting certs in the program instead of mount certs into pod?

[AstroProfundis]

Yes, it's been changed in #782

[weekface]

Do we need to create the client-tls secret manually?

[AstroProfundis]

As of this PR, Yes, and the cert need to be signed by the k8s CA by kubectl certificate approve, as described in the PR OP.

PR #782 implements the automatic process of generating certs.

[cofyc]

make this optional, otherwise, it will fail when users don't need to enable TLS

[onlymellb]

Some problem with func NewDefaultTiDBControl

[AstroProfundis]

The logic of NewPDClient is changed in #782 and does not have this issue anymore

[onlymellb]

But func NewDefaultTiDBControl still has this problem

[AstroProfundis]

NewDefaultTiDBControl has been changed in the latest commit 7d9d03b

[cofyc]

/run-e2e-test

[cofyc]

/run-e2e-test

[weekface]

/run-e2e-in-kind