Add basic TLS support for TiDB cluster #750
Changes from all commits
f31172f
5bb2384
99956b7
84cc8bd
71bf08d
ecfe87e
926073e
e4b319a
4da9be3
451011a
b6cd879
030a04c
b392aa2
4b27ddd
665e2fa
57ff597
d8e982e
4f9bea5
04a9b59
0602bb5
eea2feb
7d9d03b
990b357
7f1e876
0dca5a7
eb628d7
Should we support users configuring their own MySQL certificates? Users may want to configure an existing certificate in the new cluster.
cc @tennix @weekface What do you think?
One case is when a user migrates a MySQL instance which already has TLS enabled but doesn't want to update application certificates. The user must configure existing certificates in tidb-server.
If we're going to support this, do we need to support users configuring a secret with an arbitrary name?
I'm thinking about the same thing too, but AFAIK we don't have any plan to support custom certs yet. If we do, custom CA importing would also need to be added, and we would need to validate user-uploaded certs to ensure they are signed by the uploaded CA. That would need more code changes and seems better suited to another PR.
Agree. However, it doesn't seem right to use the cluster TLS certs as tidb-server's TLS server certs for MySQL clients. Should this PR focus on cluster TLS support only?
Since we do not support custom certs now, I don't think it is necessary to expose these parameters to the user; that would only confuse them or lead to misconfiguration.
IIRC, have you changed the way the certs are injected, by injecting certs in the program instead of mounting certs into the pod?
Yes, it's been changed in #782
Do we need to create the client-tls secret manually?
As of this PR, yes, and the cert needs to be signed by the k8s CA via kubectl certificate approve, as described in the PR OP. PR #782 implements the automatic process of generating certs.
Make this optional; otherwise, it will fail when users don't need to enable TLS.