backend: keep backend TLS config consistent with frontend TLS config #303

Merged
merged 2 commits into from
Jun 6, 2023

djshow832
Collaborator

@djshow832 djshow832 commented Jun 6, 2023

What problem does this PR solve?

Issue Number: close #302

Problem Summary:
Currently, the TLS config between client and TiProxy is specified by the client, and the TLS between TiProxy and TiDB is always disabled.

In the current implementation, the TLS config between TiProxy and TiDB is specified by TiProxy config. However, what we want is to keep it consistent with client -> TiProxy. That is:

  • If client -> TiProxy is enabled, TiProxy -> TiDB is also enabled
  • If client -> TiProxy is disabled, TiProxy -> TiDB is also disabled

What is changed and how it works:
Enable TLS between TiProxy and TiDB when:

  • client enables TLS
  • proxy configured TLS certs
  • backend supports TLS

This is compatible with both serverless and dedicated tiers.

However, this makes RequireBackendTLS sometimes useless: it requires TLS from the backend but it doesn't need TLS.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Notable changes

  • Has configuration change
  • Has HTTP API interfaces change
  • Has tiproxyctl change
  • Other user behavior changes

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

@djshow832 djshow832 requested a review from xhebox June 6, 2023 08:05
@djshow832 djshow832 changed the title enable tls according to client backend: keep backend TLS config consistent with frontend TLS config Jun 6, 2023
@djshow832 djshow832 merged commit 95c9c3c into pingcap:main Jun 6, 2023
@djshow832 djshow832 deleted the ssl branch June 6, 2023 09:19
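The three conditions in the PR description, as an added example that is not TiProxy's own code: a MySQL-protocol backend advertises TLS support through the CLIENT_SSL capability bit in its initial handshake packet, so the sketch parses that bit and then applies the rule. All function names are hypothetical, the handshake bytes are constructed, and the handling of `RequireBackendTLS` is an assumption based on the description's remark that it requires TLS from the backend even when TLS is not needed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const clientSSL = 0x0800 // CLIENT_SSL bit in the MySQL capability flags

// backendSupportsTLS parses a HandshakeV10 payload (4-byte packet header
// already stripped) and reports whether the server advertises CLIENT_SSL.
func backendSupportsTLS(payload []byte) (bool, error) {
	if len(payload) < 1 || payload[0] != 10 {
		return false, errors.New("not a HandshakeV10 packet")
	}
	end := bytes.IndexByte(payload[1:], 0) // server version is NUL-terminated
	if end < 0 {
		return false, errors.New("unterminated server version")
	}
	off := 1 + end + 1 + 4 + 8 + 1 // past version, NUL, conn id, auth data, filler
	if len(payload) < off+2 {
		return false, errors.New("truncated handshake")
	}
	return binary.LittleEndian.Uint16(payload[off:])&clientSSL != 0, nil
}

// useBackendTLS applies the three conditions from the PR description. Assumption:
// requireBackendTLS rejects a non-TLS backend even when the session stays plaintext.
func useBackendTLS(clientTLS, proxyHasCerts, requireBackendTLS, backendTLS bool) (bool, error) {
	if requireBackendTLS && !backendTLS {
		return false, errors.New("backend does not support TLS")
	}
	return clientTLS && proxyHasCerts && backendTLS, nil
}

// sampleHandshake builds a constructed handshake with the given low capability bits.
func sampleHandshake(caps uint16) []byte {
	p := append([]byte{10}, "8.0.11-TiDB\x00"...) // protocol version, server version
	p = append(p, 1, 0, 0, 0)                     // connection id
	p = append(p, "abcdefgh\x00"...)              // auth-plugin-data part 1, filler
	return append(p, byte(caps), byte(caps>>8))
}

func main() {
	tlsCap, _ := backendSupportsTLS(sampleHandshake(0xffff))
	fmt.Println(useBackendTLS(true, true, false, tlsCap))
}
```

Under the rule as modelled here, a TLS client paired with a backend that does not advertise CLIENT_SSL gets a plaintext backend hop unless `RequireBackendTLS` is set, which is the case worth covering in review and tests.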
Successfully merging this pull request may close these issues.

Dynamic Specification of TLS or Non-TLS Communication