add more SANs to tidb server certificate

pingcap · Feb 14, 2020 · 056339d · 056339d
1 parent 87f2acf
commit 056339d
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/charts/tidb-cluster/templates/tidb-cluster.yaml b/charts/tidb-cluster/templates/tidb-cluster.yaml
@@ -93,6 +93,18 @@ spec:
     maxFailoverCount: {{ .Values.tikv.maxFailoverCount | default 3 }}
   tidb:
     enableTLSClient: {{ .Values.tidb.enableTLSClient | default false }}
+  {{- if .Values.tidb.extraSANIPList }}
+    extraSANIPList:
+    {{- range .Values.tidb.extraSANIPList }}
+    - {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.tidb.extraSANDomain }}
+    extraSANDomain:
+    {{- range .Values.tidb.extraSANDomain }}
+    - {{ . }}
+    {{- end }}
+  {{- end }}
     replicas: {{ .Values.tidb.replicas }}
     image: {{ .Values.tidb.image }}
     imagePullPolicy: {{ .Values.tidb.imagePullPolicy | default "IfNotPresent" }}

diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml
@@ -432,6 +432,14 @@ tidb:
   # automatically.
   # Note: TLS connection is not forced on the server side, plain connections are also accepted after enableing.
   enableTLSClient: false
+  # # extra SAN IP list when you set tidb.enableTLSClient to true
+  # extraSANIPList:
+  #   - 1.1.1.1
+  #   - 2.2.2.2
+  # # extra SAN Domain when you set tidb.enableTLSClient to true
+  # extraSANDomain:
+  #   - example1.com
+  #   - example2.com
 
 # mysqlClient is used to set password for TiDB
 # it must has Python MySQL client installed

diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
@@ -312,6 +312,12 @@ type TiDBSpec struct {
 	// +optional
 	EnableTLSClient *bool `json:"enableTLSClient,omitempty"`
 
+	// extra SAN IP list when setting EnableTLSClient to true
+	ExtraSANIPList []string `json:"extraSANIPList,omitempty"`
+
+	// extra SAN Domain when setting EnableTLSClient to true
+	ExtraSANDomain []string `json:"extraSANDomain,omitempty"`
+
 	// The spec of the slow log tailer sidecar
 	// +optional
 	SlowLogTailer *TiDBSlowLogTailerSpec `json:"slowLogTailer,omitempty"`

diff --git a/pkg/manager/member/tidb_member_manager.go b/pkg/manager/member/tidb_member_manager.go
@@ -241,8 +241,11 @@ func (tmm *tidbMemberManager) syncTiDBClusterCerts(tc *v1alpha1.TidbCluster) err
 		svcName,
 		peerName,
 		fmt.Sprintf("%s.%s", svcName, ns),
+		fmt.Sprintf("%s.%s.svc", svcName, ns),
 		fmt.Sprintf("%s.%s", peerName, ns),
+		fmt.Sprintf("%s.%s.svc", peerName, ns),
 		fmt.Sprintf("*.%s.%s", peerName, ns),
+		fmt.Sprintf("*.%s.%s.svc", peerName, ns),
 	}
 
 	ipList := []string{
@@ -268,22 +271,41 @@ func (tmm *tidbMemberManager) syncTiDBServerCerts(tc *v1alpha1.TidbCluster) erro
 	suffix := "tidb-server"
 	ns := tc.GetNamespace()
 	tcName := tc.GetName()
-	svcName := fmt.Sprintf("%s-%s", tcName, suffix)
+	svcName := controller.TiDBMemberName(tcName)
 
 	if tmm.certControl.CheckSecret(ns, svcName) {
 		return nil
 	}
 
+	svc, err := tmm.svcLister.Services(ns).Get(svcName)
+	if err != nil {
+		return err
+	}
+
 	hostList := []string{
 		svcName,
 		fmt.Sprintf("%s.%s", svcName, ns),
+		fmt.Sprintf("%s.%s.svc", svcName, ns),
+		"localhost",
+	}
+	if len(tc.Spec.TiDB.ExtraSANDomain) != 0 {
+		hostList = append(hostList, tc.Spec.TiDB.ExtraSANDomain...)
+	}
+
+	ipList := []string{
+		"127.0.0.1", "::1",
+		svc.Spec.ClusterIP,
+	}
+	if len(tc.Spec.TiDB.ExtraSANIPList) != 0 {
+		ipList = append(ipList, tc.Spec.TiDB.ExtraSANIPList...)
 	}
 
 	certOpts := &controller.TiDBClusterCertOptions{
 		Namespace:  ns,
 		Instance:   tcName,
 		CommonName: svcName,
 		HostList:   hostList,
+		IPList:     ipList,
 		Component:  "tidb",
 		Suffix:     suffix,
 	}