

add tls support between drainer and downstream database server (#2993)
* add tls support between drainer and downstream database server
lichunzhu authored Jul 22, 2020
1 parent 64ee732 commit 741b18e
Showing 3 changed files with 76 additions and 0 deletions.
22 changes: 22 additions & 0 deletions charts/tidb-drainer/templates/_helpers.tpl
Expand Up @@ -27,6 +27,28 @@ config-file: |-
cert-allowed-cn = {{ .Values.tlsCluster.certAllowedCN | toJson }}
{{- end -}}
{{- end -}}
{{- if .Values.tlsSyncer }}
{{- if .Values.tlsSyncer.tlsClientSecretName }}
[syncer.to.security]
ssl-ca = "/var/lib/drainer-syncer-tls/ca.crt"
ssl-cert = "/var/lib/drainer-syncer-tls/tls.crt"
ssl-key = "/var/lib/drainer-syncer-tls/tls.key"
{{- if .Values.tlsSyncer.certAllowedCN }}
cert-allowed-cn = {{ .Values.tlsSyncer.certAllowedCN | toJson }}
{{- end -}}
{{- end -}}
{{- if .Values.tlsSyncer.checkpoint }}
{{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
[syncer.to.checkpoint.security]
ssl-ca = "/var/lib/drainer-syncer-checkpoint-tls/ca.crt"
ssl-cert = "/var/lib/drainer-syncer-checkpoint-tls/tls.crt"
ssl-key = "/var/lib/drainer-syncer-checkpoint-tls/tls.key"
{{- end -}}
{{- if .Values.tlsSyncer.checkpoint.certAllowedCN }}
cert-allowed-cn = {{ .Values.tlsSyncer.checkpoint.certAllowedCN | toJson }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "drainer-configmap.name" -}}
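Review bot: In the checkpoint branch the guard `{{- if .Values.tlsSyncer.checkpoint.certAllowedCN }}` sits outside the `tlsClientSecretName` guard that emits the `[syncer.to.checkpoint.security]` table, unlike the syncer branch a few lines up, where `cert-allowed-cn` is nested inside the guard that emits `[syncer.to.security]`. If a user sets `tlsSyncer.checkpoint.certAllowedCN` without `tlsSyncer.checkpoint.tlsClientSecretName`, the `cert-allowed-cn = …` line is rendered with no table header of its own and lands in whichever TOML table precedes it (`[syncer.to.security]` or `[security]`), silently replacing that connection's CN allow-list. Move the three `certAllowedCN` lines above the inner `{{- end -}}` so they can only appear under `[syncer.to.checkpoint.security]`, mirroring the syncer branch. The `config-file` block this hunk extends starts before the hunk.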
28 changes: 28 additions & 0 deletions charts/tidb-drainer/templates/drainer-statefulset.yaml
Expand Up @@ -55,6 +55,20 @@ spec:
mountPath: /var/lib/drainer-tls
readOnly: true
{{- end }}
{{- if .Values.tlsSyncer }}
{{- if .Values.tlsSyncer.tlsClientSecretName }}
- name: drainer-syncer-tls
mountPath: /var/lib/drainer-syncer-tls
readOnly: true
{{- end }}
{{- if .Values.tlsSyncer.checkpoint }}
{{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
- name: drainer-syncer-checkpoint-tls
mountPath: /var/lib/drainer-syncer-checkpoint-tls
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- if and (ne .Values.timezone "UTC") (ne .Values.timezone "") }}
env:
- name: TZ
Expand All @@ -74,6 +88,20 @@ spec:
secret:
secretName: {{ include "drainer.tlsSecretName" . }}
{{- end }}
{{- if .Values.tlsSyncer }}
{{- if .Values.tlsSyncer.tlsClientSecretName }}
- name: drainer-syncer-tls
secret:
secretName: {{ .Values.tlsSyncer.tlsClientSecretName }}
{{- end }}
{{- if .Values.tlsSyncer.checkpoint }}
{{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
- name: drainer-syncer-checkpoint-tls
secret:
secretName: {{ .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
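Review bot: The two new Secret volumes, `drainer-syncer-tls` and `drainer-syncer-checkpoint-tls`, carry a client private key (`tls.key`) but set no `defaultMode`, so the files are projected with the Secret volume default of 0644 and are readable by every user in the container; this mirrors the existing `drainer-tls` volume rather than being a regression, but for key material consider `defaultMode: 0400` on both (and, for consistency, on `drainer-tls`), or `0440` together with a pod `fsGroup` if the drainer process does not run as the file owner — I cannot see the securityContext from this hunk. Quoting the templated names, `secretName: {{ .Values.tlsSyncer.tlsClientSecretName | quote }}`, would also guard against a value that YAML retypes. The `volumeMounts` and `volumes` lists these hunks extend begin before the hunks.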
26 changes: 26 additions & 0 deletions charts/tidb-drainer/values.yaml
Expand Up @@ -48,6 +48,32 @@ tlsCluster:
certAllowedCN: []
# - TiDB

# The TLS config between drainer and the downstream database server (MySQL/TiDB)
tlsSyncer: {}
# The steps to enable this feature:
# 1. Create one secret object which contains the certificates for the downstream database server.
# For example: kubectl create secret generic ${downstream_database_secret_name} --namespace=${namespace} --from-file=tls.crt=client.pem --from-file=tls.key=client-key.pem --from-file=ca.crt=ca.pem
# 2. Then set `tlsSyncer.tlsClientSecretName` to `${downstream_database_secret_name}`.
# tlsClientSecretName: ${downstream_database_secret_name}
# certAllowedCN is the Common Name that allowed
# certAllowedCN:
# - TiDB

# checkpoint is the TLS config for the database you save binlog checkpoint.
# By default, Drainer will use downstream to save binlog checkpoint,
# so you do not need to configure [syncer.to.checkpoint.type] and
# you do not need to configure the `checkpoint` below.
# You have to configure this field only if you want to save binlog checkpoint
# to ** another database which has enabled TLS **.
# The steps to enable this feature is similar with those to enable tlsSyncer.tlsClientSecretName,
# which means you need to create one secret object containing the certificates for
# the checkpoint database and then set `checkpoint.tlsClientSecretName`.
# checkpoint:
# tlsClientSecretName: ${checkpoint_tidb_client_secret}
# certAllowedCN is the Common Name that allowed
# certAllowedCN:
# - TiDB

# Refer to https://github.com/pingcap/tidb-binlog/blob/master/cmd/drainer/drainer.toml
# [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
config: |
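Review bot: The commented line `# certAllowedCN is the Common Name that allowed`, repeated in the `tlsSyncer` and `checkpoint` sections, is ungrammatical and does not say which certificate the CN is checked against or what an empty list means. Since the helper renders it as `cert-allowed-cn` under `[syncer.to.security]`, it presumably restricts which Common Names the drainer accepts in the downstream server's certificate; I would replace it with `# certAllowedCN lists the Common Names accepted in the downstream server's certificate (any CN signed by the CA is accepted when empty)`, and the checkpoint copy with the same wording for the checkpoint database, after confirming the empty-list behaviour against the drainer.toml reference linked below. The secret created in step 1 must carry all three keys `ca.crt`, `tls.crt` and `tls.key`, because the helper hard-codes those file names; stating that next to the `kubectl create secret` example would save a failed rollout.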
