Merge branch 'master' into yinliang/support-kms-decryption

charts/tidb-cluster/templates/_helpers.tpl

@@ -28,7 +28,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{- define "cluster.scheme" -}}
-{{ if .Values.enableTLSCluster }}https{{ else }}http{{ end }}
+{{ if and .Values.tlsCluster .Values.tlsCluster.enabled  }}https{{ else }}http{{ end }}
 {{- end -}}
 
 {{/*
@@ -41,9 +41,9 @@ config-file: |-
     {{- if .Values.pd.config }}
 {{ .Values.pd.config | indent 2 }}
     {{- end -}}
-    {{- if .Values.enableTLSCluster }}
+    {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
   [security]
-  cacert-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+  cacert-path = "/var/lib/pd-tls/ca.crt"
   cert-path = "/var/lib/pd-tls/tls.crt"
   key-path = "/var/lib/pd-tls/tls.key"
     {{- end -}}
@@ -64,9 +64,9 @@ config-file: |-
     {{- if .Values.tikv.config }}
 {{ .Values.tikv.config | indent 2 }}
     {{- end -}}
-    {{- if .Values.enableTLSCluster }}
+    {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
   [security]
-  ca-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+  ca-path = "/var/lib/tikv-tls/ca.crt"
   cert-path = "/var/lib/tikv-tls/tls.crt"
   key-path = "/var/lib/tikv-tls/tls.key"
     {{- end -}}
@@ -91,11 +91,11 @@ config-file: |-
     {{- if .Values.tidb.config }}
 {{ .Values.tidb.config | indent 2 }}
     {{- end -}}
-    {{- if or .Values.enableTLSCluster (and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled) }}
+    {{- if or (and .Values.tlsCluster .Values.tlsCluster.enabled) (and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled) }}
   [security]
     {{- end -}}
-    {{- if .Values.enableTLSCluster }}
-  cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+    {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+  cluster-ssl-ca = "/var/lib/tidb-tls/ca.crt"
   cluster-ssl-cert = "/var/lib/tidb-tls/tls.crt"
   cluster-ssl-key = "/var/lib/tidb-tls/tls.key"
     {{- end -}}
@@ -122,7 +122,7 @@ Encapsulate pump configmap data for consistent digest calculation
 pump-config: |-
     {{- if .Values.binlog.pump.config }}
 {{ .Values.binlog.pump.config | indent 2 }}
-    {{- if .Values.enableTLSCluster }}
+    {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
   [security]
   ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
   ssl-cert = "/var/lib/pump-tls/tls.crt"

charts/tidb-cluster/templates/config/_prometheus-config.tpl

@@ -19,13 +19,17 @@ scrape_configs:
       names:
       - {{ .Release.Namespace }}
   {{- end }}
+  {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+  scheme: https
+  tls_config:
+    insecure_skip_verify: false
+    ca_file: /var/lib/cluster-client-tls/ca.crt
+    cert_file: /var/lib/cluster-client-tls/tls.crt
+    key_file: /var/lib/cluster-client-tls/tls.key
+  {{- else }}
+  scheme: http
   tls_config:
     insecure_skip_verify: true
-  {{- if .Values.enableTLSCluster }}
-    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-    cert_file: /var/lib/pd-client-tls/tls.crt
-    key_file: /var/lib/pd-client-tls/tls.key
-  scheme: https
   {{- end }}
   relabel_configs:
   - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
@@ -41,11 +45,12 @@ scrape_configs:
     action: replace
     target_label: __metrics_path__
     regex: (.+)
-  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
-    action: replace
-    regex: ([^:]+)(?::\d+)?;(\d+)
-    replacement: $1:$2
+  - source_labels: [__meta_kubernetes_pod_name, __meta_kubernetes_pod_label_app_kubernetes_io_instance,
+      __meta_kubernetes_pod_annotation_prometheus_io_port]
+    regex: (.+);(.+);(.+)
     target_label: __address__
+    replacement: $1.$2-pd-peer:$3
+    action: replace
   - source_labels: [__meta_kubernetes_namespace]
     action: replace
     target_label: kubernetes_namespace
@@ -71,13 +76,17 @@ scrape_configs:
       names:
       - {{ .Release.Namespace }}
   {{- end }}
+  {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+  scheme: https
+  tls_config:
+    insecure_skip_verify: false
+    ca_file: /var/lib/cluster-client-tls/ca.crt
+    cert_file: /var/lib/cluster-client-tls/tls.crt
+    key_file: /var/lib/cluster-client-tls/tls.key
+  {{- else }}
+  scheme: http
   tls_config:
     insecure_skip_verify: true
-  {{- if .Values.enableTLSCluster }}
-    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-    cert_file: /var/lib/pd-client-tls/tls.crt
-    key_file: /var/lib/pd-client-tls/tls.key
-  scheme: https
   {{- end }}
   relabel_configs:
   - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
@@ -93,11 +102,12 @@ scrape_configs:
     action: replace
     target_label: __metrics_path__
     regex: (.+)
-  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
-    action: replace
-    regex: ([^:]+)(?::\d+)?;(\d+)
-    replacement: $1:$2
+  - source_labels: [__meta_kubernetes_pod_name, __meta_kubernetes_pod_label_app_kubernetes_io_instance,
+      __meta_kubernetes_pod_annotation_prometheus_io_port]
+    regex: (.+);(.+);(.+)
     target_label: __address__
+    replacement: $1.$2-tidb-peer:$3
+    action: replace
   - source_labels: [__meta_kubernetes_namespace]
     action: replace
     target_label: kubernetes_namespace
@@ -123,16 +133,23 @@ scrape_configs:
       names:
       - {{ .Release.Namespace }}
   {{- end }}
+  scheme: http
   tls_config:
     insecure_skip_verify: true
-# TiKV doesn't support scheme https for now. 
-# And we should fix it after TiKV fix this issue: https://github.com/tikv/tikv/issues/5340
-# {{- if .Values.enableTLSCluster }}
-#     ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-#     cert_file: /var/lib/pd-client-tls/tls.crt
-#     key_file: /var/lib/pd-client-tls/tls.key
-#   scheme: https
-# {{- end }}
+  # TiKV doesn't support scheme https for now.
+  # And we should fix it after TiKV fix this issue: https://github.com/tikv/tikv/issues/5340
+  # {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+  # scheme: https
+  # tls_config:
+  #   insecure_skip_verify: false
+  #   ca_file: /var/lib/cluster-client-tls/ca.crt
+  #   cert_file: /var/lib/cluster-client-tls/tls.crt
+  #   key_file: /var/lib/cluster-client-tls/tls.key
+  # {{- else }}
+  # scheme: http
+  # tls_config:
+  #   insecure_skip_verify: true
+  # {{- end }}
   relabel_configs:
   - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
     action: keep
@@ -147,11 +164,12 @@ scrape_configs:
     action: replace
     target_label: __metrics_path__
     regex: (.+)
-  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
-    action: replace
-    regex: ([^:]+)(?::\d+)?;(\d+)
-    replacement: $1:$2
+  - source_labels: [__meta_kubernetes_pod_name, __meta_kubernetes_pod_label_app_kubernetes_io_instance,
+      __meta_kubernetes_pod_annotation_prometheus_io_port]
+    regex: (.+);(.+);(.+)
     target_label: __address__
+    replacement: $1.$2-tikv-peer:$3
+    action: replace
   - source_labels: [__meta_kubernetes_namespace]
     action: replace
     target_label: kubernetes_namespace

charts/tidb-cluster/templates/config/_pump-config.tpl

@@ -35,7 +35,7 @@ sync-log = {{ .Values.binlog.pump.syncLog | default true }}
 # write-buffer = 67108864
 # write-L0-pause-trigger = 24
 # write-L0-slowdown-trigger = 17
-{{ if .Values.enableTLSCluster }}
+{{ if and .Values.tlsCluster .Values.tlsCluster.enabled }}
 [security]
 # Path of file that contains list of trusted SSL CAs for connection with cluster components.
 ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

charts/tidb-cluster/templates/monitor-deployment.yaml

@@ -134,9 +134,9 @@ spec:
           - name: prometheus-rules
             mountPath: /prometheus-rules
             readOnly: false
-          {{- if .Values.enableTLSCluster }}
-          - name: tls-pd-client
-            mountPath: /var/lib/pd-client-tls
+          {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+          - name: cluster-client-tls
+            mountPath: /var/lib/cluster-client-tls
             readOnly: true
           {{- end }}
       {{- if .Values.monitor.grafana.create }}
@@ -241,11 +241,11 @@ spec:
         name: prometheus-rules
       - emptyDir: {}
         name: grafana-dashboard
-      {{- if .Values.enableTLSCluster }}
-      - name: tls-pd-client
+      {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
+      - name: cluster-client-tls
         secret:
           defaultMode: 420
-          secretName: {{ .Release.Name }}-pd-client
+          secretName: {{ .Release.Name }}-cluster-client-secret
       {{- end }}
     {{- if .Values.monitor.tolerations }}
       tolerations:

charts/tidb-cluster/templates/pump-statefulset.yaml

@@ -55,7 +55,7 @@ spec:
           mountPath: /data
         - name: config
           mountPath: /etc/pump
-      {{- if .Values.enableTLSCluster }}
+      {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
         - name: pump-tls
           mountPath: /var/lib/pump-tls
           readOnly: true
@@ -78,7 +78,7 @@ spec:
           items:
           - key: pump-config
             path: pump.toml
-    {{- if .Values.enableTLSCluster }}
+    {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
       - name: pump-tls
         secret:
           secretName: {{ include "pump.tlsSecretName" . }}

charts/tidb-cluster/templates/tidb-cluster.yaml

@@ -21,7 +21,10 @@ spec:
   pvReclaimPolicy: {{ .Values.pvReclaimPolicy }}
   enablePVReclaim: {{ .Values.enablePVReclaim }}
   timezone: {{ .Values.timezone | default "UTC" }}
-  enableTLSCluster: {{ .Values.enableTLSCluster | default false }}
+{{- if .Values.tlsCluster }}
+  tlsCluster:
+{{ toYaml .Values.tlsCluster | indent 4 }}
+{{- end }}
   services:
 {{ toYaml .Values.services | indent 4 }}
   schedulerName: {{ .Values.schedulerName | default "default-scheduler" }}

charts/tidb-cluster/values.yaml

@@ -55,10 +55,23 @@ discovery:
 # if the ConfigMap was not changed.
 enableConfigMapRollout: true
 
-# Whether enable TLS connections between server nodes.
-# When enabled, PD/TiDB/TiKV/PUMP will use TLS encrypted connections to transfer data between each node,
-# certificates will be generated automatically (if not already present).
-enableTLSCluster: false
+# Whether enable the TLS connection between TiDB server components
+tlsCluster:
+  # The steps to enable this feature:
+  #   1. Generate TiDB server components certificates and a client-side certifiacete for them.
+  #      There are multiple ways to generate these certificates:
+  #        - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/generate-self-signed-certificates/
+  #        - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
+  #        - or use cert-manager signed certificates: https://cert-manager.io/
+  #   2. Create one secret object for one component which contains the certificates created above.
+  #      The name of this Secret must be: <clusterName>-<componentName>-cluster-secret.
+  #        For PD: kubectl create secret generic <clusterName>-pd-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+  #        For TiKV: kubectl create secret generic <clusterName>-tikv-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+  #        For TiDB: kubectl create secret generic <clusterName>-tidb-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+  #        For Client: kubectl create secret generic <clusterName>-cluster-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+  #        Same for other components.
+  #   3. Then create the TiDB cluster with `tlsCluster.enabled` set to `true`.
+  enabled: false
 
 pd:
   # Please refer to https://github.com/pingcap/pd/blob/master/conf/config.toml for the default
@@ -618,7 +631,7 @@ binlog:
     # pump configurations (change to the tags of your pump version),
     # just follow the format in the file and configure in the 'config' section
     # as below if you want to customize any configuration.
-    # [security] section will be generated automatically if enableTLSCluster is set to true so users do not need to configure it.
+    # [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
     # config: |
     #   gc = 7
     #   heartbeat-interval = 2

charts/tikv-importer/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/tikv-importer/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+description: A Helm chart for TiKV Importer
+name: tikv-importer
+version: dev
+home: https://github.com/pingcap/tidb-operator
+sources:
+  - https://github.com/pingcap/tidb-operator
+keywords:
+  - newsql
+  - htap
+  - database
+  - mysql
+  - raft

charts/tikv-importer/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Encapsulate tikv-importer configmap data for consistent digest calculation
+*/}}
+{{- define "importer-configmap.data" -}}
+config-file: |-
+    {{- if .Values.config }}
+{{ .Values.config | indent 2 }}
+    {{- end -}}
+{{- end -}}
+
+{{- define "importer-configmap.data-digest" -}}
+{{ include "importer-configmap.data" . | sha256sum | trunc 8 }}
+{{- end -}}

charts/tikv-importer/templates/tikv-importer-configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.clusterName }}-importer-{{ template "importer-configmap.data-digest" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: importer
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+data:
+{{ include "importer-configmap.data" . | indent 2 }}

charts/tikv-importer/templates/tikv-importer-service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.clusterName }}-importer
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: importer
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  clusterIP: None
+  ports:
+  - name: importer
+    port: 8287
+  selector:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: importer