Is your feature request related to a problem? Please describe:
Currently, the TiDB cluster TLS certificate is managed by tidb-operator using k8s built-in certificate generation. It does not support certificate renewal; it's better to use cert-manager to manage the certificates. It also supports other kinds of certificate providers, like Let's Encrypt.
Describe the feature you'd like:
Integrate cert-manager for certificate management.
cert-manager may be the default in the K8s world now.
However, we should also try to see how a user could use SPIFFE. This is a standard that is meant to provide a framework for automatic cert provisioning. It works without k8s, but works with it as well.
Regarding cert-manager, we just need to be able to define the secret created by cert-manager and just support the expected file names: tls.key, tls.crt, ca.crt.
That would be a very good first step, but then I don't know how the renewal would be handled. How is it handled right now, by the way?
@Smana cert-manager supports certificate renewal. And TiDB components will support re-reading certificate files every time a new connection is established. So the service will not be interrupted during certificate renewal.
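The per-connection re-read described in the comment above can be sketched with Go's `crypto/tls` `GetCertificate` hook. This is an added example, not code from TiDB, tidb-operator or any participant in this thread. The names `reloadingConfig` and `issue` are hypothetical, the directory stands in for a mounted Secret holding `tls.crt` and `tls.key`, and the self-signed pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// reloadingConfig re-reads tls.crt and tls.key from dir on every TLS handshake.
func reloadingConfig(dir string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, err := tls.LoadX509KeyPair(dir+"/tls.crt", dir+"/tls.key") // a mismatched pair is rejected here
		return &c, err
	}}
}

// issue writes a constructed self-signed pair, standing in for cert-manager.
func issue(dir string, serial int64) error {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return err
	}
	kb, _ := x509.MarshalPKCS8PrivateKey(key)
	if err = os.WriteFile(dir+"/tls.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kb}), 0600); err == nil {
		err = os.WriteFile(dir+"/tls.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0644)
	}
	return err
}

func main() {
	dir, _ := os.MkdirTemp("", "tls") // constructed stand-in for the mounted Secret
	cfg := reloadingConfig(dir)       // built once, as a long-lived server would
	for serial := int64(1); serial <= 2; serial++ { // second pass simulates a renewal
		issueErr := issue(dir, serial)
		c, loadErr := cfg.GetCertificate(&tls.ClientHelloInfo{})
		if issueErr != nil || loadErr != nil {
			panic(fmt.Sprint(issueErr, loadErr))
		}
		leaf, _ := x509.ParseCertificate(c.Certificate[0])
		fmt.Println("new handshakes are served serial", leaf.SerialNumber)
	}
}
```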