Support user-defined tidb server/client certificate

charts/tidb-cluster/templates/_helpers.tpl

@@ -91,16 +91,20 @@ config-file: |-
     {{- if .Values.tidb.config }}
 {{ .Values.tidb.config | indent 2 }}
     {{- end -}}
-    {{- if or .Values.enableTLSCluster .Values.tidb.enableTLSClient }}
+    {{- if or .Values.enableTLSCluster .Values.tidb.tlsClient.enabled }}
   [security]
     {{- end -}}
     {{- if .Values.enableTLSCluster }}
   cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
   cluster-ssl-cert = "/var/lib/tidb-tls/cert"
   cluster-ssl-key = "/var/lib/tidb-tls/key"
     {{- end -}}
-    {{- if .Values.tidb.enableTLSClient }}
+    {{- if .Values.tidb.tlsClient.enabled }}
+    {{- if .Values.tidb.tlsClient.userGenerated.secretName }}
+  ssl-ca = "/var/lib/tidb-server-tls/ca"
+    {{- else }}
   ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+    {{- end }}
   ssl-cert = "/var/lib/tidb-server-tls/cert"
   ssl-key = "/var/lib/tidb-server-tls/key"
     {{- end -}}

charts/tidb-cluster/templates/tidb-cluster.yaml

@@ -92,18 +92,9 @@ spec:
   {{- end }}
     maxFailoverCount: {{ .Values.tikv.maxFailoverCount | default 3 }}
   tidb:
-    enableTLSClient: {{ .Values.tidb.enableTLSClient | default false }}
-  {{- if .Values.tidb.extraSANIPList }}
-    extraSANIPList:
-    {{- range .Values.tidb.extraSANIPList }}
-    - {{ . }}
-    {{- end }}
-  {{- end }}
-  {{- if .Values.tidb.extraSANDomainList }}
-    extraSANDomainList:
-    {{- range .Values.tidb.extraSANDomainList }}
-    - {{ . }}
-    {{- end }}
+  {{- if .Values.tidb.tlsClient }}
+    tlsClient:
+{{ toYaml .Values.tidb.tlsClient | indent 6 }}
   {{- end }}
     replicas: {{ .Values.tidb.replicas }}
     image: {{ .Values.tidb.image }}

charts/tidb-cluster/values.yaml

@@ -428,18 +428,25 @@ tidb:
     list: ["whitelist-1"]
 
   # Whether enable TLS connection between TiDB server and MySQL client.
-  # When enabled, TiDB will accept TLS encrypted connections from MySQL client, certificates will be generated
-  # automatically.
   # Note: TLS connection is not forced on the server side, plain connections are also accepted after enableing.
-  enableTLSClient: false
-  # # extra SAN IP list when you set tidb.enableTLSClient to true
-  # extraSANIPList:
-  #   - 1.1.1.1
-  #   - 2.2.2.2
-  # # extra SAN Domain List when you set tidb.enableTLSClient to true
-  # extraSANDomainList:
-  #   - example1.com
-  #   - example2.com
+  tlsClient:
+    # When enabled, TiDB will accept TLS encrypted connections from MySQL client
+    enabled: false
+    # Auto-generated certificate
+    autoGenerated:
+      # # extra SAN IP list
+      # extraSANIPList:
+      #  - 1.1.1.1
+      #  - 2.2.2.2
+      # # extra SAN Domain list
+      # extraSANDomainList:
+      #  - example1.com
+      #  - example2.com
+    # User-generated certificate
+    userGenerated:
+      # # secretName is the name of the secret which stores user-defined tidb server certificate, key and ca, create it with:
+      # # kubectl create secret generic <secret-name> --namespace=<namespace> --from-file=cert=<tidb server certificate file path> --from-file=key=<tidb server key file path> --from-file=ca=<ca file path>
+      # secretName: "demo-tidb-server-secret"
 
 # mysqlClient is used to set password for TiDB
 # it must has Python MySQL client installed

manifests/crd.yaml

@@ -3779,21 +3779,6 @@ spec:
                     cluster-level updateStrategy if present Optional: Defaults to
                     cluster-level setting'
                   type: string
-                enableTLSClient:
-                  description: 'Whether enable the TLS connection between the SQL
-                    client and TiDB server Optional: Defaults to false'
-                  type: boolean
-                extraSANDomainList:
-                  description: extra SAN Domain list when setting EnableTLSClient
-                    to true
-                  items:
-                    type: string
-                  type: array
-                extraSANIPList:
-                  description: extra SAN IP list when setting EnableTLSClient to true
-                  items:
-                    type: string
-                  type: array
                 hostNetwork:
                   description: 'Whether Hostnetwork of the component is enabled. Override
                     the cluster-level setting if present Optional: Defaults to cluster-level
@@ -3988,6 +3973,7 @@ spec:
                         to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                       type: object
                   type: object
+                tlsClient: {}
                 tolerations:
                   description: 'Tolerations of the component. Override the cluster-level
                     tolerations if non-empty Optional: Defaults to cluster-level setting'

pkg/apis/pingcap/v1alpha1/tidbcluster.go

@@ -339,11 +339,15 @@ func (tc *TidbCluster) IsTiDBBinlogEnabled() bool {
 }
 
 func (tidb *TiDBSpec) IsTLSClientEnabled() bool {
-	enableTLSClient := tidb.EnableTLSClient
-	if enableTLSClient == nil {
-		return defaultEnableTLSClient
+	return tidb.TLSClient != nil && tidb.TLSClient.Enabled
+}
+
+func (tidb *TiDBSpec) IsUserGeneratedCertificate() bool {
+	if !tidb.IsTLSClientEnabled() {
+		return false
 	}
-	return *enableTLSClient
+
+	return tidb.TLSClient.UserGenerated != nil && tidb.TLSClient.UserGenerated.SecretName != ""
 }
 
 func (tidb *TiDBSpec) ShouldSeparateSlowLog() bool {

pkg/apis/pingcap/v1alpha1/types.go

@@ -308,15 +308,9 @@ type TiDBSpec struct {
 	SeparateSlowLog *bool `json:"separateSlowLog,omitempty"`
 
 	// Whether enable the TLS connection between the SQL client and TiDB server
-	// Optional: Defaults to false
+	// Optional: Defaults to nil
 	// +optional
-	EnableTLSClient *bool `json:"enableTLSClient,omitempty"`
-
-	// extra SAN IP list when setting EnableTLSClient to true
-	ExtraSANIPList []string `json:"extraSANIPList,omitempty"`
-
-	// extra SAN Domain list when setting EnableTLSClient to true
-	ExtraSANDomainList []string `json:"extraSANDomainList,omitempty"`
+	TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"`
 
 	// The spec of the slow log tailer sidecar
 	// +optional
@@ -602,6 +596,39 @@ type PumpStatus struct {
 	StatefulSet *apps.StatefulSetStatus `json:"statefulSet,omitempty"`
 }
 
+// TiDBTLSClient can enable TLS connection between TiDB server and MySQL client
+type TiDBTLSClient struct {
+	// When enabled, TiDB will accept TLS encrypted connections from MySQL client
+	// +optional
+	Enabled bool `json:"enabled,omitempty"`
+
+	// Auto-generated certificate
+	// +optional
+	AutoGenerated *TiDBAutoGeneratedCertificate `json:"autoGenerated,omitempty"`
+
+	// User-generated certificate
+	// +optional
+	UserGenerated *TiDBUserGeneratedCertificate `json:"userGenerated,omitempty"`
+}
+
+// TiDBAutoGeneratedCertificate is TiDB auto-generated certificate
+type TiDBAutoGeneratedCertificate struct {
+	// Extra SAN IP list
+	// +optional
+	ExtraSANIPList []string `json:"extraSANIPList,omitempty"`
+
+	// Extra SAN Domain list
+	// +optional
+	ExtraSANDomainList []string `json:"extraSANDomainList,omitempty"`
+}
+
+// TiDBUserGeneratedCertificate is TiDB user-generated certificate
+type TiDBUserGeneratedCertificate struct {
+	// Secret name which stores user custom TiDB Server certificate, key and ca
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object