tls: TLS between TiDB components #1870

Merged
merged 8 commits into from
Mar 12, 2020
18 changes: 9 additions & 9 deletions charts/tidb-cluster/templates/_helpers.tpl
Expand Up @@ -28,7 +28,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}

{{- define "cluster.scheme" -}}
{{ if .Values.enableTLSCluster }}https{{ else }}http{{ end }}
{{ if and .Values.tlsCluster .Values.tlsCluster.enabled }}https{{ else }}http{{ end }}
{{- end -}}

{{/*
Expand All @@ -41,9 +41,9 @@ config-file: |-
{{- if .Values.pd.config }}
{{ .Values.pd.config | indent 2 }}
{{- end -}}
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
[security]
cacert-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
cacert-path = "/var/lib/pd-tls/ca.crt"
cert-path = "/var/lib/pd-tls/tls.crt"
key-path = "/var/lib/pd-tls/tls.key"
{{- end -}}
Expand All @@ -64,9 +64,9 @@ config-file: |-
{{- if .Values.tikv.config }}
{{ .Values.tikv.config | indent 2 }}
{{- end -}}
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
[security]
ca-path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ca-path = "/var/lib/tikv-tls/ca.crt"
cert-path = "/var/lib/tikv-tls/tls.crt"
key-path = "/var/lib/tikv-tls/tls.key"
{{- end -}}
Expand All @@ -91,11 +91,11 @@ config-file: |-
{{- if .Values.tidb.config }}
{{ .Values.tidb.config | indent 2 }}
{{- end -}}
{{- if or .Values.enableTLSCluster (and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled) }}
{{- if or (and .Values.tlsCluster .Values.tlsCluster.enabled) (and .Values.tidb.tlsClient .Values.tidb.tlsClient.enabled) }}
[security]
{{- end -}}
{{- if .Values.enableTLSCluster }}
cluster-ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
cluster-ssl-ca = "/var/lib/tidb-tls/ca.crt"
cluster-ssl-cert = "/var/lib/tidb-tls/tls.crt"
cluster-ssl-key = "/var/lib/tidb-tls/tls.key"
{{- end -}}
Expand All @@ -122,7 +122,7 @@ Encapsulate pump configmap data for consistent digest calculation
pump-config: |-
{{- if .Values.binlog.pump.config }}
{{ .Values.binlog.pump.config | indent 2 }}
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
[security]
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ssl-cert = "/var/lib/pump-tls/tls.crt"
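Review bot: The pump `[security]` block at the end of this section still reads `ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` while its `ssl-cert` now comes from `/var/lib/pump-tls/tls.crt`, whereas the PD, TiKV and TiDB blocks above were all moved to `/var/lib/<component>-tls/ca.crt`. With user-provided or cert-manager-issued certificates the service-account CA is not the issuer, so pump would be verifying peers against the wrong trust anchor; assuming the pump secret carries a `ca.crt` like the others, this should be `ssl-ca = "/var/lib/pump-tls/ca.crt"`. The same stale path appears in the `_pump-config.tpl` hunk of this PR. The pump hunk continues past the end of this section.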
24 changes: 12 additions & 12 deletions charts/tidb-cluster/templates/config/_prometheus-config.tpl
Expand Up @@ -21,10 +21,10 @@ scrape_configs:
{{- end }}
tls_config:
insecure_skip_verify: true
{{- if .Values.enableTLSCluster }}
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cert_file: /var/lib/pd-client-tls/tls.crt
key_file: /var/lib/pd-client-tls/tls.key
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
ca_file: /var/lib/cluster-client-tls/ca.crt
All pods' client certificates are mounted at /var/lib/cluster-client-tls.

cert_file: /var/lib/cluster-client-tls/tls.crt
key_file: /var/lib/cluster-client-tls/tls.key
scheme: https
{{- end }}
relabel_configs:
Expand Down Expand Up @@ -73,10 +73,10 @@ scrape_configs:
{{- end }}
tls_config:
insecure_skip_verify: true
{{- if .Values.enableTLSCluster }}
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cert_file: /var/lib/pd-client-tls/tls.crt
key_file: /var/lib/pd-client-tls/tls.key
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
ca_file: /var/lib/cluster-client-tls/ca.crt
cert_file: /var/lib/cluster-client-tls/tls.crt
key_file: /var/lib/cluster-client-tls/tls.key
scheme: https
{{- end }}
relabel_configs:
Expand Down Expand Up @@ -127,10 +127,10 @@ scrape_configs:
insecure_skip_verify: true
# TiKV doesn't support scheme https for now.
# And we should fix it after TiKV fix this issue: https://github.com/tikv/tikv/issues/5340
# {{- if .Values.enableTLSCluster }}
# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# cert_file: /var/lib/pd-client-tls/tls.crt
# key_file: /var/lib/pd-client-tls/tls.key
# {{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
# ca_file: /var/lib/cluster-client-tls/ca.crt
# cert_file: /var/lib/cluster-client-tls/tls.crt
# key_file: /var/lib/cluster-client-tls/tls.key
# scheme: https
# {{- end }}
relabel_configs:
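Review bot: `insecure_skip_verify: true` remains unconditional directly above the new `ca_file` entries, so when `tlsCluster.enabled` is set Prometheus presents its client certificate but never checks the PD/TiDB server certificates against `/var/lib/cluster-client-tls/ca.crt`, leaving the mounted CA effectively unused. Consider putting `insecure_skip_verify: false` inside the `tlsCluster.enabled` branch next to `ca_file` and keeping `true` only for the plain-HTTP case; the second scrape job and the commented-out TiKV block have the same shape. If skipping verification is deliberate because the component certificates do not carry the pod DNS SANs, a comment stating that would save the next reader from re-raising it.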
2 changes: 1 addition & 1 deletion charts/tidb-cluster/templates/config/_pump-config.tpl
Expand Up @@ -35,7 +35,7 @@ sync-log = {{ .Values.binlog.pump.syncLog | default true }}
# write-buffer = 67108864
# write-L0-pause-trigger = 24
# write-L0-slowdown-trigger = 17
{{ if .Values.enableTLSCluster }}
{{ if and .Values.tlsCluster .Values.tlsCluster.enabled }}
[security]
# Path of file that contains list of trusted SSL CAs for connection with cluster components.
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
12 changes: 6 additions & 6 deletions charts/tidb-cluster/templates/monitor-deployment.yaml
Expand Up @@ -134,9 +134,9 @@ spec:
- name: prometheus-rules
mountPath: /prometheus-rules
readOnly: false
{{- if .Values.enableTLSCluster }}
- name: tls-pd-client
mountPath: /var/lib/pd-client-tls
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: cluster-client-tls
mountPath: /var/lib/cluster-client-tls
readOnly: true
{{- end }}
{{- if .Values.monitor.grafana.create }}
Expand Down Expand Up @@ -241,11 +241,11 @@ spec:
name: prometheus-rules
- emptyDir: {}
name: grafana-dashboard
{{- if .Values.enableTLSCluster }}
- name: tls-pd-client
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: cluster-client-tls
secret:
defaultMode: 420
secretName: {{ .Release.Name }}-pd-client
secretName: {{ .Release.Name }}-cluster-client-secret
{{- end }}
{{- if .Values.monitor.tolerations }}
tolerations:
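Review bot: The client secret name is hardcoded as `secretName: {{ .Release.Name }}-cluster-client-secret`, whereas the pump StatefulSet in this PR resolves its secret through `include "pump.tlsSecretName" .`; a matching helper would keep the `<clusterName>-cluster-client-secret` naming contract that values.yaml documents in one place. Separately, `defaultMode: 420` (0644) leaves `tls.key` readable by every user in the Prometheus container; `defaultMode: 256` (0400), or 0440 paired with an `fsGroup` in the pod securityContext, is the usual choice for a private-key mount — worth checking which user the Prometheus container runs as before tightening it.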
4 changes: 2 additions & 2 deletions charts/tidb-cluster/templates/pump-statefulset.yaml
Expand Up @@ -55,7 +55,7 @@ spec:
mountPath: /data
- name: config
mountPath: /etc/pump
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: pump-tls
mountPath: /var/lib/pump-tls
readOnly: true
Expand All @@ -78,7 +78,7 @@ spec:
items:
- key: pump-config
path: pump.toml
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: pump-tls
secret:
secretName: {{ include "pump.tlsSecretName" . }}
5 changes: 4 additions & 1 deletion charts/tidb-cluster/templates/tidb-cluster.yaml
Expand Up @@ -21,7 +21,10 @@ spec:
pvReclaimPolicy: {{ .Values.pvReclaimPolicy }}
enablePVReclaim: {{ .Values.enablePVReclaim }}
timezone: {{ .Values.timezone | default "UTC" }}
enableTLSCluster: {{ .Values.enableTLSCluster | default false }}
{{- if .Values.tlsCluster }}
tlsCluster:
{{ toYaml .Values.tlsCluster | indent 4 }}
{{- end }}
services:
{{ toYaml .Values.services | indent 4 }}
schedulerName: {{ .Values.schedulerName | default "default-scheduler" }}
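Review bot: Dropping `enableTLSCluster` from the rendered spec without a compatibility check means an existing values file that still sets `enableTLSCluster: true` renders a cluster with TLS silently turned off, a downgrade that only shows up at runtime. A guard ahead of the new block, `{{- if .Values.enableTLSCluster }}{{ fail "enableTLSCluster has been replaced by tlsCluster.enabled" }}{{- end }}`, turns the upgrade into a loud render error; alternatively map the old value into `tlsCluster.enabled` for one release. Also note that `toYaml .Values.tlsCluster` copies every key a user puts under `tlsCluster` into the CR, and the CRD in this PR validates that object as `{}`, so misspelled keys pass through unchecked.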
23 changes: 18 additions & 5 deletions charts/tidb-cluster/values.yaml
Expand Up @@ -55,10 +55,23 @@ discovery:
# if the ConfigMap was not changed.
enableConfigMapRollout: true

# Whether enable TLS connections between server nodes.
# When enabled, PD/TiDB/TiKV/PUMP will use TLS encrypted connections to transfer data between each node,
# certificates will be generated automatically (if not already present).
enableTLSCluster: false
# Whether enable the TLS connection between TiDB server components
tlsCluster:
# The steps to enable this feature:
# 1. Generate TiDB server components certificates and a client-side certifiacete for them.
# There are multiple ways to generate these certificates:
# - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/generate-self-signed-certificates/
# - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
# - or use cert-manager signed certificates: https://cert-manager.io/
# 2. Create one secret object for one component which contains the certificates created above.
# The name of this Secret must be: <clusterName>-<componentName>-cluster-secret.
# For PD: kubectl create secret generic <clusterName>-pd-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
# For TiKV: kubectl create secret generic <clusterName>-tikv-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
# For TiDB: kubectl create secret generic <clusterName>-tidb-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
# For Client: kubectl create secret generic <clusterName>-cluster-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
# Same for other components.
# 3. Then create the TiDB cluster with `tlsCluster.enabled` set to `true`.
enabled: false

pd:
# Please refer to https://github.com/pingcap/pd/blob/master/conf/config.toml for the default
Expand Down Expand Up @@ -616,7 +629,7 @@ binlog:
# pump configurations (change to the tags of your pump version),
# just follow the format in the file and configure in the 'config' section
# as below if you want to customize any configuration.
# [security] section will be generated automatically if enableTLSCluster is set to true so users do not need to configure it.
# [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
# config: |
# gc = 7
# heartbeat-interval = 2
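Review bot: `certifiacete` in the step-1 comment should be `certificate`; the identical sentence in the `TLSCluster` doc comment in types.go carries the same typo. The heading `# Whether enable the TLS connection between TiDB server components` reads better as `# Whether to enable TLS connections between TiDB server components`. Step 2 lists `tls.crt`, `tls.key` and `ca.crt` for each secret; since the templates now read `ca.crt` from each component's own secret, it would help to state that this `ca.crt` has to be the CA that issued every component's certificate, as the components presumably verify each other against it.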
5 changes: 1 addition & 4 deletions manifests/crd.yaml
Expand Up @@ -675,10 +675,6 @@ spec:
description: 'Whether enable PVC reclaim for orphan PVC left by statefulset
scale-in Optional: Defaults to false'
type: boolean
enableTLSCluster:
description: 'Enable TLS connection between TiDB server components Optional:
Defaults to false'
type: boolean
helper:
description: HelperSpec contains details of helper component
properties:
Expand Down Expand Up @@ -6055,6 +6051,7 @@ spec:
timezone:
description: 'Time zone of TiDB cluster Pods Optional: Defaults to UTC'
type: string
tlsCluster: {}
tolerations:
description: Base tolerations of TiDB cluster Pods, components may add
more tolerations upon this respectively
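Review bot: `tlsCluster: {}` drops all schema validation for the new object, whereas the removed `enableTLSCluster` entry had a `description` and `type: boolean`; the API server will now admit `tlsCluster: {enable: true}` without complaint and the cluster quietly runs without TLS. This looks like a generator artifact (openapi_generated.go is touched in the same PR), so if the `TLSCluster` struct cannot be emitted automatically the entry should at least carry `type: object` with `properties: {enabled: {type: boolean}}` and the old description moved across.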
5 changes: 2 additions & 3 deletions pkg/apis/pingcap/v1alpha1/defaulting/tidbcluster.go
Expand Up @@ -40,9 +40,8 @@ func setTidbClusterSpecDefault(tc *v1alpha1.TidbCluster) {
if string(tc.Spec.ImagePullPolicy) == "" {
tc.Spec.ImagePullPolicy = corev1.PullIfNotPresent
}
if tc.Spec.EnableTLSCluster == nil {
d := false
tc.Spec.EnableTLSCluster = &d
if tc.Spec.TLSCluster == nil {
tc.Spec.TLSCluster = &v1alpha1.TLSCluster{Enabled: false}
}
if tc.Spec.EnablePVReclaim == nil {
d := false
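Review bot: `setTidbClusterSpecDefault` now fills a nil `TLSCluster` with `&v1alpha1.TLSCluster{Enabled: false}`, but the new field comment in types.go says `Optional: Defaults to nil`; one of the two should change. Since `IsTLSClusterEnabled` in this PR already treats nil as disabled, the defaulting could simply be dropped, or the comment updated to `Optional: Defaults to {enabled: false}`. With `omitempty` on `Enabled`, the defaulted value serializes back as `tlsCluster: {}`, which is worth keeping in mind when reading stored objects. The enclosing function starts and ends outside the hunk.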
9 changes: 4 additions & 5 deletions pkg/apis/pingcap/v1alpha1/openapi_generated.go


6 changes: 1 addition & 5 deletions pkg/apis/pingcap/v1alpha1/tidbcluster.go
Expand Up @@ -300,11 +300,7 @@ func (tc *TidbCluster) GetClusterID() string {
}

func (tc *TidbCluster) IsTLSClusterEnabled() bool {
enableTLCluster := tc.Spec.EnableTLSCluster
if enableTLCluster == nil {
return defaultEnableTLSCluster
}
return *enableTLCluster
return tc.Spec.TLSCluster != nil && tc.Spec.TLSCluster.Enabled
}

func (tc *TidbCluster) Scheme() string {
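Review bot: With `IsTLSClusterEnabled` reduced to `return tc.Spec.TLSCluster != nil && tc.Spec.TLSCluster.Enabled`, the `defaultEnableTLSCluster` constant referenced on the removed line has no user in this function any more; if nothing else in the package reads it, delete it so the old flag does not linger. The exported method also lacks a doc comment; `// IsTLSClusterEnabled reports whether TLS between cluster components is turned on via spec.tlsCluster.enabled.` would do.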
29 changes: 26 additions & 3 deletions pkg/apis/pingcap/v1alpha1/types.go
Expand Up @@ -150,10 +150,10 @@ type TidbClusterSpec struct {
// +optional
EnablePVReclaim *bool `json:"enablePVReclaim,omitempty"`

// Enable TLS connection between TiDB server components
// Optional: Defaults to false
// Whether enable the TLS connection between TiDB server components
// Optional: Defaults to nil
// +optional
EnableTLSCluster *bool `json:"enableTLSCluster,omitempty"`
TLSCluster *TLSCluster `json:"tlsCluster,omitempty"`

// Whether Hostnetwork is enabled for TiDB cluster Pods
// Optional: Defaults to false
Expand Down Expand Up @@ -618,6 +618,29 @@ type TiDBTLSClient struct {
Enabled bool `json:"enabled,omitempty"`
}

// TLSCluster can enable TLS connection between TiDB server components
// https://pingcap.com/docs/stable/how-to/secure/enable-tls-between-components/
type TLSCluster struct {
// Enable mutual TLS authentication among TiDB components
// Once enabled, the mutual authentication applies to all components,
// and it does not support applying to only part of the components.
// The steps to enable this feature:
// 1. Generate TiDB server components certificates and a client-side certifiacete for them.
// There are multiple ways to generate these certificates:
// - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/generate-self-signed-certificates/
// - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
// - or use cert-manager signed certificates: https://cert-manager.io/
// 2. Create one secret object for one component which contains the certificates created above.
// The name of this Secret must be: <clusterName>-<componentName>-cluster-secret.
// For PD: kubectl create secret generic <clusterName>-pd-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
// For TiKV: kubectl create secret generic <clusterName>-tikv-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
// For TiDB: kubectl create secret generic <clusterName>-tidb-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
// For Client: kubectl create secret generic <clusterName>-cluster-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
// Same for other components.
// +optional
Enabled bool `json:"enabled,omitempty"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

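Review bot: The fifteen-line operational recipe on `TLSCluster.Enabled` (kubectl invocations included) duplicates the values.yaml comment verbatim and will be baked into the generated OpenAPI description of the field, where procedural text ages badly. Keeping the field comment to the contract — what the flag does, which secrets must exist and under which names — and pointing at the docs page already cited on the struct (`// See https://pingcap.com/docs/stable/how-to/secure/enable-tls-between-components/ for the setup steps.`) would read better in both places. `certifiacete` should be `certificate` here as well.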
22 changes: 19 additions & 3 deletions pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go

