TLS support for Pump and Drainer #1979

Merged
merged 3 commits into from
Mar 19, 2020
Merged
8 changes: 4 additions & 4 deletions charts/tidb-drainer/templates/_helpers.tpl
Expand Up @@ -7,7 +7,7 @@
{{- end -}}

{{- define "drainer.tlsSecretName" -}}
{{ .Values.clusterName }}-drainer
{{ .Values.clusterName }}-drainer-cluster-secret
{{- end -}}

{{/*
Expand All @@ -18,9 +18,9 @@ config-file: |-
{{- if .Values.config }}
{{ .Values.config | indent 2 }}
{{- end -}}
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
[security]
ssl-ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
ssl-ca = "/var/lib/drainer-tls/ca.crt"
ssl-cert = "/var/lib/drainer-tls/tls.crt"
ssl-key = "/var/lib/drainer-tls/tls.key"
{{- end -}}
Expand All @@ -31,7 +31,7 @@ config-file: |-
{{- end -}}

{{- define "cluster.scheme" -}}
{{ if .Values.enableTLSCluster }}https{{ else }}http{{ end }}
{{ if and .Values.tlsCluster .Values.tlsCluster.enabled }}https{{ else }}http{{ end }}
{{- end -}}

{{- define "helm-toolkit.utils.template" -}}
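Review bot: `drainer.tlsSecretName` now resolves to a Secret the operator of the chart must create by hand (values.yaml in this PR documents the required `tls.crt`, `tls.key` and `ca.crt` keys), but the helper itself carries no hint of that, and the `config-file` line `ssl-ca = "/var/lib/drainer-tls/ca.crt"` silently depends on the `ca.crt` key being present in that Secret. A short template comment above the define, e.g. `{{/* Name of the user-created Secret holding tls.crt, tls.key and ca.crt for Drainer; it must exist before install when tlsCluster.enabled is true */}}`, keeps the contract next to the name that produces it. The `config-file` define is only partially visible in its hunk, so the rest of its contents is outside this review.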
4 changes: 2 additions & 2 deletions charts/tidb-drainer/templates/drainer-statefulset.yaml
Expand Up @@ -46,7 +46,7 @@ spec:
mountPath: /data
- name: config
mountPath: /etc/drainer
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: drainer-tls
mountPath: /var/lib/drainer-tls
readOnly: true
Expand All @@ -65,7 +65,7 @@ spec:
items:
- key: config-file
path: drainer.toml
{{- if .Values.enableTLSCluster }}
{{- if and .Values.tlsCluster .Values.tlsCluster.enabled }}
- name: drainer-tls
secret:
secretName: {{ include "drainer.tlsSecretName" . }}
19 changes: 14 additions & 5 deletions charts/tidb-drainer/values.yaml
Expand Up @@ -29,13 +29,22 @@ disableDetect: false
# if drainer donesn't have checkpoint, use initial commitTS to initial checkpoint
initialCommitTs: 0

# Whether enable TLS connections between server nodes.
# When enabled, DRAINER will use TLS encrypted connections to transfer data with PUMP node,
# certificates will be generated by script "hack/create-cert.sh" manually
enableTLSCluster: false
# Whether enable the TLS connection between TiDB server components
tlsCluster:
# The steps to enable this feature:
# 1. Generate Drainer certificate.
# There are multiple ways to generate these certificates:
# - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/generate-self-signed-certificates/
# - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
# - or use cert-manager signed certificates: https://cert-manager.io/
# 2. Create one secret object for Drainer which contains the certificates created above.
# The name of this Secret must be: <clusterName>-drainer-cluster-secret.
# For Drainer: kubectl create secret generic <clusterName>-drainer-cluster-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
# 3. Then create the Drainer cluster with `tlsCluster.enabled` set to `true`.
enabled: false

# Refer to https://github.com/pingcap/tidb-binlog/blob/master/cmd/drainer/drainer.toml
# [security] section will be generated automatically if enableTLSCluster is set to true so users do not need to configure it.
# [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
config: |
detect-interval = 10
compressor = ""
49 changes: 3 additions & 46 deletions pkg/manager/member/pump_member_manager.go
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/pingcap/tidb-operator/pkg/controller"
"github.com/pingcap/tidb-operator/pkg/label"
"github.com/pingcap/tidb-operator/pkg/manager"
"github.com/pingcap/tidb-operator/pkg/util"
apps "k8s.io/api/apps/v1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -99,13 +100,6 @@ func (pmm *pumpMemberManager) syncPumpStatefulSetForTidbCluster(tc *v1alpha1.Tid
return err
}

if tc.IsTLSClusterEnabled() {
err := pmm.syncPumpStatefulsetCerts(tc)
if err != nil {
return err
}
}

newPumpSet, err := getNewPumpStatefulSet(tc, cm)
if err != nil {
return err
Expand Down Expand Up @@ -260,7 +254,7 @@ func getNewPumpConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
confTextStr = strings.Join([]string{
confTextStr,
"[security]",
fmt.Sprintf("ssl-ca = \"%s\"", serviceAccountCAPath),
fmt.Sprintf("ssl-ca = \"%s\"", path.Join(pumpCertPath, corev1.ServiceAccountRootCAKey)),
fmt.Sprintf("ssl-cert = \"%s\"", path.Join(pumpCertPath, corev1.TLSCertKey)),
fmt.Sprintf("ssl-key = \"%s\"", path.Join(pumpCertPath, corev1.TLSPrivateKeyKey))}, "\n")
}
Expand Down Expand Up @@ -379,7 +373,7 @@ func getNewPumpStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*app
volumes = append(volumes, corev1.Volume{
Name: pumpCertVolumeMount, VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: controller.PumpMemberName(tc.Name),
SecretName: util.ClusterTLSSecretName(tc.Name, label.PumpLabelVal),
},
},
})
Expand Down Expand Up @@ -479,43 +473,6 @@ func getPumpLogLevel(tc *v1alpha1.TidbCluster) string {
return logLevel
}

// syncPumpStatefulsetCerts creates the cert pair for Pump if not exist, the cert
// pair is used to communicate with other TiDB components, like TiDB and Drainer
func (pmm *pumpMemberManager) syncPumpStatefulsetCerts(tc *v1alpha1.TidbCluster) error {
ns := tc.GetNamespace()
tcName := tc.GetName()
svcName := controller.PumpMemberName(tcName)
peerName := controller.PumpPeerMemberName(tcName)

if pmm.certControl.CheckSecret(ns, svcName) {
return nil
}

hostList := []string{
svcName,
peerName,
fmt.Sprintf("%s.%s", svcName, ns),
fmt.Sprintf("%s.%s", peerName, ns),
fmt.Sprintf("*.%s.%s", peerName, ns),
}

ipList := []string{
"127.0.0.1", "::1", // able to access https endpoint via loopback network
}

certOpts := &controller.TiDBClusterCertOptions{
Namespace: ns,
Instance: tcName,
CommonName: svcName,
HostList: hostList,
IPList: ipList,
Component: "pump",
Suffix: "pump",
}

return pmm.certControl.Create(controller.GetOwnerRef(tc), certOpts)
}

func (pmm *pumpMemberManager) pumpStatefulSetIsUpgrading(set *apps.StatefulSet, tc *v1alpha1.TidbCluster) (bool, error) {
if statefulSetIsUpgrading(set) {
return true, nil
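Review bot: In the `@@ -379,7 +373,7 @@` hunk the Pump StatefulSet now mounts `util.ClusterTLSSecretName(tc.Name, label.PumpLabelVal)`, but with `syncPumpStatefulsetCerts` deleted nothing in `syncPumpStatefulSetForTidbCluster` (the `@@ -99,13 +100,6 @@` hunk) confirms that the user-provided Secret exists before the StatefulSet is created, so a missing or mis-keyed Secret will most likely surface only as pods that never start rather than as a sync error naming the Secret. Consider keeping an existence check on the TLS path, e.g. `if tc.IsTLSClusterEnabled() && !pmm.certControl.CheckSecret(tc.GetNamespace(), util.ClusterTLSSecretName(tc.Name, label.PumpLabelVal)) { return fmt.Errorf("pump TLS secret %s/%s not found", tc.GetNamespace(), util.ClusterTLSSecretName(tc.Name, label.PumpLabelVal)) }` — assuming `certControl` is still a field of `pumpMemberManager` after this change, which the hunks do not show. In the `@@ -260,7 +254,7 @@` hunk, `corev1.ServiceAccountRootCAKey` is now used purely for its `"ca.crt"` string value as the key inside the user-provided Secret, not for the service-account CA the old `serviceAccountCAPath` pointed at; a comment such as `// "ca.crt" key of the user-provided cluster TLS secret, not the service-account CA` would stop the next reader from assuming the old behaviour. All three enclosing functions start and end outside their hunks.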