tls: fix cluster TLS while using CR to create cluster #1773

Merged
merged 2 commits into from
Feb 26, 2020
6 changes: 3 additions & 3 deletions manifests/crd.yaml
Expand Up @@ -5696,13 +5696,13 @@ spec:
type: object
security:
properties:
ca_path:
ca-path:
type: string
cert_path:
cert-path:
type: string
cipher_file:
type: string
key_path:
key-path:
type: string
override_ssl_target:
type: string
6 changes: 3 additions & 3 deletions pkg/apis/pingcap/v1alpha1/openapi_generated.go


6 changes: 3 additions & 3 deletions pkg/apis/pingcap/v1alpha1/tikv_config.go
Expand Up @@ -194,11 +194,11 @@ type TiKVRaftDBConfig struct {
// +k8s:openapi-gen=true
type TiKVSecurityConfig struct {
// +optional
CAPath string `json:"ca_path,omitempty" toml:"ca_path,omitempty"`
CAPath string `json:"ca-path,omitempty" toml:"ca-path,omitempty"`
// +optional
CertPath string `json:"cert_path,omitempty" toml:"cert_path,omitempty"`
CertPath string `json:"cert-path,omitempty" toml:"cert-path,omitempty"`
// +optional
KeyPath string `json:"key_path,omitempty" toml:"key_path,omitempty"`
KeyPath string `json:"key-path,omitempty" toml:"key-path,omitempty"`
Contributor Author


There are many other keys that use `_`; should they be changed to `-` as well? @aylei PTAL

Contributor


Yes, the `_` keys are errors; I will open a PR to fix them.

// +optional
OverrideSslTarget string `json:"override_ssl_target,omitempty" toml:"override_ssl_target,omitempty"`
// +optional
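Review bot: Changing the json tags from `ca_path`/`cert_path`/`key_path` to the hyphenated names is a breaking change for the CRD wire format: a TidbCluster CR that already sets `security.ca_path` will no longer populate CAPath after this merges, and encoding/json reports no error for the stale key, so the old value is silently ignored (whether the CRD schema prunes or preserves the unknown key depends on settings not visible here). Because these fields select the TLS trust anchor and key material, a silently dropped value changes the cluster's security posture instead of failing loudly, so the rename deserves a release note or a field comment such as `// CAPath maps to TiKV's security.ca-path (previously serialized as ca_path).`. TiKVSecurityConfig continues past the end of the hunk.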
17 changes: 17 additions & 0 deletions pkg/manager/member/pd_member_manager.go
Expand Up @@ -15,6 +15,7 @@ package member

import (
"fmt"
"path"
"strconv"
"strings"

Expand All @@ -35,6 +36,11 @@ import (
glog "k8s.io/klog"
)

const (
// pdClusterCertPath is where the cert for inter-cluster communication stored (if any)
pdClusterCertPath = "/var/lib/pd-tls"
)

type pdMemberManager struct {
pdControl pdapi.PDControlInterface
setControl controller.StatefulSetControlInterface
Expand Down Expand Up @@ -709,6 +715,17 @@ func getPDConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
if config == nil {
return nil, nil
}

// override CA if tls enabled
if tc.IsTLSClusterEnabled() {
if config.Security == nil {
config.Security = &v1alpha1.PDSecurityConfig{}
}
config.Security.CAPath = serviceAccountCAPath
config.Security.CertPath = path.Join(pdClusterCertPath, "cert")
config.Security.KeyPath = path.Join(pdClusterCertPath, "key")
}

confText, err := MarshalTOML(config)
if err != nil {
return nil, err
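Review bot: The three assignments in the new `if tc.IsTLSClusterEnabled()` block unconditionally overwrite config.Security.CAPath, CertPath and KeyPath, so any paths a user set in the CR's security section are silently discarded whenever cluster TLS is on; the identical pattern is added to getTikVConfigMap in pkg/manager/member/tikv_member_manager.go. Either fill each field only when it is empty, or state the precedence in the comment, e.g. `// cluster TLS enabled: the operator-managed CA/cert/key paths take precedence over any paths set in the CR`. The existing comment `// override CA if tls enabled` also understates the block, since the cert and key paths are overridden too. serviceAccountCAPath is not defined in this hunk; if it refers to the kubelet-mounted service account CA, the peer-certificate trust anchor becomes the Kubernetes cluster CA rather than a CA dedicated to the TiDB cluster, which is worth confirming is intended. getPDConfigMap starts before the hunk and continues after it.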
17 changes: 17 additions & 0 deletions pkg/manager/member/tikv_member_manager.go
Expand Up @@ -15,6 +15,7 @@ package member

import (
"fmt"
"path"
"reflect"
"regexp"
"strings"
Expand All @@ -36,6 +37,11 @@ import (
glog "k8s.io/klog"
)

const (
// tikvClusterCertPath is where the cert for inter-cluster communication stored (if any)
tikvClusterCertPath = "/var/lib/tikv-tls"
)

// tikvMemberManager implements manager.Manager.
type tikvMemberManager struct {
setControl controller.StatefulSetControlInterface
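Review bot: The comment on the new tikvClusterCertPath constant, `// tikvClusterCertPath is where the cert for inter-cluster communication stored (if any)`, is missing a verb and does not say that the key is expected at the same location; the pdClusterCertPath comment in pkg/manager/member/pd_member_manager.go has the same wording. Suggest `// tikvClusterCertPath is the directory where the cert and key used for inter-cluster TLS are expected to be found when cluster TLS is enabled.`. The names "cert" and "key" joined onto this path in getTikVConfigMap are the only other place the layout is fixed, so documenting it here keeps both in one spot.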
Expand Down Expand Up @@ -525,6 +531,17 @@ func getTikVConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
if config == nil {
return nil, nil
}

// override CA if tls enabled
if tc.IsTLSClusterEnabled() {
if config.Security == nil {
config.Security = &v1alpha1.TiKVSecurityConfig{}
}
config.Security.CAPath = serviceAccountCAPath
config.Security.CertPath = path.Join(tikvClusterCertPath, "cert")
config.Security.KeyPath = path.Join(tikvClusterCertPath, "key")
}

confText, err := MarshalTOML(config)
if err != nil {
return nil, err