tls: fix cluster TLS while using CR to create cluster (#1773) (#1785)

pingcap · Feb 26, 2020 · c6fcf39 · c6fcf39
1 parent 203fa95
commit c6fcf39
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 9 deletions.
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -5696,13 +5696,13 @@ spec:
                       type: object
                     security:
                       properties:
-                        ca_path:
+                        ca-path:
                           type: string
-                        cert_path:
+                        cert-path:
                           type: string
                         cipher_file:
                           type: string
-                        key_path:
+                        key-path:
                           type: string
                         override_ssl_target:
                           type: string

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/tikv_config.go b/pkg/apis/pingcap/v1alpha1/tikv_config.go
@@ -194,11 +194,11 @@ type TiKVRaftDBConfig struct {
 // +k8s:openapi-gen=true
 type TiKVSecurityConfig struct {
 	// +optional
-	CAPath string `json:"ca_path,omitempty" toml:"ca_path,omitempty"`
+	CAPath string `json:"ca-path,omitempty" toml:"ca-path,omitempty"`
 	// +optional
-	CertPath string `json:"cert_path,omitempty" toml:"cert_path,omitempty"`
+	CertPath string `json:"cert-path,omitempty" toml:"cert-path,omitempty"`
 	// +optional
-	KeyPath string `json:"key_path,omitempty" toml:"key_path,omitempty"`
+	KeyPath string `json:"key-path,omitempty" toml:"key-path,omitempty"`
 	// +optional
 	OverrideSslTarget string `json:"override_ssl_target,omitempty" toml:"override_ssl_target,omitempty"`
 	// +optional

diff --git a/pkg/manager/member/pd_member_manager.go b/pkg/manager/member/pd_member_manager.go
@@ -15,6 +15,7 @@ package member
 
 import (
 	"fmt"
+	"path"
 	"strconv"
 	"strings"
 
@@ -35,6 +36,11 @@ import (
 	glog "k8s.io/klog"
 )
 
+const (
+	// pdClusterCertPath is where the cert for inter-cluster communication stored (if any)
+	pdClusterCertPath = "/var/lib/pd-tls"
+)
+
 type pdMemberManager struct {
 	pdControl    pdapi.PDControlInterface
 	setControl   controller.StatefulSetControlInterface
@@ -709,6 +715,17 @@ func getPDConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
 	if config == nil {
 		return nil, nil
 	}
+
+	// override CA if tls enabled
+	if tc.IsTLSClusterEnabled() {
+		if config.Security == nil {
+			config.Security = &v1alpha1.PDSecurityConfig{}
+		}
+		config.Security.CAPath = serviceAccountCAPath
+		config.Security.CertPath = path.Join(pdClusterCertPath, "cert")
+		config.Security.KeyPath = path.Join(pdClusterCertPath, "key")
+	}
+
 	confText, err := MarshalTOML(config)
 	if err != nil {
 		return nil, err

diff --git a/pkg/manager/member/tikv_member_manager.go b/pkg/manager/member/tikv_member_manager.go
@@ -15,6 +15,7 @@ package member
 
 import (
 	"fmt"
+	"path"
 	"reflect"
 	"regexp"
 	"strings"
@@ -36,6 +37,11 @@ import (
 	glog "k8s.io/klog"
 )
 
+const (
+	// tikvClusterCertPath is where the cert for inter-cluster communication stored (if any)
+	tikvClusterCertPath = "/var/lib/tikv-tls"
+)
+
 // tikvMemberManager implements manager.Manager.
 type tikvMemberManager struct {
 	setControl                   controller.StatefulSetControlInterface
@@ -525,6 +531,17 @@ func getTikVConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
 	if config == nil {
 		return nil, nil
 	}
+
+	// override CA if tls enabled
+	if tc.IsTLSClusterEnabled() {
+		if config.Security == nil {
+			config.Security = &v1alpha1.TiKVSecurityConfig{}
+		}
+		config.Security.CAPath = serviceAccountCAPath
+		config.Security.CertPath = path.Join(tikvClusterCertPath, "cert")
+		config.Security.KeyPath = path.Join(tikvClusterCertPath, "key")
+	}
+
 	confText, err := MarshalTOML(config)
 	if err != nil {
 		return nil, err