pingcap · TomShawn · Aug 17, 2020 · Aug 14, 2020 · Aug 14, 2020 · Aug 14, 2020
diff --git a/en/dm-master-configuration-file.md b/en/dm-master-configuration-file.md
@@ -30,6 +30,11 @@ advertise-peer-urls = "http://127.0.0.1:8291"
 # cluster configuration
 initial-cluster = "master1=http://127.0.0.1:8291,master2=http://127.0.0.1:8292,master3=http://127.0.0.1:8293"
 join = ""
+
+ssl-ca = "/path/to/ca.pem"
+ssl-cert = "/path/to/cert.pem"
+ssl-key = "/path/to/key.pem"
+cert-allowed-cn = ["dm"] 
 ```
 
 ## Configuration parameters
@@ -49,3 +54,7 @@ This section introduces the configuration parameters of DM-master.
 | `advertise-peer-urls` | Specifies the peer URL that DM-master advertises to the outside world. The value of `advertise-peer-urls` is by default the same as that of `peer-urls`. |
 | `initial-cluster` | The value of `initial-cluster` is the combination of the `advertise-peer-urls` value of all DM-master nodes in the initial cluster. |
 | `join` | The value of `join` is the combination of the `advertise-peer-urls` value of the existed DM-master nodes in the cluster. If the DM-master node is newly added, replace `initial-cluster` with `join`. |
+| `ssl-ca` | Path of file that contains list of trusted SSL CAs for connection with DM-master components. |
+| `ssl-cert` | Path of file that contains X509 certificate in PEM format for connection with DM-master components. |
+| `ssl-key` | Path of file that contains X509 key in PEM format for connection with DM-master components. |
+| `cert-allowed-cn` | Common Name list. |
diff --git a/en/dm-worker-configuration-file.md b/en/dm-worker-configuration-file.md
@@ -24,6 +24,11 @@ log-file = "dm-worker.log"
 worker-addr = ":8262"
 advertise-addr = "127.0.0.1:8262"
 join = "127.0.0.1:8261,127.0.0.1:8361,127.0.0.1:8461"
+
+ssl-ca = "/path/to/ca.pem"
+ssl-cert = "/path/to/cert.pem"
+ssl-key = "/path/to/key.pem"
+cert-allowed-cn = ["dm"] 
 ```
 
 ## Configuration parameters
@@ -38,3 +43,7 @@ join = "127.0.0.1:8261,127.0.0.1:8361,127.0.0.1:8461"
 | `worker-addr` | Specifies the address of DM-worker which provides services. You can omit the IP address and specify the port number only, such as ":8262". |
 | `advertise-addr` | Specifies the address that DM-worker advertises to the outside world. |
 | `join` | Corresponds to one or more [`master-addr`s](dm-master-configuration-file.md#global-configuration) in the DM-master configuration file. |
+| `ssl-ca` | Path of file that contains list of trusted SSL CAs for connection with DM-worker components. |
+| `ssl-cert` | Path of file that contains X509 certificate in PEM format for connection with DM-worker components. |
+| `ssl-key` | Path of file that contains X509 key in PEM format for connection with DM-worker components. |
+| `cert-allowed-cn` | Common Name list. |
diff --git a/en/source-configuration-file.md b/en/source-configuration-file.md
@@ -22,7 +22,11 @@ from:
   host: "127.0.0.1"
   port: 3306
   user: "root"
-  password: "ZqMLjZ2j5khNelDEfDoUhkD5aV5fIJOe0fiog9w=" # The user password of the upstream database. Note that the password must be encrypted using dmctl.
+  password: "ZqMLjZ2j5khNelDEfDoUhkD5aV5fIJOe0fiog9w=" # The user password of the upstream database. It is recommended to use the password encrypted with dmctl. 
+  security:                       # The TLS config of the upstream database
+    ssl-ca: "/path/to/ca.pem"
+    ssl-cert: "/path/to/cert.pem"
+    ssl-key: "/path/to/key.pem"
 ```
 
 ## Configuration parameters
@@ -38,4 +42,5 @@ This section describes each configuration parameter in the configuration file.
 | `host` | Specifies the host of the upstream database. |
 | `port` | Specifies the port of the upstream database. |
 | `user` | Specifies the username of the upstream database. |
-| `password` | Specifies the user password of the upstream database. Note that the password must be encrypted using dmctl. |
+| `password` | Specifies the user password of the upstream database. It is recommended to use the password encrypted with dmctl. |
+| `security` | Specifies the TLS config of the upstream database. |
diff --git a/en/task-configuration-file-full.md b/en/task-configuration-file-full.md
@@ -46,6 +46,10 @@ target-database:                # Configuration of the downstream database insta
     sql_mode: "ANSI_QUOTES,NO_ZERO_IN_DATE,NO_ZERO_DATE"
     tidb_skip_utf8_check: 1
     tidb_constraint_check_in_place: 0
+  security:                       # The TLS config of the downstream TiDB
+    ssl-ca: "/path/to/ca.pem"
+    ssl-cert: "/path/to/cert.pem"
+    ssl-key: "/path/to/key.pem"
 
 
 ## ******** Feature configuration set **********

diff --git a/zh/dm-master-configuration-file.md b/zh/dm-master-configuration-file.md
@@ -30,6 +30,10 @@ advertise-peer-urls = "http://127.0.0.1:8291"
 initial-cluster = "master1=http://127.0.0.1:8291,master2=http://127.0.0.1:8292,master3=http://127.0.0.1:8293"
 join = ""
 
+ssl-ca = "/path/to/ca.pem"
+ssl-cert = "/path/to/cert.pem"
+ssl-key = "/path/to/key.pem"
+cert-allowed-cn = ["dm"] 
 ```
 
 ## 配置项说明
@@ -47,3 +51,7 @@ join = ""
 | `advertise-peer-urls` | DM-master 向外界宣告的对等 URL。默认为 `peer-urls` 的值。|
 | `initial-cluster` | 初始集群中所有 DM-master 的 `advertise-peer-urls` 的值。|
 | `join` | 集群里已有的 DM-master 的 `advertise-peer-urls` 的值。如果是新加入的 DM-master 节点，使用 `join` 替代 `initial-cluster`。|
+| `ssl-ca` | DM-master 组件用于连接其它组件的 SSL CA 证书所在的路径  |
+| `ssl-cert` | DM-master 组件用于连接其它组件的 PEM 格式的 X509 证书所在的路径 |
+| `ssl-key` | DM-master 组件用于连接其它组件的 PEM 格式的 X509 密钥所在的路径  |
+| `cert-allowed-cn` | 证书检查 Common Name 列表 |
diff --git a/zh/dm-worker-configuration-file.md b/zh/dm-worker-configuration-file.md
@@ -22,6 +22,11 @@ log-file = "dm-worker.log"
 worker-addr = ":8262"
 advertise-addr = "127.0.0.1:8262"
 join = "127.0.0.1:8261,127.0.0.1:8361,127.0.0.1:8461"
+
+ssl-ca = "/path/to/ca.pem"
+ssl-cert = "/path/to/cert.pem"
+ssl-key = "/path/to/key.pem"
+cert-allowed-cn = ["dm"] 
 ```
 
 ## 配置项说明
@@ -36,3 +41,7 @@ join = "127.0.0.1:8261,127.0.0.1:8361,127.0.0.1:8461"
 | `worker-addr` | DM-worker 服务的地址，可以省略 IP 信息，例如：":8262"。|
 | `advertise-addr` | DM-worker 向外界宣告的地址。 |
 | `join` | 对应一个或多个 DM-master 配置中的 [`master-addr`](dm-master-configuration-file.md#global-配置)。 |
+| `ssl-ca` | DM-worker 组件用于连接其它组件的 SSL CA 证书所在的路径  |
+| `ssl-cert` | DM-worker 组件用于连接其它组件的 PEM 格式的 X509 证书所在的路径 |
+| `ssl-key` | DM-worker 组件用于连接其它组件的 PEM 格式的 X509 密钥所在的路径  |
+| `cert-allowed-cn` | 证书检查 Common Name 列表 |
diff --git a/zh/source-configuration-file.md b/zh/source-configuration-file.md
@@ -21,7 +21,11 @@ from:
   host: "127.0.0.1"
   port: 3306
   user: "root"
-  password: "ZqMLjZ2j5khNelDEfDoUhkD5aV5fIJOe0fiog9w=" # 使用 dmctl 对上游数据库的用户密码加密之后的密码
+  password: "ZqMLjZ2j5khNelDEfDoUhkD5aV5fIJOe0fiog9w=" # 推荐使用 dmctl 对上游数据库的用户密码加密之后的密码
+  security:                       # 上游数据库 TLS 相关配置                             
+    ssl-ca: "/path/to/ca.pem"
+    ssl-cert: "/path/to/cert.pem"
+    ssl-key: "/path/to/key.pem"
 ```
 
 ## 配置项说明
@@ -35,4 +39,5 @@ from:
 | `host` | 上游数据库的 host。|
 | `port` | 上游数据库的端口。|
 | `user` | 上游数据库使用的用户名。|
-| `password` | 上游数据库的用户密码。注意：需要使用 dmctl 加密后的密码。|
+| `password` | 上游数据库的用户密码。推荐使用 dmctl 加密后的密码。|
+| `security` | 上游数据库 TLS 相关配置。|
diff --git a/zh/task-configuration-file-full.md b/zh/task-configuration-file-full.md
@@ -50,6 +50,10 @@ target-database:                # 下游数据库实例配置
     sql_mode: "ANSI_QUOTES,NO_ZERO_IN_DATE,NO_ZERO_DATE"
     tidb_skip_utf8_check: 1
     tidb_constraint_check_in_place: 0
+  security:                       # 下游 TiDB TLS 相关配置                             
+    ssl-ca: "/path/to/ca.pem"
+    ssl-cert: "/path/to/cert.pem"
+    ssl-key: "/path/to/key.pem"
 
 ## ******** 功能配置集 **********