support tls for tiflash

docs/api-references/docs.md

@@ -3034,6 +3034,30 @@ int64
 </tr>
 <tr>
 <td>
+<code>tcp_port_secure</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 9000</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>https_port</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 8123</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>logger</code></br>
 <em>
 <a href="#flashlogger">
@@ -3045,6 +3069,19 @@ FlashLogger
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>security</code></br>
+<em>
+<a href="#tikvsecurityconfig">
+TiKVSecurityConfig
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="componentaccessor">ComponentAccessor</h3>
@@ -13965,6 +14002,7 @@ TiKVStorageReadPoolConfig
 <h3 id="tikvsecurityconfig">TiKVSecurityConfig</h3>
 <p>
 (<em>Appears on:</em>
+<a href="#commonconfig">CommonConfig</a>, 
 <a href="#tikvconfig">TiKVConfig</a>)
 </p>
 <p>

pkg/apis/pingcap/v1alpha1/tiflash_config.go

@@ -124,6 +124,14 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	HTTPPort *int32 `json:"http_port,omitempty" toml:"http_port,omitempty"`
+	// Optional: Defaults to 9000
+	// +optional
+	// +k8s:openapi-gen=false
+	TCPPortSecure *int32 `json:"tcp_port_secure,omitempty" toml:"tcp_port_secure,omitempty"`
+	// Optional: Defaults to 8123
+	// +optional
+	// +k8s:openapi-gen=false
+	HTTPSPort *int32 `json:"https_port,omitempty" toml:"https_port,omitempty"`
 	// Optional: Defaults to 9009
 	// +optional
 	// +k8s:openapi-gen=false
@@ -150,6 +158,9 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	FlashProfile *FlashProfile `json:"profiles,omitempty" toml:"profiles,omitempty"`
+	// +optional
+	// +k8s:openapi-gen=false
+	Security *TiKVSecurityConfig `json:"security,omitempty" toml:"security,omitempty"`
 }
 
 // FlashProfile is the configuration of [profiles] section.

pkg/manager/member/tiflash_member_manager.go

@@ -15,6 +15,7 @@ package member
 
 import (
 	"fmt"
+	"path"
 	"reflect"
 	"regexp"
 	"strings"
@@ -41,6 +42,8 @@ import (
 const (
 	//find a better way to manage store only managed by tiflash in Operator
 	tiflashStoreLimitPattern = `%s-tiflash-\d+\.%s-tiflash-peer\.%s\.svc\:\d+`
+	tiflashCertPath          = "/var/lib/tiflash-tls"
+	tiflashCertVolumeName    = "tiflash-tls"
 )
 
 // tiflashMemberManager implements manager.Manager.
@@ -332,12 +335,11 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 			Name: fmt.Sprintf("data%d", k), MountPath: fmt.Sprintf("/data%d", k)})
 	}
 
-	// TiFlash does not support TLS yet
-	// if tc.IsTLSClusterEnabled() {
-	// 	volMounts = append(volMounts, corev1.VolumeMount{
-	// 		Name: "tiflash-tls", ReadOnly: true, MountPath: "/var/lib/tiflash-tls",
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		volMounts = append(volMounts, corev1.VolumeMount{
+			Name: tiflashCertVolumeName, ReadOnly: true, MountPath: tiflashCertPath,
+		})
+	}
 
 	vols := []corev1.Volume{
 		annVolume,
@@ -350,15 +352,15 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 		},
 	}
 
-	// if tc.IsTLSClusterEnabled() {
-	// 	vols = append(vols, corev1.Volume{
-	// 		Name: "tiflash-tls", VolumeSource: corev1.VolumeSource{
-	// 			Secret: &corev1.SecretVolumeSource{
-	// 				SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
-	// 			},
-	// 		},
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		vols = append(vols, corev1.Volume{
+			Name: tiflashCertVolumeName, VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
+				},
+			},
+		})
+	}
 
 	sysctls := "sysctl -w"
 	var initContainers []corev1.Container
@@ -587,15 +589,27 @@ func getTiFlashConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
 	}
 	setTiFlashConfigDefault(config, tc.Name, tc.Namespace)
 
-	// override CA if tls enabled
-	// if tc.IsTLSClusterEnabled() {
-	// 	if config.Security == nil {
-	// 		config.Security = &v1alpha1.TiFlashSecurityConfig{}
-	// 	}
-	// 	config.Security.CAPath = path.Join(tiflashClusterCertPath, tlsSecretRootCAKey)
-	// 	config.Security.CertPath = path.Join(tiflashClusterCertPath, corev1.TLSCertKey)
-	// 	config.Security.KeyPath = path.Join(tiflashClusterCertPath, corev1.TLSPrivateKeyKey)
-	// }
+	if tc.IsTLSClusterEnabled() {
+		if config.CommonConfig.Security == nil {
+			config.CommonConfig.Security = &v1alpha1.TiKVSecurityConfig{}
+		}
+		if config.ProxyConfig.Security == nil {
+			config.ProxyConfig.Security = &v1alpha1.TiKVSecurityConfig{}
+		}
+		config.ProxyConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.ProxyConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.ProxyConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		config.CommonConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.CommonConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.CommonConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		// unset the http ports
+		config.CommonConfig.HTTPPort = nil
+		config.CommonConfig.TCPPort = nil
+	} else {
+		// unset the https ports
+		config.CommonConfig.HTTPSPort = nil
+		config.CommonConfig.TCPPortSecure = nil
+	}
 
 	configText, err := MarshalTOML(config.CommonConfig)
 	if err != nil {

pkg/manager/member/tiflash_util.go

@@ -178,6 +178,14 @@ func setTiFlashCommonConfigDefault(config *v1alpha1.CommonConfig, clusterName, n
 		var p int32 = 9000
 		config.TCPPort = &p
 	}
+	if config.TCPPortSecure == nil {
+		var p int32 = 9000
+		config.TCPPortSecure = &p
+	}
+	if config.HTTPSPort == nil {
+		var p int32 = 8123
+		config.HTTPSPort = &p
+	}
 	if config.HTTPPort == nil {
 		var p int32 = 8123
 		config.HTTPPort = &p