pingcap · Yisaer · Mar 18, 2020 · Mar 16, 2020 · Mar 16, 2020 · Mar 16, 2020
diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml
@@ -467,7 +467,10 @@ tidb:
     #   2. Create a K8s Secret object which contains the TiDB server-side certificate created above.
     #      The name of this Secret must be: <clusterName>-tidb-server-secret.
     #        kubectl create secret generic <clusterName>-tidb-server-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-    #   3. Then create the TiDB cluster with `tlsClient.enabled` set to `true`.
+    #   3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator.
+    #      The name of this Secret must be: <clusterName>-tidb-client-secret.
+    #        kubectl create secret generic <clusterName>-tidb-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+    #   4. Then create the TiDB cluster with `tlsClient.enabled` set to `true`.
     enabled: false
 
 # mysqlClient is used to set password for TiDB

diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
@@ -7665,7 +7665,10 @@ <h3 id="pingcap.com/v1alpha1.TiDBTLSClient">TiDBTLSClient
 2. Create a K8s Secret object which contains the TiDB server-side certificate created above.
 The name of this Secret must be: <clusterName>-tidb-server-secret.
 kubectl create secret generic <clusterName>-tidb-server-secret &ndash;namespace=<namespace> &ndash;from-file=tls.crt=<path/to/tls.crt> &ndash;from-file=tls.key=<path/to/tls.key> &ndash;from-file=ca.crt=<path/to/ca.crt>
-3. Set Enabled to <code>true</code>.</p>
+3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator.
+The name of this Secret must be: <clusterName>-tidb-client-secret.
+kubectl create secret generic <clusterName>-tidb-client-secret &ndash;namespace=<namespace> &ndash;from-file=tls.crt=<path/to/tls.crt> &ndash;from-file=tls.key=<path/to/tls.key> &ndash;from-file=ca.crt=<path/to/ca.crt>
+4. Set Enabled to <code>true</code>.</p>
 </td>
 </tr>
 </tbody>

diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
@@ -616,7 +616,10 @@ type TiDBTLSClient struct {
 	//   2. Create a K8s Secret object which contains the TiDB server-side certificate created above.
 	//      The name of this Secret must be: <clusterName>-tidb-server-secret.
 	//        kubectl create secret generic <clusterName>-tidb-server-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-	//   3. Set Enabled to `true`.
+	//   3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator.
+	//      The name of this Secret must be: <clusterName>-tidb-client-secret.
+	//        kubectl create secret generic <clusterName>-tidb-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
+	//   4. Set Enabled to `true`.
 	// +optional
 	Enabled bool `json:"enabled,omitempty"`
 }

diff --git a/pkg/controller/tidbinitializer/tidb_initializer_controller.go b/pkg/controller/tidbinitializer/tidb_initializer_controller.go
@@ -64,6 +64,7 @@ func NewController(
 	recorder := eventBroadcaster.NewRecorder(v1alpha1.Scheme, corev1.EventSource{Component: "tidbinitializer"})
 
 	tidbInitializerInformer := informerFactory.Pingcap().V1alpha1().TidbInitializers()
+	tidbClusterInformer := informerFactory.Pingcap().V1alpha1().TidbClusters()
 	jobInformer := kubeInformerFactory.Batch().V1().Jobs()
 	typedControl := controller.NewTypedControl(controller.NewRealGenericControl(genericCli, recorder))
 
@@ -75,6 +76,7 @@ func NewController(
 				jobInformer.Lister(),
 				genericCli,
 				tidbInitializerInformer.Lister(),
+				tidbClusterInformer.Lister(),
 				typedControl,
 			),
 		),

diff --git a/pkg/manager/member/template.go b/pkg/manager/member/template.go
@@ -281,7 +281,11 @@ var tidbInitStartScriptTpl = template.Must(template.New("tidb-init-start-script"
 host = '{{ .ClusterName }}-tidb'
 permit_host = '{{ .PermitHost }}'
 port = 4000
+{{- if .TLS }}
+conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5, ssl={'ca': '{{ .CAPath }}', 'cert': '{{ .CertPath }}', 'key': '{{ .KeyPath }}'})
+{{- else }}
 conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5)
+{{- end }}
 {{- if .PasswordSet }}
 password_dir = '/etc/tidb/password'
 for file in os.listdir(password_dir):
@@ -313,6 +317,10 @@ type TiDBInitStartScriptModel struct {
 	PermitHost  string
 	PasswordSet bool
 	InitSQL     bool
+	TLS         bool
+	CAPath      string
+	CertPath    string
+	KeyPath     string
 }
 
 func RenderTiDBInitStartScript(model *TiDBInitStartScriptModel) (string, error) {

diff --git a/pkg/manager/member/tidb_init_manager.go b/pkg/manager/member/tidb_init_manager.go
@@ -30,6 +30,7 @@ import (
 	listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
 	"github.com/pingcap/tidb-operator/pkg/controller"
 	"github.com/pingcap/tidb-operator/pkg/label"
+	"github.com/pingcap/tidb-operator/pkg/util"
 )
 
 const (
@@ -59,6 +60,7 @@ type tidbInitManager struct {
 	jobLister    batchlisters.JobLister
 	genericCli   client.Client
 	tiLister     listers.TidbInitializerLister
+	tcLister     listers.TidbClusterLister
 	typedControl controller.TypedControlInterface
 }
 
@@ -67,12 +69,14 @@ func NewTiDBInitManager(
 	jobLister batchlisters.JobLister,
 	genericCli client.Client,
 	tiLister listers.TidbInitializerLister,
+	tcLister listers.TidbClusterLister,
 	typedControl controller.TypedControlInterface,
 ) InitManager {
 	return &tidbInitManager{
 		jobLister,
 		genericCli,
 		tiLister,
+		tcLister,
 		typedControl,
 	}
 }
@@ -134,6 +138,7 @@ func (tm *tidbInitManager) syncTiDBInitConfigMap(ti *v1alpha1.TidbInitializer) e
 	name := controller.TiDBInitializerMemberName(ti.Spec.Clusters.Name)
 	ns := ti.Namespace
 	cm := &corev1.ConfigMap{}
+	tcName := ti.Spec.Clusters.Name
 
 	exist, err := tm.typedControl.Exist(client.ObjectKey{
 		Namespace: ns,
@@ -146,7 +151,12 @@ func (tm *tidbInitManager) syncTiDBInitConfigMap(ti *v1alpha1.TidbInitializer) e
 		return nil
 	}
 
-	newCm, err := getTiDBInitConfigMap(ti)
+	tc, err := tm.tcLister.TidbClusters(ns).Get(tcName)
+	if err != nil {
+		return err
+	}
+
+	newCm, err := getTiDBInitConfigMap(ti, tc.Spec.TiDB.IsTLSClientEnabled())
 	if err != nil {
 		return err
 	}
@@ -187,6 +197,13 @@ func (tm *tidbInitManager) syncTiDBInitJob(ti *v1alpha1.TidbInitializer) error {
 
 func (tm *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batchv1.Job, error) {
 	jobName := controller.TiDBInitializerMemberName(ti.Spec.Clusters.Name)
+	ns := ti.Namespace
+	tcName := ti.Spec.Clusters.Name
+
+	tc, err := tm.tcLister.TidbClusters(ns).Get(tcName)
+	if err != nil {
+		return nil, err
+	}
 
 	var envs []corev1.EnvVar
 	if ti.Spec.Timezone != "" {
@@ -207,6 +224,21 @@ func (tm *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batch
 
 	var vms []corev1.VolumeMount
 	var vs []corev1.Volume
+	if tc.Spec.TiDB.IsTLSClientEnabled() {
+		vms = append(vms, corev1.VolumeMount{
+			Name:      "tidb-client-tls",
+			ReadOnly:  true,
+			MountPath: util.TiDBClientTLSPath,
+		})
+		vs = append(vs, corev1.Volume{
+			Name: "tidb-client-tls",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.TiDBClientTLSSecretName(tcName),
+				},
+			},
+		})
+	}
 	vms = append(vms, corev1.VolumeMount{
 		Name:      startKey,
 		ReadOnly:  true,
@@ -335,7 +367,7 @@ func (tm *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batch
 	return job, nil
 }
 
-func getTiDBInitConfigMap(ti *v1alpha1.TidbInitializer) (*corev1.ConfigMap, error) {
+func getTiDBInitConfigMap(ti *v1alpha1.TidbInitializer, tlsClientEnabled bool) (*corev1.ConfigMap, error) {
 	var initSQL, passwdSet bool
 
 	permitHost := ti.GetPermitHost()
@@ -354,12 +386,19 @@ func getTiDBInitConfigMap(ti *v1alpha1.TidbInitializer) (*corev1.ConfigMap, erro
 		return nil, err
 	}
 
-	startScript, err := RenderTiDBInitStartScript(&TiDBInitStartScriptModel{
+	initModel := &TiDBInitStartScriptModel{
 		ClusterName: ti.Spec.Clusters.Name,
 		PermitHost:  permitHost,
 		InitSQL:     initSQL,
 		PasswordSet: passwdSet,
-	})
+	}
+	if tlsClientEnabled {
+		initModel.TLS = true
+		initModel.CAPath = path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)
+		initModel.CertPath = path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)
+		initModel.KeyPath = path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)
+	}
+	startScript, err := RenderTiDBInitStartScript(initModel)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -30,6 +30,7 @@ import (
 
 var (
 	ClusterClientTLSPath = "/var/lib/cluster-client-tls"
+	TiDBClientTLSPath    = "/var/lib/tidb-client-tls"
 )
 
 func GetOrdinalFromPodName(podName string) (int32, error) {
@@ -175,3 +176,7 @@ func ClusterClientTLSSecretName(tcName string) string {
 func ClusterTLSSecretName(tcName, component string) string {
 	return fmt.Sprintf("%s-%s-cluster-secret", tcName, component)
 }
+
+func TiDBClientTLSSecretName(tcName string) string {
+	return fmt.Sprintf("%s-tidb-client-secret", tcName)
+}