diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
index f0e840e9a0..6686e50bd2 100644
--- a/docs/api-references/docs.md
+++ b/docs/api-references/docs.md
@@ -3034,6 +3034,30 @@ int64
 </tr>
 <tr>
 <td>
+<code>tcp_port_secure</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 9000</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>https_port</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 8123</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>logger</code></br>
 <em>
 <a href="#flashlogger">
@@ -3045,6 +3069,19 @@ FlashLogger
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>security</code></br>
+<em>
+<a href="#flashsecurity">
+FlashSecurity
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="componentaccessor">ComponentAccessor</h3>
@@ -4185,6 +4222,56 @@ int32
 </tr>
 </tbody>
 </table>
+<h3 id="flashsecurity">FlashSecurity</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#commonconfig">CommonConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>ca_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+<tr>
+<td>
+<code>cert_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+<tr>
+<td>
+<code>key_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="gcsstorageprovider">GcsStorageProvider</h3>
 <p>
 (<em>Appears on:</em>
diff --git a/pkg/apis/pingcap/v1alpha1/tiflash_config.go b/pkg/apis/pingcap/v1alpha1/tiflash_config.go
index 4d07296787..ffa84f396b 100644
--- a/pkg/apis/pingcap/v1alpha1/tiflash_config.go
+++ b/pkg/apis/pingcap/v1alpha1/tiflash_config.go
@@ -124,6 +124,14 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	HTTPPort *int32 `json:"http_port,omitempty" toml:"http_port,omitempty"`
+	// Optional: Defaults to 9000
+	// +optional
+	// +k8s:openapi-gen=false
+	TCPPortSecure *int32 `json:"tcp_port_secure,omitempty" toml:"tcp_port_secure,omitempty"`
+	// Optional: Defaults to 8123
+	// +optional
+	// +k8s:openapi-gen=false
+	HTTPSPort *int32 `json:"https_port,omitempty" toml:"https_port,omitempty"`
 	// Optional: Defaults to 9009
 	// +optional
 	// +k8s:openapi-gen=false
@@ -150,6 +158,9 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	FlashProfile *FlashProfile `json:"profiles,omitempty" toml:"profiles,omitempty"`
+	// +optional
+	// +k8s:openapi-gen=false
+	Security *FlashSecurity `json:"security,omitempty" toml:"security,omitempty"`
 }
 
 // FlashProfile is the configuration of [profiles] section.
@@ -352,3 +363,13 @@ type FlashProxy struct {
 	// +optional
 	LogFile *string `json:"log-file,omitempty" toml:"log-file,omitempty"`
 }
+
+// +k8s:openapi-gen=false
+type FlashSecurity struct {
+	// +optional
+	CAPath *string `json:"ca_path,omitempty" toml:"ca_path,omitempty"`
+	// +optional
+	CertPath *string `json:"cert_path,omitempty" toml:"cert_path,omitempty"`
+	// +optional
+	KeyPath *string `json:"key_path,omitempty" toml:"key_path,omitempty"`
+}
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index 8b21c17004..1a165d95e1 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
@@ -518,6 +518,16 @@ func (in *CommonConfig) DeepCopyInto(out *CommonConfig) {
 		*out = new(int32)
 		**out = **in
 	}
+	if in.TCPPortSecure != nil {
+		in, out := &in.TCPPortSecure, &out.TCPPortSecure
+		*out = new(int32)
+		**out = **in
+	}
+	if in.HTTPSPort != nil {
+		in, out := &in.HTTPSPort, &out.HTTPSPort
+		*out = new(int32)
+		**out = **in
+	}
 	if in.InternalServerHTTPPort != nil {
 		in, out := &in.InternalServerHTTPPort, &out.InternalServerHTTPPort
 		*out = new(int32)
@@ -563,6 +573,11 @@ func (in *CommonConfig) DeepCopyInto(out *CommonConfig) {
 		*out = new(FlashProfile)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Security != nil {
+		in, out := &in.Security, &out.Security
+		*out = new(FlashSecurity)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -1333,6 +1348,37 @@ func (in *FlashRaft) DeepCopy() *FlashRaft {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FlashSecurity) DeepCopyInto(out *FlashSecurity) {
+	*out = *in
+	if in.CAPath != nil {
+		in, out := &in.CAPath, &out.CAPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertPath != nil {
+		in, out := &in.CertPath, &out.CertPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyPath != nil {
+		in, out := &in.KeyPath, &out.KeyPath
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlashSecurity.
+func (in *FlashSecurity) DeepCopy() *FlashSecurity {
+	if in == nil {
+		return nil
+	}
+	out := new(FlashSecurity)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FlashServerConfig) DeepCopyInto(out *FlashServerConfig) {
 	*out = *in
diff --git a/pkg/manager/member/tiflash_member_manager.go b/pkg/manager/member/tiflash_member_manager.go
index f98f466892..df4be1656e 100644
--- a/pkg/manager/member/tiflash_member_manager.go
+++ b/pkg/manager/member/tiflash_member_manager.go
@@ -41,6 +41,8 @@ import (
 const (
 	//find a better way to manage store only managed by tiflash in Operator
 	tiflashStoreLimitPattern = `%s-tiflash-\d+\.%s-tiflash-peer\.%s\.svc\:\d+`
+	tiflashCertPath          = "/var/lib/tiflash-tls"
+	tiflashCertVolumeName    = "tiflash-tls"
 )
 
 // tiflashMemberManager implements manager.Manager.
@@ -332,12 +334,11 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 			Name: fmt.Sprintf("data%d", k), MountPath: fmt.Sprintf("/data%d", k)})
 	}
 
-	// TiFlash does not support TLS yet
-	// if tc.IsTLSClusterEnabled() {
-	// 	volMounts = append(volMounts, corev1.VolumeMount{
-	// 		Name: "tiflash-tls", ReadOnly: true, MountPath: "/var/lib/tiflash-tls",
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		volMounts = append(volMounts, corev1.VolumeMount{
+			Name: tiflashCertVolumeName, ReadOnly: true, MountPath: tiflashCertPath,
+		})
+	}
 
 	vols := []corev1.Volume{
 		annVolume,
@@ -350,15 +351,15 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 		},
 	}
 
-	// if tc.IsTLSClusterEnabled() {
-	// 	vols = append(vols, corev1.Volume{
-	// 		Name: "tiflash-tls", VolumeSource: corev1.VolumeSource{
-	// 			Secret: &corev1.SecretVolumeSource{
-	// 				SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
-	// 			},
-	// 		},
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		vols = append(vols, corev1.Volume{
+			Name: tiflashCertVolumeName, VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
+				},
+			},
+		})
+	}
 
 	sysctls := "sysctl -w"
 	var initContainers []corev1.Container
@@ -568,34 +569,7 @@ func flashVolumeClaimTemplate(storageClaims []v1alpha1.StorageClaim) ([]corev1.P
 }
 
 func getTiFlashConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
-	config := tc.Spec.TiFlash.Config.DeepCopy()
-	if config == nil {
-		config = &v1alpha1.TiFlashConfig{}
-	}
-	var paths []string
-	for k := range tc.Spec.TiFlash.StorageClaims {
-		paths = append(paths, fmt.Sprintf("/data%d/db", k))
-	}
-	if len(paths) > 0 {
-		dataPath := strings.Join(paths, ",")
-		if config.CommonConfig == nil {
-			config.CommonConfig = &v1alpha1.CommonConfig{}
-		}
-		if config.CommonConfig.FlashDataPath == nil {
-			config.CommonConfig.FlashDataPath = pointer.StringPtr(dataPath)
-		}
-	}
-	setTiFlashConfigDefault(config, tc.Name, tc.Namespace)
-
-	// override CA if tls enabled
-	// if tc.IsTLSClusterEnabled() {
-	// 	if config.Security == nil {
-	// 		config.Security = &v1alpha1.TiFlashSecurityConfig{}
-	// 	}
-	// 	config.Security.CAPath = path.Join(tiflashClusterCertPath, tlsSecretRootCAKey)
-	// 	config.Security.CertPath = path.Join(tiflashClusterCertPath, corev1.TLSCertKey)
-	// 	config.Security.KeyPath = path.Join(tiflashClusterCertPath, corev1.TLSPrivateKeyKey)
-	// }
+	config := getTiFlashConfig(tc)
 
 	configText, err := MarshalTOML(config.CommonConfig)
 	if err != nil {
diff --git a/pkg/manager/member/tiflash_util.go b/pkg/manager/member/tiflash_util.go
index 1907c0e474..4670881358 100644
--- a/pkg/manager/member/tiflash_util.go
+++ b/pkg/manager/member/tiflash_util.go
@@ -16,6 +16,7 @@ package member
 import (
 	"fmt"
 	"os"
+	"path"
 	"strings"
 
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
@@ -88,6 +89,52 @@ func buildSidecarContainer(name, path, image string,
 	}
 }
 
+func getTiFlashConfig(tc *v1alpha1.TidbCluster) *v1alpha1.TiFlashConfig {
+	config := tc.Spec.TiFlash.Config.DeepCopy()
+	if config == nil {
+		config = &v1alpha1.TiFlashConfig{}
+	}
+
+	if config.CommonConfig == nil {
+		config.CommonConfig = &v1alpha1.CommonConfig{}
+	}
+	if config.CommonConfig.FlashDataPath == nil {
+		var paths []string
+		for k := range tc.Spec.TiFlash.StorageClaims {
+			paths = append(paths, fmt.Sprintf("/data%d/db", k))
+		}
+		if len(paths) > 0 {
+			dataPath := strings.Join(paths, ",")
+			config.CommonConfig.FlashDataPath = pointer.StringPtr(dataPath)
+		}
+	}
+
+	setTiFlashConfigDefault(config, tc.Name, tc.Namespace)
+
+	if tc.IsTLSClusterEnabled() {
+		if config.CommonConfig.Security == nil {
+			config.CommonConfig.Security = &v1alpha1.FlashSecurity{}
+		}
+		if config.ProxyConfig.Security == nil {
+			config.ProxyConfig.Security = &v1alpha1.TiKVSecurityConfig{}
+		}
+		config.ProxyConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.ProxyConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.ProxyConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		config.CommonConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.CommonConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.CommonConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		// unset the http ports
+		config.CommonConfig.HTTPPort = nil
+		config.CommonConfig.TCPPort = nil
+	} else {
+		// unset the https ports
+		config.CommonConfig.HTTPSPort = nil
+		config.CommonConfig.TCPPortSecure = nil
+	}
+	return config
+}
+
 func setTiFlashLogConfigDefault(config *v1alpha1.TiFlashConfig) {
 	if config.CommonConfig == nil {
 		config.CommonConfig = &v1alpha1.CommonConfig{}
@@ -178,6 +225,14 @@ func setTiFlashCommonConfigDefault(config *v1alpha1.CommonConfig, clusterName, n
 		var p int32 = 9000
 		config.TCPPort = &p
 	}
+	if config.TCPPortSecure == nil {
+		var p int32 = 9000
+		config.TCPPortSecure = &p
+	}
+	if config.HTTPSPort == nil {
+		var p int32 = 8123
+		config.HTTPSPort = &p
+	}
 	if config.HTTPPort == nil {
 		var p int32 = 8123
 		config.HTTPPort = &p
diff --git a/pkg/manager/member/tiflash_util_test.go b/pkg/manager/member/tiflash_util_test.go
index b3bcea22c7..26cf76e8ce 100644
--- a/pkg/manager/member/tiflash_util_test.go
+++ b/pkg/manager/member/tiflash_util_test.go
@@ -14,8 +14,10 @@
 package member
 
 import (
+	"path"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	. "github.com/onsi/gomega"
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
@@ -27,6 +29,106 @@ import (
 
 var (
 	defaultTiFlashConfig = v1alpha1.TiFlashConfig{
+		CommonConfig: &v1alpha1.CommonConfig{
+			FlashApplication: &v1alpha1.FlashApplication{
+				RunAsDaemon: pointer.BoolPtr(true),
+			},
+			DefaultProfile: pointer.StringPtr("default"),
+			DisplayName:    pointer.StringPtr("TiFlash"),
+			Flash: &v1alpha1.Flash{
+				CompactLogMinPeriod: pointer.Int32Ptr(200),
+				FlashCluster: &v1alpha1.FlashCluster{
+					ClusterManagerPath: pointer.StringPtr("/tiflash/flash_cluster_manager"),
+					ClusterLog:         pointer.StringPtr("/data0/logs/flash_cluster_manager.log"),
+					MasterTTL:          pointer.Int32Ptr(60),
+					RefreshInterval:    pointer.Int32Ptr(20),
+					UpdateRuleInterval: pointer.Int32Ptr(10),
+				},
+				OverlapThreshold: pointer.Float64Ptr(0.6),
+				FlashProxy: &v1alpha1.FlashProxy{
+					Addr:          pointer.StringPtr("0.0.0.0:20170"),
+					AdvertiseAddr: pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:20170"),
+					Config:        pointer.StringPtr("/data0/proxy.toml"),
+					DataDir:       pointer.StringPtr("/data0/proxy"),
+					LogFile:       pointer.StringPtr("/data0/logs/proxy.log"),
+				},
+				ServiceAddr:    pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:3930"),
+				TiDBStatusAddr: pointer.StringPtr("test-tidb.test.svc:10080"),
+			},
+			HTTPPort:               pointer.Int32Ptr(8123),
+			HTTPSPort:              pointer.Int32Ptr(8123),
+			InternalServerHTTPPort: pointer.Int32Ptr(9009),
+			ListenHost:             pointer.StringPtr("0.0.0.0"),
+			FlashLogger: &v1alpha1.FlashLogger{
+				Count:     pointer.Int32Ptr(10),
+				ErrorLog:  pointer.StringPtr("/data0/logs/error.log"),
+				Level:     pointer.StringPtr("information"),
+				ServerLog: pointer.StringPtr("/data0/logs/server.log"),
+				Size:      pointer.StringPtr("100M"),
+			},
+			MarkCacheSize:        pointer.Int64Ptr(5368709120),
+			MinmaxIndexCacheSize: pointer.Int64Ptr(5368709120),
+			FlashDataPath:        pointer.StringPtr("/data0/db"),
+			PathRealtimeMode:     pointer.BoolPtr(false),
+			FlashProfile: &v1alpha1.FlashProfile{
+				Default: &v1alpha1.Profile{
+					LoadBalancing:        pointer.StringPtr("random"),
+					MaxMemoryUsage:       pointer.Int64Ptr(10000000000),
+					UseUncompressedCache: pointer.Int32Ptr(0),
+				},
+				Readonly: &v1alpha1.Profile{
+					Readonly: pointer.Int32Ptr(1),
+				},
+			},
+			FlashQuota: &v1alpha1.FlashQuota{
+				Default: &v1alpha1.Quota{
+					Interval: &v1alpha1.Interval{
+						Duration:      pointer.Int32Ptr(3600),
+						Errors:        pointer.Int32Ptr(0),
+						ExecutionTime: pointer.Int32Ptr(0),
+						Queries:       pointer.Int32Ptr(0),
+						ReadRows:      pointer.Int32Ptr(0),
+						ResultRows:    pointer.Int32Ptr(0),
+					},
+				},
+			},
+			FlashRaft: &v1alpha1.FlashRaft{
+				KVStorePath:   pointer.StringPtr("/data0/kvstore"),
+				PDAddr:        pointer.StringPtr("test-pd.test.svc:2379"),
+				StorageEngine: pointer.StringPtr("dt"),
+			},
+			FlashStatus: &v1alpha1.FlashStatus{
+				MetricsPort: pointer.Int32Ptr(8234),
+			},
+			TCPPort:       pointer.Int32Ptr(9000),
+			TCPPortSecure: pointer.Int32Ptr(9000),
+			TmpPath:       pointer.StringPtr("/data0/tmp"),
+			FlashUser: &v1alpha1.FlashUser{
+				Default: &v1alpha1.User{
+					Networks: &v1alpha1.Networks{
+						IP: pointer.StringPtr("::/0"),
+					},
+					Profile: pointer.StringPtr("default"),
+					Quota:   pointer.StringPtr("default"),
+				},
+				Readonly: &v1alpha1.User{
+					Networks: &v1alpha1.Networks{
+						IP: pointer.StringPtr("::/0"),
+					},
+					Profile: pointer.StringPtr("readonly"),
+					Quota:   pointer.StringPtr("default"),
+				},
+			},
+		},
+		ProxyConfig: &v1alpha1.ProxyConfig{
+			LogLevel: pointer.StringPtr("info"),
+			Server: &v1alpha1.FlashServerConfig{
+				EngineAddr: pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:3930"),
+				StatusAddr: pointer.StringPtr("0.0.0.0:20292"),
+			},
+		},
+	}
+	defaultTiFlashNonTLSConfig = v1alpha1.TiFlashConfig{
 		CommonConfig: &v1alpha1.CommonConfig{
 			FlashApplication: &v1alpha1.FlashApplication{
 				RunAsDaemon: pointer.BoolPtr(true),
@@ -124,6 +226,114 @@ var (
 			},
 		},
 	}
+	defaultTiFlashTLSConfig = v1alpha1.TiFlashConfig{
+		CommonConfig: &v1alpha1.CommonConfig{
+			FlashApplication: &v1alpha1.FlashApplication{
+				RunAsDaemon: pointer.BoolPtr(true),
+			},
+			DefaultProfile: pointer.StringPtr("default"),
+			DisplayName:    pointer.StringPtr("TiFlash"),
+			Flash: &v1alpha1.Flash{
+				CompactLogMinPeriod: pointer.Int32Ptr(200),
+				FlashCluster: &v1alpha1.FlashCluster{
+					ClusterManagerPath: pointer.StringPtr("/tiflash/flash_cluster_manager"),
+					ClusterLog:         pointer.StringPtr("/data0/logs/flash_cluster_manager.log"),
+					MasterTTL:          pointer.Int32Ptr(60),
+					RefreshInterval:    pointer.Int32Ptr(20),
+					UpdateRuleInterval: pointer.Int32Ptr(10),
+				},
+				OverlapThreshold: pointer.Float64Ptr(0.6),
+				FlashProxy: &v1alpha1.FlashProxy{
+					Addr:          pointer.StringPtr("0.0.0.0:20170"),
+					AdvertiseAddr: pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:20170"),
+					Config:        pointer.StringPtr("/data0/proxy.toml"),
+					DataDir:       pointer.StringPtr("/data0/proxy"),
+					LogFile:       pointer.StringPtr("/data0/logs/proxy.log"),
+				},
+				ServiceAddr:    pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:3930"),
+				TiDBStatusAddr: pointer.StringPtr("test-tidb.test.svc:10080"),
+			},
+			HTTPSPort:              pointer.Int32Ptr(8123),
+			InternalServerHTTPPort: pointer.Int32Ptr(9009),
+			ListenHost:             pointer.StringPtr("0.0.0.0"),
+			FlashLogger: &v1alpha1.FlashLogger{
+				Count:     pointer.Int32Ptr(10),
+				ErrorLog:  pointer.StringPtr("/data0/logs/error.log"),
+				Level:     pointer.StringPtr("information"),
+				ServerLog: pointer.StringPtr("/data0/logs/server.log"),
+				Size:      pointer.StringPtr("100M"),
+			},
+			MarkCacheSize:        pointer.Int64Ptr(5368709120),
+			MinmaxIndexCacheSize: pointer.Int64Ptr(5368709120),
+			FlashDataPath:        pointer.StringPtr("/data0/db"),
+			PathRealtimeMode:     pointer.BoolPtr(false),
+			FlashProfile: &v1alpha1.FlashProfile{
+				Default: &v1alpha1.Profile{
+					LoadBalancing:        pointer.StringPtr("random"),
+					MaxMemoryUsage:       pointer.Int64Ptr(10000000000),
+					UseUncompressedCache: pointer.Int32Ptr(0),
+				},
+				Readonly: &v1alpha1.Profile{
+					Readonly: pointer.Int32Ptr(1),
+				},
+			},
+			FlashQuota: &v1alpha1.FlashQuota{
+				Default: &v1alpha1.Quota{
+					Interval: &v1alpha1.Interval{
+						Duration:      pointer.Int32Ptr(3600),
+						Errors:        pointer.Int32Ptr(0),
+						ExecutionTime: pointer.Int32Ptr(0),
+						Queries:       pointer.Int32Ptr(0),
+						ReadRows:      pointer.Int32Ptr(0),
+						ResultRows:    pointer.Int32Ptr(0),
+					},
+				},
+			},
+			FlashRaft: &v1alpha1.FlashRaft{
+				KVStorePath:   pointer.StringPtr("/data0/kvstore"),
+				PDAddr:        pointer.StringPtr("test-pd.test.svc:2379"),
+				StorageEngine: pointer.StringPtr("dt"),
+			},
+			FlashStatus: &v1alpha1.FlashStatus{
+				MetricsPort: pointer.Int32Ptr(8234),
+			},
+			Security: &v1alpha1.FlashSecurity{
+				CAPath:   pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey)),
+				CertPath: pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey)),
+				KeyPath:  pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey)),
+			},
+			TCPPortSecure: pointer.Int32Ptr(9000),
+			TmpPath:       pointer.StringPtr("/data0/tmp"),
+			FlashUser: &v1alpha1.FlashUser{
+				Default: &v1alpha1.User{
+					Networks: &v1alpha1.Networks{
+						IP: pointer.StringPtr("::/0"),
+					},
+					Profile: pointer.StringPtr("default"),
+					Quota:   pointer.StringPtr("default"),
+				},
+				Readonly: &v1alpha1.User{
+					Networks: &v1alpha1.Networks{
+						IP: pointer.StringPtr("::/0"),
+					},
+					Profile: pointer.StringPtr("readonly"),
+					Quota:   pointer.StringPtr("default"),
+				},
+			},
+		},
+		ProxyConfig: &v1alpha1.ProxyConfig{
+			LogLevel: pointer.StringPtr("info"),
+			Server: &v1alpha1.FlashServerConfig{
+				EngineAddr: pointer.StringPtr("test-tiflash-POD_NUM.test-tiflash-peer.test.svc:3930"),
+				StatusAddr: pointer.StringPtr("0.0.0.0:20292"),
+			},
+			Security: &v1alpha1.TiKVSecurityConfig{
+				CAPath:   pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey)),
+				CertPath: pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey)),
+				KeyPath:  pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey)),
+			},
+		},
+	}
 	customTiFlashConfig = v1alpha1.TiFlashConfig{
 		CommonConfig: &v1alpha1.CommonConfig{
 			FlashApplication: &v1alpha1.FlashApplication{
@@ -595,3 +805,69 @@ func TestSetTiFlashLogConfigDefault(t *testing.T) {
 		})
 	}
 }
+
+func TestGetTiFlashConfig(t *testing.T) {
+	testCases := []struct {
+		name     string
+		tc       v1alpha1.TidbCluster
+		expected *v1alpha1.TiFlashConfig
+	}{
+		{
+			name: "TiFlash config is nil with TLS disabled",
+			tc: v1alpha1.TidbCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "test",
+				},
+				Spec: v1alpha1.TidbClusterSpec{
+					TiFlash: &v1alpha1.TiFlashSpec{},
+					TLSCluster: &v1alpha1.TLSCluster{
+						Enabled: true,
+					},
+				},
+			},
+			expected: &defaultTiFlashTLSConfig,
+		},
+		{
+			name: "TiFlash config is nil with TLS enabled",
+			tc: v1alpha1.TidbCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "test",
+				},
+				Spec: v1alpha1.TidbClusterSpec{
+					TiFlash: &v1alpha1.TiFlashSpec{},
+				},
+			},
+			expected: &defaultTiFlashNonTLSConfig,
+		},
+		{
+			name: "TiFlash config is nil with storageClaim",
+			tc: v1alpha1.TidbCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "test",
+				},
+				Spec: v1alpha1.TidbClusterSpec{
+					TiFlash: &v1alpha1.TiFlashSpec{
+						StorageClaims: []v1alpha1.StorageClaim{
+							{
+								StorageClassName: pointer.StringPtr("local-storage"),
+							},
+						},
+					},
+				},
+			},
+			expected: &defaultTiFlashNonTLSConfig,
+		},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			config := getTiFlashConfig(&tt.tc)
+			if diff := cmp.Diff(*tt.expected, *config); diff != "" {
+				t.Fatalf("unexpected configuration (-want, +got): %s", diff)
+			}
+		})
+	}
+}