pingcap · DanielZhangQD · Aug 4, 2020 · Jul 31, 2020 · Aug 3, 2020 · Aug 3, 2020
diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
@@ -3034,6 +3034,30 @@ int64
 </tr>
 <tr>
 <td>
+<code>tcp_port_secure</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 9000</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>https_port</code></br>
+<em>
+int32
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional: Defaults to 8123</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>logger</code></br>
 <em>
 <a href="#flashlogger">
@@ -3045,6 +3069,19 @@ FlashLogger
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>security</code></br>
+<em>
+<a href="#flashsecurity">
+FlashSecurity
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="componentaccessor">ComponentAccessor</h3>
@@ -4185,6 +4222,56 @@ int32
 </tr>
 </tbody>
 </table>
+<h3 id="flashsecurity">FlashSecurity</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#commonconfig">CommonConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>ca_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+<tr>
+<td>
+<code>cert_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+<tr>
+<td>
+<code>key_path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="gcsstorageprovider">GcsStorageProvider</h3>
 <p>
 (<em>Appears on:</em>

diff --git a/pkg/apis/pingcap/v1alpha1/tiflash_config.go b/pkg/apis/pingcap/v1alpha1/tiflash_config.go
@@ -124,6 +124,14 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	HTTPPort *int32 `json:"http_port,omitempty" toml:"http_port,omitempty"`
+	// Optional: Defaults to 9000
+	// +optional
+	// +k8s:openapi-gen=false
+	TCPPortSecure *int32 `json:"tcp_port_secure,omitempty" toml:"tcp_port_secure,omitempty"`
+	// Optional: Defaults to 8123
+	// +optional
+	// +k8s:openapi-gen=false
+	HTTPSPort *int32 `json:"https_port,omitempty" toml:"https_port,omitempty"`
 	// Optional: Defaults to 9009
 	// +optional
 	// +k8s:openapi-gen=false
@@ -150,6 +158,9 @@ type CommonConfig struct {
 	// +optional
 	// +k8s:openapi-gen=false
 	FlashProfile *FlashProfile `json:"profiles,omitempty" toml:"profiles,omitempty"`
+	// +optional
+	// +k8s:openapi-gen=false
+	Security *FlashSecurity `json:"security,omitempty" toml:"security,omitempty"`
 }
 
 // FlashProfile is the configuration of [profiles] section.
@@ -352,3 +363,13 @@ type FlashProxy struct {
 	// +optional
 	LogFile *string `json:"log-file,omitempty" toml:"log-file,omitempty"`
 }
+
+// +k8s:openapi-gen=false
+type FlashSecurity struct {
+	// +optional
+	CAPath *string `json:"ca_path,omitempty" toml:"ca_path,omitempty"`
+	// +optional
+	CertPath *string `json:"cert_path,omitempty" toml:"cert_path,omitempty"`
+	// +optional
+	KeyPath *string `json:"key_path,omitempty" toml:"key_path,omitempty"`
+}
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/manager/member/tiflash_member_manager.go b/pkg/manager/member/tiflash_member_manager.go
@@ -41,6 +41,8 @@ import (
 const (
 	//find a better way to manage store only managed by tiflash in Operator
 	tiflashStoreLimitPattern = `%s-tiflash-\d+\.%s-tiflash-peer\.%s\.svc\:\d+`
+	tiflashCertPath          = "/var/lib/tiflash-tls"
+	tiflashCertVolumeName    = "tiflash-tls"
 )
 
 // tiflashMemberManager implements manager.Manager.
@@ -332,12 +334,11 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 			Name: fmt.Sprintf("data%d", k), MountPath: fmt.Sprintf("/data%d", k)})
 	}
 
-	// TiFlash does not support TLS yet
-	// if tc.IsTLSClusterEnabled() {
-	// 	volMounts = append(volMounts, corev1.VolumeMount{
-	// 		Name: "tiflash-tls", ReadOnly: true, MountPath: "/var/lib/tiflash-tls",
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		volMounts = append(volMounts, corev1.VolumeMount{
+			Name: tiflashCertVolumeName, ReadOnly: true, MountPath: tiflashCertPath,
+		})
+	}
 
 	vols := []corev1.Volume{
 		annVolume,
@@ -350,15 +351,15 @@ func getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*apps.St
 		},
 	}
 
-	// if tc.IsTLSClusterEnabled() {
-	// 	vols = append(vols, corev1.Volume{
-	// 		Name: "tiflash-tls", VolumeSource: corev1.VolumeSource{
-	// 			Secret: &corev1.SecretVolumeSource{
-	// 				SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
-	// 			},
-	// 		},
-	// 	})
-	// }
+	if tc.IsTLSClusterEnabled() {
+		vols = append(vols, corev1.Volume{
+			Name: tiflashCertVolumeName, VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.ClusterTLSSecretName(tc.Name, label.TiFlashLabelVal),
+				},
+			},
+		})
+	}
 
 	sysctls := "sysctl -w"
 	var initContainers []corev1.Container
@@ -568,34 +569,7 @@ func flashVolumeClaimTemplate(storageClaims []v1alpha1.StorageClaim) ([]corev1.P
 }
 
 func getTiFlashConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
-	config := tc.Spec.TiFlash.Config.DeepCopy()
-	if config == nil {
-		config = &v1alpha1.TiFlashConfig{}
-	}
-	var paths []string
-	for k := range tc.Spec.TiFlash.StorageClaims {
-		paths = append(paths, fmt.Sprintf("/data%d/db", k))
-	}
-	if len(paths) > 0 {
-		dataPath := strings.Join(paths, ",")
-		if config.CommonConfig == nil {
-			config.CommonConfig = &v1alpha1.CommonConfig{}
-		}
-		if config.CommonConfig.FlashDataPath == nil {
-			config.CommonConfig.FlashDataPath = pointer.StringPtr(dataPath)
-		}
-	}
-	setTiFlashConfigDefault(config, tc.Name, tc.Namespace)
-
-	// override CA if tls enabled
-	// if tc.IsTLSClusterEnabled() {
-	// 	if config.Security == nil {
-	// 		config.Security = &v1alpha1.TiFlashSecurityConfig{}
-	// 	}
-	// 	config.Security.CAPath = path.Join(tiflashClusterCertPath, tlsSecretRootCAKey)
-	// 	config.Security.CertPath = path.Join(tiflashClusterCertPath, corev1.TLSCertKey)
-	// 	config.Security.KeyPath = path.Join(tiflashClusterCertPath, corev1.TLSPrivateKeyKey)
-	// }
+	config := getTiFlashConfig(tc)
 
 	configText, err := MarshalTOML(config.CommonConfig)
 	if err != nil {

diff --git a/pkg/manager/member/tiflash_util.go b/pkg/manager/member/tiflash_util.go
@@ -16,6 +16,7 @@ package member
 import (
 	"fmt"
 	"os"
+	"path"
 	"strings"
 
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
@@ -88,6 +89,52 @@ func buildSidecarContainer(name, path, image string,
 	}
 }
 
+func getTiFlashConfig(tc *v1alpha1.TidbCluster) *v1alpha1.TiFlashConfig {
+	config := tc.Spec.TiFlash.Config.DeepCopy()
+	if config == nil {
+		config = &v1alpha1.TiFlashConfig{}
+	}
+
+	if config.CommonConfig == nil {
+		config.CommonConfig = &v1alpha1.CommonConfig{}
+	}
+	if config.CommonConfig.FlashDataPath == nil {
+		var paths []string
+		for k := range tc.Spec.TiFlash.StorageClaims {
+			paths = append(paths, fmt.Sprintf("/data%d/db", k))
+		}
+		if len(paths) > 0 {
+			dataPath := strings.Join(paths, ",")
+			config.CommonConfig.FlashDataPath = pointer.StringPtr(dataPath)
+		}
+	}
+
+	setTiFlashConfigDefault(config, tc.Name, tc.Namespace)
+
+	if tc.IsTLSClusterEnabled() {
+		if config.CommonConfig.Security == nil {
+			config.CommonConfig.Security = &v1alpha1.FlashSecurity{}
+		}
+		if config.ProxyConfig.Security == nil {
+			config.ProxyConfig.Security = &v1alpha1.TiKVSecurityConfig{}
+		}
+		config.ProxyConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.ProxyConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.ProxyConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		config.CommonConfig.Security.CAPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.ServiceAccountRootCAKey))
+		config.CommonConfig.Security.CertPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSCertKey))
+		config.CommonConfig.Security.KeyPath = pointer.StringPtr(path.Join(tiflashCertPath, corev1.TLSPrivateKeyKey))
+		// unset the http ports
+		config.CommonConfig.HTTPPort = nil
+		config.CommonConfig.TCPPort = nil
+	} else {
+		// unset the https ports
+		config.CommonConfig.HTTPSPort = nil
+		config.CommonConfig.TCPPortSecure = nil
+	}
+	return config
+}
+
 func setTiFlashLogConfigDefault(config *v1alpha1.TiFlashConfig) {
 	if config.CommonConfig == nil {
 		config.CommonConfig = &v1alpha1.CommonConfig{}
@@ -178,6 +225,14 @@ func setTiFlashCommonConfigDefault(config *v1alpha1.CommonConfig, clusterName, n
 		var p int32 = 9000
 		config.TCPPort = &p
 	}
+	if config.TCPPortSecure == nil {
+		var p int32 = 9000
+		config.TCPPortSecure = &p
+	}
+	if config.HTTPSPort == nil {
+		var p int32 = 8123
+		config.HTTPSPort = &p
+	}
 	if config.HTTPPort == nil {
 		var p int32 = 8123
 		config.HTTPPort = &p