opt(ticdc): support to overwrite the default cluster TLS cert secret …
…name (pingcap#5778)
ideascf authored Oct 29, 2024
1 parent 83a044f commit 8cb0848
Showing 5 changed files with 78 additions and 2 deletions.
28 changes: 28 additions & 0 deletions docs/api-references/docs.md
Expand Up @@ -16586,6 +16586,34 @@ client certificates for the downstream.</p>
</tr>
<tr>
<td>
<code>clusterTLSSecretName</code></br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>ClusterTLSSecretName is used for overwriting the default mTLS cert secret name (see also: pkg/util/util.go:ClusterTLSSecretName)
This field is useful for sharing the same mTLS cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.</p>
</td>
</tr>
<tr>
<td>
<code>clusterClientTLSSecretName</code></br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>ClusterTLSSecretName is used for overwriting the default <strong>cluster client</strong> cert secret name (see also: pkg/util/util.go:ClusterClientTLSSecretName)
This field is useful for sharing the same cluster client cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.
The ClusterClientTLSSecret is actually not directly used by ticdc, but it is useful for executing some commands via <code>ticdc-ctl</code>
by <code>kubectl exec -it ticdc-0 -- /cdc cli --ca /var/lib/cluster-client-tls/ca.crt --cert /var/lib/cluster-client-tls/tls.crt --key /var/lib/cluster-client-tls/tls.key ...</code>.</p>
</td>
</tr>
<tr>
<td>
<code>baseImage</code></br>
<em>
string
4 changes: 4 additions & 0 deletions manifests/crd/v1/pingcap.com_tidbclusters.yaml
Expand Up @@ -13152,6 +13152,10 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
clusterClientTLSSecretName:
type: string
clusterTLSSecretName:
type: string
config:
x-kubernetes-preserve-unknown-fields: true
configUpdateStrategy:
14 changes: 14 additions & 0 deletions pkg/apis/pingcap/v1alpha1/openapi_generated.go


12 changes: 12 additions & 0 deletions pkg/apis/pingcap/v1alpha1/types.go
Expand Up @@ -859,6 +859,18 @@ type TiCDCSpec struct {
// +optional
TLSClientSecretNames []string `json:"tlsClientSecretNames,omitempty"`

// ClusterTLSSecretName is used for overwriting the default mTLS cert secret name (see also: pkg/util/util.go:ClusterTLSSecretName)
// This field is useful for sharing the same mTLS cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.
// +optional
ClusterTLSSecretName string `json:"clusterTLSSecretName,omitempty"`

// ClusterTLSSecretName is used for overwriting the default **cluster client** cert secret name (see also: pkg/util/util.go:ClusterClientTLSSecretName)
// This field is useful for sharing the same cluster client cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.
// The ClusterClientTLSSecret is actually not directly used by ticdc, but it is useful for executing some commands via `ticdc-ctl`
// by `kubectl exec -it ticdc-0 -- /cdc cli --ca /var/lib/cluster-client-tls/ca.crt --cert /var/lib/cluster-client-tls/tls.crt --key /var/lib/cluster-client-tls/tls.key ...`.
// +optional
ClusterClientTLSSecretName string `json:"clusterClientTLSSecretName,omitempty"`

// Base image of the component, image tag is now allowed during validation
// +kubebuilder:default=pingcap/ticdc
// +optional
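Review bot: The doc comment on ClusterClientTLSSecretName names the wrong field: the line `// ClusterTLSSecretName is used for overwriting the default **cluster client** cert secret name ...` was copied from the block above and should begin `// ClusterClientTLSSecretName is used for overwriting the default **cluster client** cert secret name ...`. Since openapi_generated.go and docs/api-references/docs.md in this commit are generated from these comments, the same mistake is reproduced there (docs.md shows the identical sentence) and disappears once the source comment is fixed and the files are regenerated. It would also help callers to say that the named secret is mounted as-is, so it must exist in the TidbCluster's namespace and carry the same keys as the operator-generated secret; the exact key names are not visible in this diff, so confirm them before adding that sentence. The enclosing TiCDCSpec struct starts and ends outside the hunk.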
22 changes: 20 additions & 2 deletions pkg/manager/member/ticdc_member_manager.go
Expand Up @@ -405,13 +405,13 @@ func getNewTiCDCStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*ap
vols = append(vols, corev1.Volume{
Name: ticdcCertVolumeMount, VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: util.ClusterTLSSecretName(tc.Name, label.TiCDCLabelVal),
SecretName: getTiCDCClusterTLSCertSecretName(tc),
},
},
}, corev1.Volume{
Name: util.ClusterClientVolName, VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: util.ClusterClientTLSSecretName(tc.Name),
SecretName: getTiCDCClusterClientTLSCertSecretName(tc),
},
},
})
Expand Down Expand Up @@ -566,6 +566,24 @@ func getNewTiCDCStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*ap
return ticdcSts, nil
}

func getTiCDCClusterTLSCertSecretName(tc *v1alpha1.TidbCluster) string {
clusterTLSSecretName := util.ClusterTLSSecretName(tc.Name, label.TiCDCLabelVal)
if tc.Spec.TiCDC.ClusterTLSSecretName != "" {
clusterTLSSecretName = tc.Spec.TiCDC.ClusterTLSSecretName
}

return clusterTLSSecretName
}

func getTiCDCClusterClientTLSCertSecretName(tc *v1alpha1.TidbCluster) string {
clusterClientTLSSecretName := util.ClusterClientTLSSecretName(tc.Name)
if tc.Spec.TiCDC.ClusterClientTLSSecretName != "" {
clusterClientTLSSecretName = tc.Spec.TiCDC.ClusterClientTLSSecretName
}

return clusterClientTLSSecretName
}

func labelTiCDC(tc *v1alpha1.TidbCluster) label.Label {
instanceName := tc.GetInstanceName()
return label.New().Instance(instanceName).TiCDC()
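Review bot: getTiCDCClusterTLSCertSecretName and getTiCDCClusterClientTLSCertSecretName only redirect the two volume sources in getNewTiCDCStatefulSet; if util.ClusterTLSSecretName(tc.Name, label.TiCDCLabelVal) or util.ClusterClientTLSSecretName(tc.Name) is also resolved for TiCDC elsewhere in the operator (for example where it checks or waits for the secret, which is outside this diff), that path would still use the default name and disagree with what the pod actually mounts, so it is worth confirming. Neither helper has a doc comment; suggested for the first: `// getTiCDCClusterTLSCertSecretName returns the secret name mounted at ticdcCertVolumeMount: Spec.TiCDC.ClusterTLSSecretName when set, otherwise the operator's default name.` with the matching sentence for the cluster-client secret. The override is taken verbatim with no validation visible here, so a mistyped or non-existent name surfaces only as a pod that cannot start because its secret volume is missing; if the project has a validating webhook for TidbCluster, rejecting a name that does not resolve in the namespace there would give a clearer error. Both helpers could also be written with an early return, `if name := tc.Spec.TiCDC.ClusterTLSSecretName; name != "" { return name }` followed by `return util.ClusterTLSSecretName(tc.Name, label.TiCDCLabelVal)`.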
