
cert-allowed-cn support (#2061)
* cert-allowed-cn support

* cert-allowed-cn for drainer

* tiny fix

* fix ci

Co-authored-by: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com>
Co-authored-by: pingcap-github-bot <sre-bot@pingcap.com>
3 people authored Mar 31, 2020
1 parent 046eee1 commit d158953
Showing 12 changed files with 87 additions and 29 deletions.
3 changes: 3 additions & 0 deletions charts/tidb-drainer/templates/_helpers.tpl
Expand Up @@ -23,6 +23,9 @@ config-file: |-
ssl-ca = "/var/lib/drainer-tls/ca.crt"
ssl-cert = "/var/lib/drainer-tls/tls.crt"
ssl-key = "/var/lib/drainer-tls/tls.key"
{{- if .Values.tlsCluster.certAllowedCN }}
cert-allowed-cn = {{ .Values.tlsCluster.certAllowedCN | toJson }}
{{- end -}}
{{- end -}}
{{- end -}}

4 changes: 4 additions & 0 deletions charts/tidb-drainer/values.yaml
Expand Up @@ -43,6 +43,10 @@ tlsCluster:
# 3. Then create the Drainer cluster with `tlsCluster.enabled` set to `true`.
enabled: false

# certAllowedCN is the Common Name that allowed
certAllowedCN: []
# - TiDB

# Refer to https://github.com/pingcap/tidb-binlog/blob/master/cmd/drainer/drainer.toml
# [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
config: |
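Review bot: The comment `# certAllowedCN is the Common Name that allowed` on the new key is ungrammatical and does not say what the list is used for or what happens when it is left empty. The _helpers.tpl hunk in this commit only writes `cert-allowed-cn` into the drainer `[security]` section when the list is non-empty, so I would document exactly that: `# certAllowedCN lists the certificate Common Names written to the drainer's [security] cert-allowed-cn setting;` / `# when empty, the setting is omitted and drainer's default behaviour applies.` The commented-out `# - TiDB` line then reads clearly as an example entry rather than a default.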
25 changes: 25 additions & 0 deletions docs/api-references/docs.html
Expand Up @@ -5107,6 +5107,18 @@ <h3 id="pingcap.com/v1alpha1.PDSecurityConfig">PDSecurityConfig
<p>KeyPath is the path of file that contains X509 key in PEM format.</p>
</td>
</tr>
<tr>
<td>
<code>cert-allowed-cn</code></br>
<em>
[]string
</em>
</td>
<td>
<em>(Optional)</em>
<p>CertAllowedCN is the Common Name that allowed</p>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.PDServerConfig">PDServerConfig
Expand Down Expand Up @@ -6657,6 +6669,7 @@ <h3 id="pingcap.com/v1alpha1.Security">Security
</td>
<td>
<em>(Optional)</em>
<p>ClusterVerifyCN is the Common Name that allowed</p>
</td>
</tr>
</tbody>
Expand Down Expand Up @@ -10844,6 +10857,18 @@ <h3 id="pingcap.com/v1alpha1.TiKVSecurityConfig">TiKVSecurityConfig
</tr>
<tr>
<td>
<code>cert-allowed-cn</code></br>
<em>
[]string
</em>
</td>
<td>
<em>(Optional)</em>
<p>CertAllowedCN is the Common Name that allowed</p>
</td>
</tr>
<tr>
<td>
<code>override-ssl-target</code></br>
<em>
string
4 changes: 0 additions & 4 deletions manifests/crd.yaml
Expand Up @@ -3924,10 +3924,6 @@ spec:
type: string
cluster-ssl-key:
type: string
cluster-verify-cn:
items:
type: string
type: array
skip-grant-table:
type: boolean
ssl-ca:
13 changes: 0 additions & 13 deletions pkg/apis/pingcap/v1alpha1/openapi_generated.go


4 changes: 4 additions & 0 deletions pkg/apis/pingcap/v1alpha1/pd_config.go
Expand Up @@ -395,6 +395,10 @@ type PDSecurityConfig struct {
// KeyPath is the path of file that contains X509 key in PEM format.
// +optional
KeyPath string `toml:"key-path,omitempty" json:"key-path,omitempty"`
// CertAllowedCN is the Common Name that allowed
// +optional
// +k8s:openapi-gen=false
CertAllowedCN []string `toml:"cert-allowed-cn,omitempty" json:"cert-allowed-cn,omitempty"`
}

// PDServerConfig is the configuration for pd server.
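Review bot: The new `CertAllowedCN` field is tagged `+k8s:openapi-gen=false`, so it is deliberately left out of the generated CRD schema (the crd.yaml hunk in this commit drops `cluster-verify-cn` for the same reason); if the CRD is ever served with unknown-field pruning enabled, a value in this field would be dropped by the API server before the operator sees it, so the exclusion deserves a comment stating why it is needed and when it can be lifted. The doc comment `// CertAllowedCN is the Common Name that allowed` is also ungrammatical and omits the one-entry limit that validation.go adds in this commit; I would write `// CertAllowedCN is the list of certificate Common Names that are allowed; validation currently accepts at most one entry.` The same comment wording and tag appear in tikv_config.go (`CertAllowedCN`) and tidb_config.go (`ClusterVerifyCN`), although only the PD field is length-checked.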
4 changes: 3 additions & 1 deletion pkg/apis/pingcap/v1alpha1/tidb_config.go
Expand Up @@ -192,8 +192,10 @@ type Security struct {
ClusterSSLCert *string `toml:"cluster-ssl-cert,omitempty" json:"cluster-ssl-cert,omitempty"`
// +optional
ClusterSSLKey *string `toml:"cluster-ssl-key,omitempty" json:"cluster-ssl-key,omitempty"`
// ClusterVerifyCN is the Common Name that allowed
// +optional
ClusterVerifyCN []string `toml:"cluster-verify-cn" json:"cluster-verify-cn,omitempty"`
// +k8s:openapi-gen=false
ClusterVerifyCN []string `toml:"cluster-verify-cn,omitempty" json:"cluster-verify-cn,omitempty"`
}

// Status is the status section of the config.
4 changes: 4 additions & 0 deletions pkg/apis/pingcap/v1alpha1/tikv_config.go
Expand Up @@ -199,6 +199,10 @@ type TiKVSecurityConfig struct {
CertPath string `json:"cert-path,omitempty" toml:"cert-path,omitempty"`
// +optional
KeyPath string `json:"key-path,omitempty" toml:"key-path,omitempty"`
// CertAllowedCN is the Common Name that allowed
// +optional
// +k8s:openapi-gen=false
CertAllowedCN []string `json:"cert-allowed-cn,omitempty" toml:"cert-allowed-cn,omitempty"`
// +optional
OverrideSslTarget string `json:"override-ssl-target,omitempty" toml:"override-ssl-target,omitempty"`
// +optional
6 changes: 6 additions & 0 deletions pkg/apis/pingcap/v1alpha1/validation/validation.go
Expand Up @@ -269,6 +269,12 @@ func validateUpdatePDConfig(old, conf *v1alpha1.PDConfig, path *field.Path) fiel
if old == nil || conf == nil {
return allErrs
}

if conf.Security != nil && len(conf.Security.CertAllowedCN) > 1 {
allErrs = append(allErrs, field.Invalid(path.Child("security.cert-allowed-cn"), conf.Security.CertAllowedCN,
"Only one CN is currently supported"))
}

if !reflect.DeepEqual(old.Schedule, conf.Schedule) {
allErrs = append(allErrs, field.Invalid(path.Child("schedule"), conf.Schedule,
"PD Schedule Config is immutable through CRD, please modify with pd-ctl instead."))
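Review bot: The new `len(conf.Security.CertAllowedCN) > 1` check is placed in `validateUpdatePDConfig` after the `old == nil || conf == nil` early return, so it only runs when an existing cluster is updated; if this function is not also invoked on create, as its name and that early return suggest, a cluster created with several CNs is never rejected. Because the check depends only on `conf` and not on `old`, it belongs with the create-time PD config validation rather than among the immutability checks that follow it. No equivalent limit is applied to `TiKVSecurityConfig.CertAllowedCN` or `Security.ClusterVerifyCN` elsewhere in this commit, so the "Only one CN is currently supported" restriction should either be documented as PD-specific or applied consistently. validateUpdatePDConfig starts and ends outside this hunk.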
14 changes: 12 additions & 2 deletions pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go


14 changes: 13 additions & 1 deletion pkg/controller/tidb_control.go
Expand Up @@ -75,10 +75,22 @@ func (tdc *defaultTiDBControl) useTLSHTTPClient(tc *v1alpha1.TidbCluster) error
return err
}

clientCert, certExists := secret.Data[v1.TLSCertKey]
clientKey, keyExists := secret.Data[v1.TLSPrivateKeyKey]
if !certExists || !keyExists {
return fmt.Errorf("cert or key does not exist in secret %s/%s", ns, secretName)
}

tlsCert, err := tls.X509KeyPair(clientCert, clientKey)
if err != nil {
return fmt.Errorf("unable to load certificates from secret %s/%s: %v", ns, secretName, err)
}

rootCAs := x509.NewCertPool()
rootCAs.AppendCertsFromPEM(secret.Data[v1.ServiceAccountRootCAKey])
config := &tls.Config{
RootCAs: rootCAs,
RootCAs: rootCAs,
Certificates: []tls.Certificate{tlsCert},
}
tdc.httpClient.Transport = &http.Transport{TLSClientConfig: config}
return nil
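Review bot: `rootCAs.AppendCertsFromPEM(secret.Data[v1.ServiceAccountRootCAKey])` discards its boolean result, so a secret whose CA entry is missing or unparsable produces an empty pool and a later opaque x509 verification failure, while the new code just above does verify that the client cert and key entries exist; for consistency, `if !rootCAs.AppendCertsFromPEM(secret.Data[v1.ServiceAccountRootCAKey]) { return fmt.Errorf("no CA certificate found in secret %s/%s", ns, secretName) }`. The two new error returns format `err` with `%v`; `%w` would let callers inspect the underlying error with errors.Is/As, if the module's Go version permits it. useTLSHTTPClient begins before this hunk.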
21 changes: 13 additions & 8 deletions pkg/manager/member/pump_member_manager.go
Expand Up @@ -255,6 +255,19 @@ func getNewPumpConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
spec := tc.Spec.Pump
objMeta, _ := getPumpMeta(tc, controller.PumpMemberName)

if tc.IsTLSClusterEnabled() {
securityMap := spec.Config["security"]
security := map[string]interface{}{}
if securityMap != nil {
security = securityMap.(map[string]interface{})
}

security["ssl-ca"] = path.Join(pumpCertPath, corev1.ServiceAccountRootCAKey)
security["ssl-cert"] = path.Join(pumpCertPath, corev1.TLSCertKey)
security["ssl-key"] = path.Join(pumpCertPath, corev1.TLSPrivateKeyKey)
spec.Config["security"] = security
}

confText, err := MarshalTOML(spec.Config)
if err != nil {
return nil, err
Expand All @@ -263,14 +276,6 @@ func getNewPumpConfigMap(tc *v1alpha1.TidbCluster) (*corev1.ConfigMap, error) {
name := controller.PumpMemberName(tc.Name)
confTextStr := string(confText)

if tc.IsTLSClusterEnabled() {
confTextStr = strings.Join([]string{
confTextStr,
"[security]",
fmt.Sprintf("ssl-ca = \"%s\"", path.Join(pumpCertPath, corev1.ServiceAccountRootCAKey)),
fmt.Sprintf("ssl-cert = \"%s\"", path.Join(pumpCertPath, corev1.TLSCertKey)),
fmt.Sprintf("ssl-key = \"%s\"", path.Join(pumpCertPath, corev1.TLSPrivateKeyKey))}, "\n")
}
data := map[string]string{
"pump-config": confTextStr,
}
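Review bot: `security = securityMap.(map[string]interface{})` is an unchecked type assertion on user-supplied Pump config, so a `security` key with any other type (a string, or a table decoded with non-string keys) panics the controller instead of returning an error; the two-value form with a descriptive error is needed here. `spec.Config["security"] = security` also writes into the map held by `tc.Spec.Pump.Config` rather than a copy, so if `tc` comes from an informer cache the injected paths leak into the cached object, and if `Config` can be a nil map the assignment panics — the string-append approach this hunk removes at least never touched `tc`. Assuming `Config` is a plain `map[string]interface{}`-shaped type, as the index expression and assertion suggest, I would build the TLS section on a shallow copy and hand that copy to `MarshalTOML`, as sketched below; note that `fmt` must stay imported if the removed `Sprintf` calls were its last use in this file. getNewPumpConfigMap continues past the second hunk.
```go
pumpConfig := spec.Config
if tc.IsTLSClusterEnabled() {
	// Work on a copy: spec.Config is shared with the TidbCluster object (possibly an informer cache entry).
	pumpConfig = make(map[string]interface{}, len(spec.Config)+1)
	for k, v := range spec.Config {
		pumpConfig[k] = v
	}
	security := map[string]interface{}{}
	if existing, ok := pumpConfig["security"]; ok && existing != nil {
		m, ok := existing.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("pump config [security] must be a table, got %T", existing)
		}
		for k, v := range m {
			security[k] = v
		}
	}
	// … unchanged: ssl-ca / ssl-cert / ssl-key assignments into security …
	pumpConfig["security"] = security
}

confText, err := MarshalTOML(pumpConfig)
```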
