add tls support between drainer and downstream database server (#2993)

* add tls support between drainer and downstream database server
pingcap · Jul 22, 2020 · 741b18e · 741b18e
1 parent 64ee732
commit 741b18e
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 0 deletions.
diff --git a/charts/tidb-drainer/templates/_helpers.tpl b/charts/tidb-drainer/templates/_helpers.tpl
@@ -27,6 +27,28 @@ config-file: |-
   cert-allowed-cn = {{ .Values.tlsCluster.certAllowedCN | toJson }}
   {{- end -}}
     {{- end -}}
+  {{- if .Values.tlsSyncer }}
+    {{- if .Values.tlsSyncer.tlsClientSecretName }}
+  [syncer.to.security]
+  ssl-ca = "/var/lib/drainer-syncer-tls/ca.crt"
+  ssl-cert = "/var/lib/drainer-syncer-tls/tls.crt"
+  ssl-key = "/var/lib/drainer-syncer-tls/tls.key"
+  {{- if .Values.tlsSyncer.certAllowedCN }}
+  cert-allowed-cn = {{ .Values.tlsSyncer.certAllowedCN | toJson }}
+  {{- end -}}
+    {{- end -}}
+    {{- if .Values.tlsSyncer.checkpoint }}
+  {{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+  [syncer.to.checkpoint.security]
+  ssl-ca = "/var/lib/drainer-syncer-checkpoint-tls/ca.crt"
+  ssl-cert = "/var/lib/drainer-syncer-checkpoint-tls/tls.crt"
+  ssl-key = "/var/lib/drainer-syncer-checkpoint-tls/tls.key"
+  {{- end -}}
+  {{- if .Values.tlsSyncer.checkpoint.certAllowedCN }}
+  cert-allowed-cn = {{ .Values.tlsSyncer.checkpoint.certAllowedCN | toJson }}
+  {{- end -}}
+    {{- end -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "drainer-configmap.name" -}}

diff --git a/charts/tidb-drainer/templates/drainer-statefulset.yaml b/charts/tidb-drainer/templates/drainer-statefulset.yaml
@@ -55,6 +55,20 @@ spec:
           mountPath: /var/lib/drainer-tls
           readOnly: true
       {{- end }}
+      {{- if .Values.tlsSyncer }}
+      {{- if .Values.tlsSyncer.tlsClientSecretName }}
+        - name: drainer-syncer-tls
+          mountPath: /var/lib/drainer-syncer-tls
+          readOnly: true
+      {{- end }}
+      {{- if .Values.tlsSyncer.checkpoint }}
+        {{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+        - name: drainer-syncer-checkpoint-tls
+          mountPath: /var/lib/drainer-syncer-checkpoint-tls
+          readOnly: true
+        {{- end }}
+      {{- end }}
+      {{- end }}
       {{- if and (ne .Values.timezone "UTC") (ne .Values.timezone "") }}
         env:
         - name: TZ
@@ -74,6 +88,20 @@ spec:
         secret:
           secretName: {{ include "drainer.tlsSecretName" . }}
     {{- end }}
+    {{- if .Values.tlsSyncer }}
+    {{- if .Values.tlsSyncer.tlsClientSecretName }}
+      - name: drainer-syncer-tls
+        secret:
+          secretName: {{ .Values.tlsSyncer.tlsClientSecretName }}
+    {{- end }}
+    {{- if .Values.tlsSyncer.checkpoint }}
+      {{- if .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+      - name: drainer-syncer-checkpoint-tls
+        secret:
+          secretName: {{ .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+      {{- end }}
+    {{- end }}
+    {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

diff --git a/charts/tidb-drainer/values.yaml b/charts/tidb-drainer/values.yaml
@@ -48,6 +48,32 @@ tlsCluster:
   certAllowedCN: []
   #  - TiDB
 
+# The TLS config between drainer and the downstream database server (MySQL/TiDB)
+tlsSyncer: {}
+  # The steps to enable this feature:
+  #   1. Create one secret object which contains the certificates for the downstream database server.
+  #      For example: kubectl create secret generic ${downstream_database_secret_name} --namespace=${namespace} --from-file=tls.crt=client.pem --from-file=tls.key=client-key.pem --from-file=ca.crt=ca.pem
+  #   2. Then set `tlsSyncer.tlsClientSecretName` to `${downstream_database_secret_name}`.
+  # tlsClientSecretName: ${downstream_database_secret_name}
+  # certAllowedCN is the Common Name that allowed
+  # certAllowedCN:
+  #  - TiDB
+
+  # checkpoint is the TLS config for the database you save binlog checkpoint.
+  # By default, Drainer will use downstream to save binlog checkpoint,
+  # so you do not need to configure [syncer.to.checkpoint.type] and
+  # you do not need to configure the `checkpoint` below.
+  # You have to configure this field only if you want to save binlog checkpoint
+  # to ** another database which has enabled TLS **.
+  # The steps to enable this feature is similar with those to enable tlsSyncer.tlsClientSecretName,
+  # which means you need to create one secret object containing the certificates for
+  # the checkpoint database and then set `checkpoint.tlsClientSecretName`.
+  # checkpoint:
+  #   tlsClientSecretName: ${checkpoint_tidb_client_secret}
+  # certAllowedCN is the Common Name that allowed
+  # certAllowedCN:
+  #  - TiDB
+
 # Refer to https://github.com/pingcap/tidb-binlog/blob/master/cmd/drainer/drainer.toml
 # [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
 config: |