add tls support between drainer and downstream database server

charts/tidb-drainer/templates/_helpers.tpl

@@ -27,6 +27,26 @@ config-file: |-
   cert-allowed-cn = {{ .Values.tlsCluster.certAllowedCN | toJson }}
   {{- end -}}
     {{- end -}}
+  {{- if .Values.tlsSyncer }}
+    {{- if .Values.tlsSyncer.tlsClientSecretName }}
+  [syncer.to.security]
+  ssl-ca = "/var/lib/drainer-syncer-tls/ca.crt"
+  ssl-cert = "/var/lib/drainer-syncer-tls/tls.crt"
+  ssl-key = "/var/lib/drainer-syncer-tls/tls.key"
+  {{- if .Values.tlsSyncer.certAllowedCN }}
+  cert-allowed-cn = {{ .Values.tlsSyncer.certAllowedCN | toJson }}
+  {{- end -}}
+    {{- end -}}
+    {{- if and .Values.tlsSyncer.checkpoint .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+  [syncer.to.checkpoint.security]
+  ssl-ca = "/var/lib/drainer-syncer-checkpoint-tls/ca.crt"
+  ssl-cert = "/var/lib/drainer-syncer-checkpoint-tls/tls.crt"
+  ssl-key = "/var/lib/drainer-syncer-checkpoint-tls/tls.key"
+  {{- if .Values.tlsSyncer.checkpoint.certAllowedCN }}
+  cert-allowed-cn = {{ .Values.tlsSyncer.checkpoint.certAllowedCN | toJson }}
+  {{- end -}}
+    {{- end -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "drainer-configmap.name" -}}

charts/tidb-drainer/templates/drainer-statefulset.yaml

@@ -55,6 +55,18 @@ spec:
           mountPath: /var/lib/drainer-tls
           readOnly: true
       {{- end }}
+      {{- if .Values.tlsSyncer }}
+      {{- if .Values.tlsSyncer.tlsClientSecretName }}
+        - name: drainer-syncer-tls
+          mountPath: /var/lib/drainer-syncer-tls
+          readOnly: true
+      {{- end }}
+      {{- if and .Values.tlsSyncer.checkpoint .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+        - name: drainer-syncer-checkpoint-tls
+          mountPath: /var/lib/drainer-syncer-checkpoint-tls
+          readOnly: true
+      {{- end }}
+      {{- end }}
       {{- if and (ne .Values.timezone "UTC") (ne .Values.timezone "") }}
         env:
         - name: TZ
@@ -74,6 +86,18 @@ spec:
         secret:
           secretName: {{ include "drainer.tlsSecretName" . }}
     {{- end }}
+    {{- if .Values.tlsSyncer }}
+    {{- if .Values.tlsSyncer.tlsClientSecretName }}
+      - name: drainer-syncer-tls
+        secret:
+          secretName: {{ .Values.tlsSyncer.tlsClientSecretName }}
+    {{- end }}
+    {{- if and .Values.tlsSyncer.checkpoint .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+      - name: drainer-syncer-checkpoint-tls
+        secret:
+          secretName: {{ .Values.tlsSyncer.checkpoint.tlsClientSecretName }}
+    {{- end }}
+    {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

charts/tidb-drainer/values.yaml

@@ -48,6 +48,22 @@ tlsCluster:
   certAllowedCN: []
   #  - TiDB
 
+# The tls config between drainer and the downstream database server (MySQL/TiDB)
+tlsSyncer:
+  tlsClientSecretName:
+
+  # certAllowedCN is the Common Name that allowed
+  certAllowedCN: []
+  #  - TiDB
+
+  # checkpoint is the tls config for the database we save binlog checkpoint
+  # Omit this part if you just want to save checkpoint in downstream database
+  checkpoint:
+    tlsClientSecretName:
+  # certAllowedCN is the Common Name that allowed
+    certAllowedCN: []
+  #  - TiDB
+
 # Refer to https://github.com/pingcap/tidb-binlog/blob/master/cmd/drainer/drainer.toml
 # [security] section will be generated automatically if tlsCluster.enabled is set to true so users do not need to configure it.
 config: |