Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Separate TLS certificates for TiDB clients. #2384

Closed
kolbe opened this issue May 6, 2020 · 1 comment · Fixed by #2403
Closed

Separate TLS certificates for TiDB clients. #2384

kolbe opened this issue May 6, 2020 · 1 comment · Fixed by #2403
Assignees
@weekface
Milestone
v1.1.0-rc.4

Comments

@kolbe
Copy link
Contributor

kolbe commented May 6, 2020

Feature Request

Is your feature request related to a problem? Please describe:

Right now, we have a single TiDBClientTLSSecretName in the cluster, which is shared between BR and PD and TidbInitializer:

$ grep -r TiDBClientTLSSecretName
tests/e2e/tidbcluster/tls.go:           secretName := util.TiDBClientTLSSecretName(tcName)
pkg/util/util.go:func TiDBClientTLSSecretName(tcName string) string {
pkg/manager/member/tidb_init_manager.go:                                        SecretName: util.TiDBClientTLSSecretName(tcName),
pkg/manager/member/pd_member_manager.go:                                        SecretName: util.TiDBClientTLSSecretName(tc.Name),
pkg/backup/backup/backup_manager.go:            clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster)
pkg/backup/restore/restore_manager.go:          clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster)

For security/compliance purposes, some customers prefer to have separate user accounts that are authenticated using specific certificate Subjects, so we should provide a mechanism to use separate client certificates (and usernames, where that's configurable) for each client role.
@kolbe
Copy link
Contributor Author

kolbe commented May 6, 2020

Oops, looks like backup and restore actually do support their own client certificate configurations, so perhaps this issue only affects PD (just the Dashboard?) and TidbInitializer.

@mightyguava mightyguava mentioned this issue May 7, 2020
Closed
@weekface weekface mentioned this issue May 8, 2020
Merged
@DanielZhangQD DanielZhangQD added this to the v1.1.0-rc.4 milestone May 9, 2020
@sre-bot sre-bot mentioned this issue May 13, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@weekface weekface

Labels
None yet
Projects
None yet
Milestone
v1.1.0-rc.4
Development

Successfully merging a pull request may close this issue.

Separate TiDB client certificate can be used for each component weekface/tidb-operator
3 participants
@weekface @kolbe @DanielZhangQD