cluster: fix TLS configs for tiproxy (#2356)
xhebox authored Jan 11, 2024
1 parent 30d4413 commit 0c6dda9
Showing 1 changed file with 14 additions and 7 deletions.
21 changes: 14 additions & 7 deletions pkg/cluster/spec/tiproxy.go
@@ -220,15 +220,14 @@ func (i *TiProxyInstance) checkConfig(
) map[string]any {
topo := i.topo.(*Specification)
spec := i.InstanceSpec.(*TiProxySpec)
enableTLS := topo.GlobalOptions.TLSEnabled

if cfg == nil {
cfg = make(map[string]any)
}

pds := []string{}
for _, pdspec := range topo.PDServers {
pds = append(pds, pdspec.GetAdvertiseClientURL(enableTLS))
pds = append(pds, utils.JoinHostPort(pdspec.Host, pdspec.ClientPort))
}
cfg["proxy.pd-addrs"] = strings.Join(pds, ",")
cfg["proxy.addr"] = utils.JoinHostPort(i.GetListenHost(), i.GetPort())
@@ -275,7 +274,7 @@ func (i *TiProxyInstance) InitConfig(
}

var err error
instanceConfig, err = i.setTLSConfig(ctx, false, instanceConfig, paths)
instanceConfig, err = i.setTLSConfig(ctx, topo.GlobalOptions.TLSEnabled, instanceConfig, paths)
if err != nil {
return err
}
@@ -293,12 +292,14 @@ func (i *TiProxyInstance) setTLSConfig(ctx context.Context, enableTLS bool, conf
configs["security.cluster-tls.cert"] = fmt.Sprintf("%s/tls/%s.crt", paths.Deploy, i.Role())
configs["security.cluster-tls.key"] = fmt.Sprintf("%s/tls/%s.pem", paths.Deploy, i.Role())

configs["security.server-tls.ca"] = fmt.Sprintf("%s/tls/%s", paths.Deploy, TLSCACert)
configs["security.server-tls.cert"] = fmt.Sprintf("%s/tls/%s.crt", paths.Deploy, i.Role())
configs["security.server-tls.key"] = fmt.Sprintf("%s/tls/%s.pem", paths.Deploy, i.Role())
configs["security.server-tls.skip-ca"] = true
configs["security.server-http-tls.ca"] = fmt.Sprintf("%s/tls/%s", paths.Deploy, TLSCACert)
configs["security.server-http-tls.cert"] = fmt.Sprintf("%s/tls/%s.crt", paths.Deploy, i.Role())
configs["security.server-http-tls.key"] = fmt.Sprintf("%s/tls/%s.pem", paths.Deploy, i.Role())
configs["security.server-http-tls.skip-ca"] = true

configs["security.sql-tls.ca"] = fmt.Sprintf("%s/tls/%s", paths.Deploy, TLSCACert)
configs["security.sql-tls.cert"] = fmt.Sprintf("%s/tls/%s.crt", paths.Deploy, i.Role())
configs["security.sql-tls.key"] = fmt.Sprintf("%s/tls/%s.pem", paths.Deploy, i.Role())
} else {
// drainer tls config list
tlsConfigs := []string{
@@ -309,7 +310,13 @@ func (i *TiProxyInstance) setTLSConfig(ctx context.Context, enableTLS bool, conf
"security.server-tls.cert",
"security.server-tls.key",
"security.server-tls.skip-ca",
"security.server-http-tls.ca",
"security.server-http-tls.cert",
"security.server-http-tls.key",
"security.server-http-tls.skip-ca",
"security.sql-tls.ca",
"security.sql-tls.cert",
"security.sql-tls.key",
}
// delete TLS configs
for _, config := range tlsConfigs {
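Review bot: `configs["security.server-http-tls.skip-ca"] = true` in the `enableTLS` branch of `setTLSConfig` is set unconditionally, right after a `ca` path is written for the same TLS object, and nothing on the page explains why verification is skipped. If TiProxy reads `skip-ca` on a server-side TLS object as "do not verify client certificates" (not visible here, so worth confirming), the HTTP endpoint of a TLS-enabled cluster would present a certificate but accept any client, which is weaker than what the cluster CA could enforce. If that is the intent, say so at the assignment, e.g. `// skip-ca: HTTP API clients are not required to present a cluster certificate`; otherwise drop the override so the configured CA is used. The keys written in the `enableTLS` branch and the `tlsConfigs` delete list in the `else` branch are kept in step by hand, so a key added to one and not the other would survive a switch back to non-TLS; a single shared key list would remove that risk. The rendered page has lost its `+`/`-` markers and `setTLSConfig` starts and ends outside the visible hunks, so which of these lines are new is inferred from the hunk headers.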
