support TLS for components #904
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
suzaku
reviewed
Feb 18, 2020
pump/server.go
Outdated
| @@ -968,14 +966,21 @@ func (s *Server) waitUntilCommitTSSaved(ctx context.Context, ts int64, checkInte | |||
| } | |||
| } | |||
|
|
|||
| func listen(network, addr string) (net.Listener, error) { | |||
| func listen(network, addr string, tlsConfig *tls.Config) (listener net.Listener, err error) { | |||
There was a problem hiding this comment.
It seems we may need to update similar code in both pump and drainer, maybe it's time to extract this to the util package?
There was a problem hiding this comment.
extract by 4762c05
|
rest LGTM |
|
@GregoryIan PTAL |
|
/run-all-tests @GregoryIan PTAL |
|
/run-all-tests |
|
/run-all-tests |
|
/run-all-tests |
|
/run-all-tests |
|
/run-all-tests |
shenli
reviewed
Feb 20, 2020
IANTHEREAL
reviewed
Feb 21, 2020
| switch cfg.Command { | ||
| case ctl.GenerateMeta: | ||
| err = ctl.GenerateMetaInfo(cfg) | ||
| case ctl.QueryPumps: | ||
| err = ctl.QueryNodesByKind(cfg.EtcdURLs, node.PumpNode, cfg.ShowOfflineNodes) | ||
| err = ctl.QueryNodesByKind(cfg.EtcdURLs, node.PumpNode, cfg.ShowOfflineNodes, cfg.TLS) |
There was a problem hiding this comment.
I think we should initial all clients (like registry, dial Client) together, the reason is to ensure that TLS are processed correctly and uniformly, here implementation is a weird example:
- we provide
TLSconfig in interface ofgithub.com/pingcap/tidb-binlog/binlogctl, likeQueryNodesByKind - we do
binlogctl.InitHTTPSClientseparately
IANTHEREAL
reviewed
Feb 21, 2020
| @@ -72,6 +72,8 @@ func (c *Config) ToTiDBSecurityConfig() config.Security { | |||
| ClusterSSLKey: c.SSLKey, | |||
| } | |||
|
|
|||
| // The TiKV client(kvstore.New) we use will use this global var as the TLS config. | |||
| // TODO avoid such magic implicit change when call this func. | |||
IANTHEREAL
reviewed
Feb 21, 2020
tests/run.sh
Outdated
| sleep 1 | ||
| done | ||
|
|
||
|
|
||
| # on CI curl's version is too old: curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY))) |
|
/run-all-tests |
|
cherry pick to release-3.0 failed |
july2993
added a commit
that referenced
this pull request
Mar 15, 2020
truely support TLS for components. before this pr if enable TLS for components - `tidb` will fail to connect to `pump` - no TLS between drainer and pump - no enable TLS for tikv client in `drainer` - `binlogctl` can't work actually ... [relate docs](https://pingcap.com/docs/stable/how-to/secure/enable-tls-between-components/) ([Chinese version](https://pingcap.com/docs-cn/stable/how-to/secure/enable-tls-between-components/)) This Commit: - properly handle things about TLS when enabling TLS - enable TLS in the integration tests - log pump config at startup time
IANTHEREAL
pushed a commit
that referenced
this pull request
Mar 17, 2020
* support TLS for components (#904) [relate docs](https://pingcap.com/docs/stable/how-to/secure/enable-tls-between-components/) ([Chinese version](https://pingcap.com/docs-cn/stable/how-to/secure/enable-tls-between-components/)) This Commit: - properly handle things about TLS when enabling TLS - enable TLS in the integration tests - log pump config at startup time
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?
truely support TLS for components.
before this pr if enable TLS for components
tidbwill fail to connect topumpdrainerbinlogctlcan't work actually...
relate docs (Chinese version)
What is changed and how it works?
Check List
Tests
enable TLS for all components and check replication works, include tidb/tikv/pd/pump/drainer/binlogctl
Code changes
Side effects
Related changes
tidb-ansiblerepository ???having not tried using ansible to deploy.