Tidb support setting a random password.

cmd/backup-manager/app/backup/manager.go

@@ -27,6 +27,7 @@ import (
 	bkconstants "github.com/pingcap/tidb-operator/pkg/backup/constants"
 	listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
 	"github.com/pingcap/tidb-operator/pkg/controller"
+	pkgutil "github.com/pingcap/tidb-operator/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	errorutils "k8s.io/apimachinery/pkg/util/errors"
@@ -110,7 +111,7 @@ func (bm *Manager) ProcessBackup() error {
 			klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err)
 			return false, err
 		}
-		db, err = util.OpenDB(ctx, dsn)
+		db, err = pkgutil.OpenDB(ctx, dsn)
 		if err != nil {
 			klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
 			if ctx.Err() != nil {

cmd/backup-manager/app/export/manager.go

@@ -28,6 +28,7 @@ import (
 	backuputil "github.com/pingcap/tidb-operator/pkg/backup/util"
 	listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
 	"github.com/pingcap/tidb-operator/pkg/controller"
+	pkgutil "github.com/pingcap/tidb-operator/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	errorutils "k8s.io/apimachinery/pkg/util/errors"
@@ -121,7 +122,7 @@ func (bm *BackupManager) ProcessBackup() error {
 			return false, err
 		}
 
-		db, err = util.OpenDB(ctx, dsn)
+		db, err = pkgutil.OpenDB(ctx, dsn)
 		if err != nil {
 			klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
 			if ctx.Err() != nil {

cmd/backup-manager/app/restore/manager.go

@@ -26,6 +26,7 @@ import (
 	bkconstants "github.com/pingcap/tidb-operator/pkg/backup/constants"
 	listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
 	"github.com/pingcap/tidb-operator/pkg/controller"
+	pkgutil "github.com/pingcap/tidb-operator/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	errorutils "k8s.io/apimachinery/pkg/util/errors"
@@ -107,7 +108,7 @@ func (rm *Manager) ProcessRestore() error {
 			return false, err
 		}
 
-		db, err = util.OpenDB(ctx, dsn)
+		db, err = pkgutil.OpenDB(ctx, dsn)
 		if err != nil {
 			klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
 			if ctx.Err() != nil {

cmd/backup-manager/app/util/util.go

@@ -15,7 +15,6 @@ package util
 
 import (
 	"context"
-	"database/sql"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -113,19 +112,6 @@ func GetStoragePath(backup *v1alpha1.Backup) (string, error) {
 	}
 }
 
-// OpenDB opens db
-func OpenDB(ctx context.Context, dsn string) (*sql.DB, error) {
-	db, err := sql.Open("mysql", dsn)
-	if err != nil {
-		return nil, fmt.Errorf("open datasource failed, err: %v", err)
-	}
-	if err := db.PingContext(ctx); err != nil {
-		db.Close()
-		return nil, fmt.Errorf("cannot connect to mysql, err: %v", err)
-	}
-	return db, nil
-}
-
 // IsFileExist return true if file exist and is a regular file, other cases return false
 func IsFileExist(file string) bool {
 	fi, err := os.Stat(file)

docs/api-references/docs.md

@@ -14624,6 +14624,33 @@ Kubernetes meta/v1.Time
 </tr>
 </tbody>
 </table>
+<h3 id="tidbinitializer">TiDBInitializer</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#tidbspec">TiDBSpec</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>createPassword</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tidbmember">TiDBMember</h3>
 <p>
 (<em>Appears on:</em>
@@ -15140,6 +15167,20 @@ TiDBProbe
 the default behavior is like setting type as &ldquo;tcp&rdquo;</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>initializer</code></br>
+<em>
+<a href="#tidbinitializer">
+TiDBInitializer
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Initializer is the init configurations of TiDB</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tidbstatus">TiDBStatus</h3>
@@ -15226,6 +15267,16 @@ string
 <td>
 </td>
 </tr>
+<tr>
+<td>
+<code>passwordInitialized</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tidbtlsclient">TiDBTLSClient</h3>

examples/basic-random-password/README.md

@@ -0,0 +1,55 @@
+# A Basic TiDB cluster with random password initialized
+
+> **Note:**
+>
+> This setup is for test or demo purpose only and **IS NOT** applicable for critical environment.
+
+The following steps will create a TiDB cluster with random password initialized.
+
+## Install
+
+The following commands is assumed to be executed in this directory.
+
+Install the cluster:
+
+```bash
+kubectl -n <namespace> apply -f ./
+```
+
+Wait for cluster Pods ready:
+
+```bash
+watch kubectl -n <namespace> get pod
+```
+
+## Explore
+
+Get the password from secret:
+
+```bash
+kubectl get secret basic-init -o=jsonpath='{.data.root}' -n <namespace>  | base64 --decode
+```
+
+Explore the TiDB SQL interface:
+
+```bash
+kubectl -n <namespace> port-forward svc/basic-tidb 4000:4000
+```
+
+Test connection successfully:
+
+```bash
+mysql -h 127.0.0.1 -P 4000 -u root -p <password> --comments
+```
+
+## Destroy
+
+```bash
+kubectl -n <namespace> delete -f ./
+```
+
+The PVCs used by TiDB cluster will not be deleted in the above process, therefore, the PVs will be not be released neither. You can delete PVCs and release the PVs by the following command:
+
+```bash
+kubectl -n <namespace> delete pvc -l app.kubernetes.io/instance=basic,app.kubernetes.io/managed-by=tidb-operator
+```

examples/basic-random-password/tidb-cluster.yaml

@@ -0,0 +1,56 @@
+# IT IS NOT SUITABLE FOR PRODUCTION USE.
+# This YAML describes a basic TiDB cluster with minimum resource requirements,
+# which should be able to run in any Kubernetes cluster with storage support.
+apiVersion: pingcap.com/v1alpha1
+kind: TidbCluster
+metadata:
+  name: basic
+spec:
+  version: v5.3.0
+  timezone: UTC
+  pvReclaimPolicy: Retain
+  enableDynamicConfiguration: true
+  configUpdateStrategy: RollingUpdate
+  discovery: {}
+  helper:
+    image: busybox:1.34.1
+  pd:
+    baseImage: pingcap/pd
+    maxFailoverCount: 0
+    replicas: 1
+    # if storageClassName is not set, the default Storage Class of the Kubernetes cluster will be used
+    # storageClassName: local-storage
+    requests:
+      storage: "1Gi"
+    config: {}
+  tikv:
+    baseImage: pingcap/tikv
+    maxFailoverCount: 0
+    # If only 1 TiKV is deployed, the TiKV region leader 
+    # cannot be transferred during upgrade, so we have
+    # to configure a short timeout
+    evictLeaderTimeout: 1m
+    replicas: 1
+    # if storageClassName is not set, the default Storage Class of the Kubernetes cluster will be used
+    # storageClassName: local-storage
+    requests:
+      storage: "1Gi"
+    config:
+      storage:
+        # In basic examples, we set this to avoid using too much storage.
+        reserve-space: "0MB"
+      rocksdb:
+        # In basic examples, we set this to avoid the following error in some Kubernetes clusters:
+        # "the maximum number of open file descriptors is too small, got 1024, expect greater or equal to 82920"
+        max-open-files: 256
+      raftdb:
+        max-open-files: 256
+  tidb:
+    initializer:
+      createPassword: true
+    baseImage: pingcap/tidb
+    maxFailoverCount: 0
+    replicas: 1
+    service:
+      type: ClusterIP
+    config: {}

go.mod

@@ -57,6 +57,7 @@ require (
 	github.com/prometheus/prom2json v1.3.0
 	github.com/prometheus/prometheus v1.8.2
 	github.com/robfig/cron v1.1.0
+	github.com/sethvargo/go-password v0.2.0
 	github.com/sirupsen/logrus v1.6.0
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -801,6 +801,8 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sethvargo/go-password v0.2.0 h1:BTDl4CC/gjf/axHMaDQtw507ogrXLci6XRiLc7i/UHI=
+github.com/sethvargo/go-password v0.2.0/go.mod h1:Ym4Mr9JXLBycr02MFuVQ/0JHidNetSgbzutTr3zsYXE=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=

manifests/crd.yaml

@@ -23710,6 +23710,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  initializer:
+                    properties:
+                      createPassword:
+                        type: boolean
+                    type: object
                   labels:
                     additionalProperties:
                       type: string
@@ -29163,6 +29168,8 @@ spec:
                       - name
                       type: object
                     type: object
+                  passwordInitialized:
+                    type: boolean
                   phase:
                     type: string
                   resignDDLOwnerRetryCount:

manifests/crd/v1/pingcap.com_tidbclusters.yaml

@@ -11764,6 +11764,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  initializer:
+                    properties:
+                      createPassword:
+                        type: boolean
+                    type: object
                   labels:
                     additionalProperties:
                       type: string
@@ -17217,6 +17222,8 @@ spec:
                       - name
                       type: object
                     type: object
+                  passwordInitialized:
+                    type: boolean
                   phase:
                     type: string
                   resignDDLOwnerRetryCount:

manifests/crd/v1beta1/pingcap.com_tidbclusters.yaml

@@ -11748,6 +11748,11 @@ spec:
                     - name
                     type: object
                   type: array
+                initializer:
+                  properties:
+                    createPassword:
+                      type: boolean
+                  type: object
                 labels:
                   additionalProperties:
                     type: string
@@ -17194,6 +17199,8 @@ spec:
                     - name
                     type: object
                   type: object
+                passwordInitialized:
+                  type: boolean
                 phase:
                   type: string
                 resignDDLOwnerRetryCount:

manifests/crd_v1beta1.yaml

@@ -23694,6 +23694,11 @@ spec:
                     - name
                     type: object
                   type: array
+                initializer:
+                  properties:
+                    createPassword:
+                      type: boolean
+                  type: object
                 labels:
                   additionalProperties:
                     type: string
@@ -29140,6 +29145,8 @@ spec:
                     - name
                     type: object
                   type: object
+                passwordInitialized:
+                  type: boolean
                 phase:
                   type: string
                 resignDDLOwnerRetryCount:

pkg/apis/pingcap/v1alpha1/tidbcluster.go

@@ -732,6 +732,10 @@ func (tc *TidbCluster) IsTLSClusterEnabled() bool {
 	return tc.Spec.TLSCluster != nil && tc.Spec.TLSCluster.Enabled
 }
 
+func (tc *TidbCluster) NeedToSyncTiDBInitializer() bool {
+	return tc.Spec.TiDB != nil && tc.Spec.TiDB.Initializer != nil && tc.Spec.TiDB.Initializer.CreatePassword && tc.Status.TiDB.PasswordInitialized == nil
+}
+
 func (tc *TidbCluster) Scheme() string {
 	if tc.IsTLSClusterEnabled() {
 		return "https"