Tidb support setting a random password.

docs/api-references/docs.md

@@ -14552,6 +14552,33 @@ Kubernetes meta/v1.Time
 </tr>
 </tbody>
 </table>
+<h3 id="tidbinitializer">TiDBInitializer</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#tidbspec">TiDBSpec</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>createPassword</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tidbmember">TiDBMember</h3>
 <p>
 (<em>Appears on:</em>
@@ -15068,6 +15095,20 @@ TiDBProbe
 the default behavior is like setting type as &ldquo;tcp&rdquo;</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>initializer</code></br>
+<em>
+<a href="#tidbinitializer">
+TiDBInitializer
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Initializer is the init configurations of TiDB</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tidbstatus">TiDBStatus</h3>
@@ -15154,6 +15195,16 @@ string
 <td>
 </td>
 </tr>
+<tr>
+<td>
+<code>initPassword</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tidbtlsclient">TiDBTLSClient</h3>

go.mod

@@ -57,6 +57,7 @@ require (
 	github.com/prometheus/prom2json v1.3.0
 	github.com/prometheus/prometheus v1.8.2
 	github.com/robfig/cron v1.1.0
+	github.com/sethvargo/go-password v0.2.0
 	github.com/sirupsen/logrus v1.6.0
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -801,6 +801,8 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sethvargo/go-password v0.2.0 h1:BTDl4CC/gjf/axHMaDQtw507ogrXLci6XRiLc7i/UHI=
+github.com/sethvargo/go-password v0.2.0/go.mod h1:Ym4Mr9JXLBycr02MFuVQ/0JHidNetSgbzutTr3zsYXE=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=

manifests/crd.yaml

@@ -23746,6 +23746,13 @@ spec:
                       - name
                       type: object
                     type: array
+                  initializer:
+                    properties:
+                      createPassword:
+                        type: boolean
+                    required:
+                    - createPassword
+                    type: object
                   labels:
                     additionalProperties:
                       type: string
@@ -29171,6 +29178,8 @@ spec:
                     type: object
                   image:
                     type: string
+                  initPassword:
+                    type: boolean
                   members:
                     additionalProperties:
                       properties:

manifests/crd/v1/pingcap.com_tidbclusters.yaml

@@ -11759,6 +11759,13 @@ spec:
                       - name
                       type: object
                     type: array
+                  initializer:
+                    properties:
+                      createPassword:
+                        type: boolean
+                    required:
+                    - createPassword
+                    type: object
                   labels:
                     additionalProperties:
                       type: string
@@ -17184,6 +17191,8 @@ spec:
                     type: object
                   image:
                     type: string
+                  initPassword:
+                    type: boolean
                   members:
                     additionalProperties:
                       properties:

manifests/crd/v1beta1/pingcap.com_tidbclusters.yaml

@@ -11743,6 +11743,13 @@ spec:
                     - name
                     type: object
                   type: array
+                initializer:
+                  properties:
+                    createPassword:
+                      type: boolean
+                  required:
+                  - createPassword
+                  type: object
                 labels:
                   additionalProperties:
                     type: string
@@ -17161,6 +17168,8 @@ spec:
                   type: object
                 image:
                   type: string
+                initPassword:
+                  type: boolean
                 members:
                   additionalProperties:
                     properties:

manifests/crd_v1beta1.yaml

@@ -23730,6 +23730,13 @@ spec:
                     - name
                     type: object
                   type: array
+                initializer:
+                  properties:
+                    createPassword:
+                      type: boolean
+                  required:
+                  - createPassword
+                  type: object
                 labels:
                   additionalProperties:
                     type: string
@@ -29148,6 +29155,8 @@ spec:
                   type: object
                 image:
                   type: string
+                initPassword:
+                  type: boolean
                 members:
                   additionalProperties:
                     properties:

pkg/apis/pingcap/v1alpha1/types.go

@@ -764,6 +764,15 @@ type TiDBSpec struct {
 	// the default behavior is like setting type as "tcp"
 	// +optional
 	ReadinessProbe *TiDBProbe `json:"readinessProbe,omitempty"`
+
+	// Initializer is the init configurations of TiDB
+	//
+	// +optional
+	Initializer *TiDBInitializer `json:"initializer,omitempty"`
+}
+
+type TiDBInitializer struct {
+	CreatePassword bool `json:"createPassword"`
 }
 
 const (
@@ -1120,6 +1129,7 @@ type TiDBStatus struct {
 	FailureMembers           map[string]TiDBFailureMember `json:"failureMembers,omitempty"`
 	ResignDDLOwnerRetryCount int32                        `json:"resignDDLOwnerRetryCount,omitempty"`
 	Image                    string                       `json:"image,omitempty"`
+	InitPassword             bool                         `json:"initPassword,omitempty"`
 }
 
 // TiDBMember is TiDB member

pkg/controller/generic_control.go

@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+
 	"github.com/pingcap/tidb-operator/pkg/scheme"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -62,6 +64,8 @@ type TypedControlInterface interface {
 	CreateOrUpdateIngress(controller client.Object, ingress *networkingv1.Ingress) (*networkingv1.Ingress, error)
 	// CreateOrUpdateIngressV1beta1 create the desired v1beta1 ingress or update the current one to desired state if already existed
 	CreateOrUpdateIngressV1beta1(controller client.Object, ingress *extensionsv1beta1.Ingress) (*extensionsv1beta1.Ingress, error)
+	// CreateOrUpdateTidbInitializer create the desired v1alpha1 TidbInitializer or update the current one to desired state if already existed
+	CreateOrUpdateTidbInitializer(controller client.Object, tidbInitializer *v1alpha1.TidbInitializer) (*v1alpha1.TidbInitializer, error)
 	// UpdateStatus update the /status subresource of the object
 	UpdateStatus(newStatus client.Object) error
 	// Delete delete the given object from the cluster
@@ -263,6 +267,23 @@ func (w *typedWrapper) CreateOrUpdateConfigMap(controller client.Object, cm *cor
 	return result.(*corev1.ConfigMap), nil
 }
 
+func (w *typedWrapper) CreateOrUpdateTidbInitializer(controller client.Object, tidbInitializer *v1alpha1.TidbInitializer) (*v1alpha1.TidbInitializer, error) {
+	result, err := w.GenericControlInterface.CreateOrUpdate(controller, tidbInitializer, func(existing, desired client.Object) error {
+		existingInitializer := existing.(*v1alpha1.TidbInitializer)
+		desiredInitializer := desired.(*v1alpha1.TidbInitializer)
+
+		existingInitializer.Labels = desiredInitializer.Labels
+		for k, v := range desiredInitializer.Annotations {
+			existingInitializer.Annotations[k] = v
+		}
+		return nil
+	}, true)
+	if err != nil {
+		return nil, err
+	}
+	return result.(*v1alpha1.TidbInitializer), nil
+}
+
 func (w *typedWrapper) CreateOrUpdateService(controller client.Object, svc *corev1.Service) (*corev1.Service, error) {
 	result, err := w.GenericControlInterface.CreateOrUpdate(controller, svc, func(existing, desired client.Object) error {
 		existingSvc := existing.(*corev1.Service)

pkg/manager/member/tidb_member_manager.go

@@ -20,6 +20,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/pingcap/tidb-operator/pkg/backup/constants"
+
 	"github.com/pingcap/tidb-operator/pkg/apis/label"
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
 	"github.com/pingcap/tidb-operator/pkg/controller"
@@ -39,6 +41,7 @@ import (
 	"k8s.io/klog/v2"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -241,10 +244,74 @@ func (m *tidbMemberManager) syncTiDBStatefulSetForTidbCluster(tc *v1alpha1.TidbC
 			return err
 		}
 	}
+	// set random password
+	if tc.Spec.TiDB.Initializer != nil && tc.Spec.TiDB.Initializer.CreatePassword && !tc.Status.TiDB.InitPassword {
+		// sync password secret
+		secret := m.buildRandomPasswordSecret(tc)
+		secret, err := m.deps.TypedControl.CreateOrUpdateSecret(tc, secret)
+		if err != nil {
+			return err
+		}
+		tidbInitializer := &v1alpha1.TidbInitializer{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "TidbCluster",
+				APIVersion: "pingcap.com/v1alpha1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("%s-init", tc.Name),
+				Namespace: tc.Namespace,
+			},
+			Spec: v1alpha1.TidbInitializerSpec{
+				Clusters: v1alpha1.TidbClusterRef{
+					Name:      tc.Name,
+					Namespace: tc.Namespace,
+				},
+				PasswordSecret: pointer.StringPtr(secret.Name),
+			},
+		}
+
+		exist, err := m.deps.TypedControl.Exist(client.ObjectKey{
+			Namespace: tidbInitializer.Namespace,
+			Name:      tidbInitializer.Name,
+		}, tidbInitializer)
+		if err != nil {
+			return err
+		}
+		if !exist {
+			_, err = m.deps.TypedControl.CreateOrUpdateTidbInitializer(tc, tidbInitializer)
+			if err != nil {
+				return err
+			}
+
+		}
+
+		existInitializer, err := m.deps.TiDBInitializerLister.TidbInitializers(tidbInitializer.Namespace).Get(tidbInitializer.Name)
+		if err != nil {
+			return err
+		}
+		if existInitializer.Status.Phase == v1alpha1.InitializePhaseCompleted {
+			tc.Status.TiDB.InitPassword = true
+		}
+	}
 
 	return mngerutils.UpdateStatefulSet(m.deps.StatefulSetControl, tc, newTiDBSet, oldTiDBSet)
 }
 
+func (m *tidbMemberManager) buildRandomPasswordSecret(tc *v1alpha1.TidbCluster) *corev1.Secret {
+
+	s := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-secret", tc.Name),
+			Namespace: tc.Namespace,
+		},
+	}
+	password := util.FixedLengthRandomPasswordBytes()
+	s.Data = map[string][]byte{
+		constants.TidbPasswordKey: password,
+	}
+	return s
+}
+
 func (m *tidbMemberManager) shouldRecover(tc *v1alpha1.TidbCluster) bool {
 	if tc.Status.TiDB.FailureMembers == nil {
 		return false