
cluster: support enable or disable TLS for an existing cluster #1657

Merged: 40 commits merged into pingcap:master on Dec 23, 2021

Conversation

srstack
Collaborator

@srstack srstack commented Dec 7, 2021

What problem does this PR solve?

close #1598

Only supports single-PD-node clusters.

What is changed and how it works?

Add a new tiup-cluster subcommand:

    tiup-cluster tls -h
    Enable/Disable TLS between TiDB components

    Usage:
      tiup-cluster tls <cluster-name> <enable/disable> [flags]

    Flags:
          --clean-certificate    Cleanup the certificate file if it already exists when tls disable
          --force                Force enable/disable tls regardless of the current state
      -h, --help                 help for tls
          --reload-certificate   Load the certificate file whether it exists or not when tls enable

  1. First check whether the number of PD nodes is 1
  2. Generate/Delete certificate key and push it to the TiDB components
  3. Refresh components configuration file
  4. Restart cluster
  5. Update PD-Etcd memberList

Check List

Tests

  • Manual test (add detailed scripts or steps below)
    It is best to run tpcc during the manual test

enable

    ./tiup-cluster tls cluster-name enable --reload-certificate
    ./tiup-cluster display cluster-name
    ./tiup-cluster scale-out cluster-name scale-out.yaml

disable

    ./tiup-cluster tls cluster-name disable --clean-certificate
    ./tiup-cluster display cluster-name
    ./tiup-cluster scale-out cluster-name scale-out.yaml

Code changes

  • Has exported function/method change
  • Has exported variable/fields change
  • Has interface methods change
  • Has persistent data change

Side effects

  • Possible performance regression
  • Increased code complexity

Related changes

  • Need to cherry-pick to the release branch
  • Need to update the documentation

Release notes:

NONE
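The five steps above and the `--force` / `--reload-certificate` / `--clean-certificate` flags describe a small state machine plus a certificate rollout. The Go program below is an added example (not tiup's own code, and not its `cacert.go`): `PlanTLSChange` reproduces the two preconditions visible in this PR (exactly one PD node, and no-op when the cluster is already in the requested state unless forced) and returns the ordered steps; `NewCA`, `NewComponentCert`, `issue` and `VerifyAgainstCA` show, with Go's standard `crypto/x509`, what "generate certificate key and push it to the components" has to produce for peers to accept each other: a leaf chaining to the cluster CA with SANs for the names the component is reached by. The function names, the CA common name and the hosts `pd-1.example.internal` / `10.0.0.5` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrMultiPD reproduces the single-PD-node limitation stated in the PR.
var ErrMultiPD = errors.New("having multiple PD nodes is not supported when enabling/disabling TLS")

// PlanTLSChange mirrors the subcommand's preconditions and returns the ordered
// steps it would run; nil means the cluster is already in the requested state.
func PlanTLSChange(tlsEnabled bool, pdCount int, enable, force, reloadCert, cleanCert bool) ([]string, error) {
	if pdCount != 1 {
		return nil, ErrMultiPD
	}
	if tlsEnabled == enable && !force {
		return nil, nil // idempotent: nothing to do unless --force is given
	}
	var steps []string
	switch {
	case enable && reloadCert: // --reload-certificate regenerates even if files exist
		steps = append(steps, "regenerate certificate and key", "push certificate to TiDB components")
	case enable:
		steps = append(steps, "generate certificate and key if missing", "push certificate to TiDB components")
	case cleanCert: // --clean-certificate removes the files on disable
		steps = append(steps, "delete certificate files")
	}
	return append(steps, "refresh component configuration", "restart cluster", "update PD etcd member list"), nil
}

// issue signs tmpl with signer (the parent's key) and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed P-256 cluster CA (hypothetical helper, not tiup's cacert.go).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(87600 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, key, key)
	return cert, key, err
}

// NewComponentCert issues a CA-signed leaf whose SANs are the hosts the component is
// reached by; server and client auth are both set because components authenticate each other.
func NewComponentCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, component string, hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: component},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(8760 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts { // IP literals become IP SANs, everything else DNS SANs
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return issue(tmpl, ca, key, caKey)
}

// VerifyAgainstCA is what a peer checks on connect: a chain to the cluster CA
// and a SAN matching the dialed name (DNS or IP).
func VerifyAgainstCA(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	steps, _ := PlanTLSChange(false, 1, true, false, true, false)
	ca, caKey, _ := NewCA()
	leaf, _ := NewComponentCert(ca, caKey, "pd", []string{"pd-1.example.internal", "10.0.0.5"})
	fmt.Println(steps, VerifyAgainstCA(leaf, ca, "10.0.0.5"), VerifyAgainstCA(leaf, ca, "tikv-1.example.internal"))
}
```

The last `Println` argument shows the failure mode a practitioner should expect after a certificate rollout: a component that is dialed by a name not present in its SANs (here `tikv-1.example.internal`) is rejected even though the certificate chains to the right CA, which is why a cluster topology's host names and IPs both need to land in the SAN list before the restart in step 4.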

@srstack srstack self-assigned this Dec 7, 2021
@ti-chi-bot
Member

ti-chi-bot commented Dec 7, 2021

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • AstroProfundis

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Dec 7, 2021
@codecov-commenter

codecov-commenter commented Dec 7, 2021

Codecov Report

Merging #1657 (770dd3b) into master (c3ecda7) will decrease coverage by 0.91%.
The diff coverage is 64.40%.

❗ Current head 770dd3b differs from pull request most recent head 1ec1562. Consider uploading reports for the commit 1ec1562 to get more accurate results

@@            Coverage Diff             @@
##           master    #1657      +/-   ##
==========================================
- Coverage   48.22%   47.31%   -0.91%     
==========================================
  Files         298      298              
  Lines       33496    34137     +641     
==========================================
  Hits        16151    16151              
- Misses      15258    15899     +641     
  Partials     2087     2087              
Flag       Coverage Δ
tiup       14.66% <0.00%> (-0.14%) ⬇️
unittest   ?

Flags with carried forward coverage won't be shown.

Impacted Files                      Coverage Δ
pkg/cluster/manager/cacert.go       45.00% <ø> (ø)
pkg/cluster/operation/operation.go  80.65% <ø> (ø)
pkg/cluster/spec/profile.go         55.26% <ø> (-10.36%) ⬇️
pkg/cluster/spec/alertmanager.go    58.59% <16.67%> (-9.65%) ⬇️
pkg/cluster/spec/instance.go        50.00% <21.43%> (-16.37%) ⬇️
pkg/cluster/spec/spec.go            57.74% <33.33%> (-18.27%) ⬇️
pkg/cluster/spec/grafana.go         54.46% <40.00%> (-11.08%) ⬇️
pkg/cluster/spec/drainer.go         47.97% <41.18%> (-9.75%) ⬇️
pkg/cluster/spec/pump.go            55.24% <45.16%> (-12.28%) ⬇️
pkg/cluster/spec/tikv.go            48.29% <47.06%> (-10.81%) ⬇️
... and 40 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update c3ecda7...1ec1562.

@AstroProfundis AstroProfundis added this to the v1.9.0 milestone Dec 15, 2021
Contributor

@AstroProfundis AstroProfundis left a comment

I did some manual tests and it seems all functions are working.

Inline comment on the TLS state check:

    // if force is true, skip this check
    if globalOptions.TLSEnabled == enable && !gOpt.Force {
        if enable {
            m.logger.Infof("cluster `%s` TLS status is already enable\n", name)

Suggested change:
    - m.logger.Infof("cluster `%s` TLS status is already enable\n", name)
    + m.logger.Infof("cluster `%s` TLS status is already enabled\n", name)

Inline comment on the "already disable" message:

        if enable {
            m.logger.Infof("cluster `%s` TLS status is already enable\n", name)
        } else {
            m.logger.Infof("cluster `%s` TLS status is already disable\n", name)

Suggested change:
    - m.logger.Infof("cluster `%s` TLS status is already disable\n", name)
    + m.logger.Infof("cluster `%s` TLS status is already disabled\n", name)

Inline comment on the enable success message:

        }

        if enable {
            m.logger.Infof("Enable cluster `%s` TLS between TiDB components successfully", name)

Suggested change:
    - m.logger.Infof("Enable cluster `%s` TLS between TiDB components successfully", name)
    + m.logger.Infof("Enabled TLS between TiDB components for cluster `%s` successfully", name)

Inline comment on the disable success message:

        if enable {
            m.logger.Infof("Enable cluster `%s` TLS between TiDB components successfully", name)
        } else {
            m.logger.Infof("Disable cluster `%s` TLS between TiDB components successfully", name)

Suggested change:
    - m.logger.Infof("Disable cluster `%s` TLS between TiDB components successfully", name)
    + m.logger.Infof("Disabled TLS between TiDB components for cluster `%s` successfully", name)

Inline comment on the PD node count check:

        }

        if len(clusterSpec.PDServers) != 1 {
            return errorx.EnsureStackTrace(fmt.Errorf("Multiple PD nodes is not supported enable/disable TLS")).

Suggested change:
    - return errorx.EnsureStackTrace(fmt.Errorf("Multiple PD nodes is not supported enable/disable TLS")).
    + return errorx.EnsureStackTrace(fmt.Errorf("Having multiple PD nodes is not supported when enable/disable TLS")).

Inline comment on the confirmation prompt:

        if !skipConfirm {
            return tui.PromptForConfirmOrAbortError(
                fmt.Sprintf("Enable/Disable TLS will %s the cluster `%s`\nDo you want to continue? [y/N]:",
                    color.HiYellowString("restart"),

Suggested change:
    - color.HiYellowString("restart"),
    + color.HiYellowString("stop and restart"),

It would be better if we make it clear that the cluster will be unavailable during the process.

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Dec 23, 2021
@AstroProfundis
Contributor

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: 1ec1562

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Dec 23, 2021
@ti-chi-bot ti-chi-bot merged commit 934f837 into pingcap:master Dec 23, 2021
Successfully merging this pull request may close these issues.

Support enable or disable TLS for an existing cluster