From 652df2be1e23c319ee3e46310738a84d01776b9f Mon Sep 17 00:00:00 2001 From: Bo Liu Date: Thu, 19 Dec 2024 15:23:42 +0800 Subject: [PATCH] feat(instance): remove all group dep from instance controllers Signed-off-by: liubo02 --- apis/core/v1alpha1/common_types.go | 25 ++- apis/core/v1alpha1/pd_types.go | 18 +-- apis/core/v1alpha1/tidb_types.go | 109 +++++++------ apis/core/v1alpha1/tiflash_types.go | 12 +- apis/core/v1alpha1/tikv_types.go | 16 +- apis/core/v1alpha1/zz_generated.deepcopy.go | 111 ++++++++++---- manifests/crd/core.pingcap.com_pdgroups.yaml | 25 ++- manifests/crd/core.pingcap.com_pds.yaml | 12 ++ .../crd/core.pingcap.com_tidbgroups.yaml | 143 ++++++++++-------- manifests/crd/core.pingcap.com_tidbs.yaml | 82 ++++++++++ manifests/crd/core.pingcap.com_tiflashes.yaml | 12 ++ .../crd/core.pingcap.com_tiflashgroups.yaml | 21 +-- .../crd/core.pingcap.com_tikvgroups.yaml | 25 ++- manifests/crd/core.pingcap.com_tikvs.yaml | 12 ++ pkg/configs/tidb/config.go | 14 +- pkg/controllers/pd/tasks/ctx.go | 14 -- pkg/controllers/pd/tasks/pod.go | 22 +-- pkg/controllers/tidb/builder.go | 1 - pkg/controllers/tidb/tasks/cm.go | 2 +- pkg/controllers/tidb/tasks/cm_test.go | 8 - pkg/controllers/tidb/tasks/ctx.go | 27 +--- pkg/controllers/tidb/tasks/pod.go | 24 +-- pkg/controllers/tiflash/builder.go | 1 - pkg/controllers/tiflash/tasks/ctx.go | 27 +--- pkg/controllers/tiflash/tasks/pod.go | 6 +- pkg/controllers/tikv/builder.go | 1 - pkg/controllers/tikv/tasks/ctx.go | 27 +--- pkg/controllers/tikv/tasks/pod.go | 22 +-- tests/e2e/cluster/cluster.go | 80 +++++----- 29 files changed, 481 insertions(+), 418 deletions(-) diff --git a/apis/core/v1alpha1/common_types.go b/apis/core/v1alpha1/common_types.go index 8b0b318fc6..11d1bfd4d3 100644 --- a/apis/core/v1alpha1/common_types.go +++ b/apis/core/v1alpha1/common_types.go 
@@ -57,7 +57,7 @@ const ( // Since the tidb operator will overlay the user-specified config with some operator-managed fields, // if we hash the overlayed config, with the evolving TiDB Operator, the hash may change, // potentially triggering an unexpected rolling update. - // Instead, we choose to hash the user-specified config, + // Instead, we choose to hash the user-specified config, // and the worst case is that users expect a reboot but it doesn't happen. LabelKeyConfigHash = LabelKeyPrefix + "config-hash" ) @@ -112,11 +112,11 @@ const ( type ConfigUpdateStrategy string const ( - // ConfigUpdateStrategyInPlace updates config without restarting. - ConfigUpdateStrategyInPlace ConfigUpdateStrategy = "InPlace" + // ConfigUpdateStrategyHotReload updates config without restarting. + ConfigUpdateStrategyHotReload ConfigUpdateStrategy = "HotReload" - // ConfigUpdateStrategyRollingUpdate performs a rolling-update to apply changed configs. - ConfigUpdateStrategyRollingUpdate ConfigUpdateStrategy = "RollingUpdate" + // ConfigUpdateStrategyRestart performs a restart to apply changed configs. + ConfigUpdateStrategyRestart ConfigUpdateStrategy = "Restart" ) // ObjectMeta is defined for replacing the embedded metav1.ObjectMeta 
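Review bot: The persisted string values change here — `"HotReload"` and `"Restart"` replace `"InPlace"` and `"RollingUpdate"` — and the `+kubebuilder:validation:Enum=Restart;HotReload` marker on the new `UpdateStrategy` type accepts only the new spellings, so any stored group object still carrying an old value would be rejected on its next write once the regenerated CRDs are installed; nothing in this hunk translates old values. That is presumably acceptable for a v1alpha1 API, but it is a breaking change and should be called out in the commit description together with the field move from the group spec to the template spec. The doc comment for `ConfigUpdateStrategyRestart` could also say what is restarted, e.g. `// ConfigUpdateStrategyRestart applies changed configs by restarting the instance.`, if that matches what the controllers do (their pod tasks are listed in the diffstat but not visible here).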
@@ -300,6 +300,21 @@ type GroupStatus struct { UpdatedReplicas int32 `json:"updatedReplicas,omitempty"` } +type UpdateStrategy struct { + // Config determines how the configuration change is applied to the cluster. + // Valid values are "Restart" (by default) and "HotReload". + // +kubebuilder:validation:Enum=Restart;HotReload + // +kubebuilder:default="Restart" + Config ConfigUpdateStrategy `json:"config,omitempty"` +} + +// TLS defines a common tls config for all components +// Now it only support enable or disable. +// TODO(liubo02): add more tls configs +type TLS struct { + Enabled bool `json:"enabled,omitempty"` +} + // ComponentAccessor is the interface to access details of instances/groups managed by TiDB Operator. type ComponentAccessor interface { GetName() string diff --git a/apis/core/v1alpha1/pd_types.go b/apis/core/v1alpha1/pd_types.go index 0bd9d47ed4..c4f872898d 100644 --- a/apis/core/v1alpha1/pd_types.go +++ b/apis/core/v1alpha1/pd_types.go @@ -153,10 +153,6 @@ func (in *PDGroup) IsHealthy() bool { return true } -func (in *PDGroup) MountClusterClientSecret() bool { - return in.Spec.MountClusterClientSecret != nil && *in.Spec.MountClusterClientSecret -} - func (in *PDGroup) GetClientPort() int32 { if in.Spec.Template.Spec.Server.Ports.Client != nil { return in.Spec.Template.Spec.Server.Ports.Client.Port 
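Review bot: `UpdateStrategy` is an exported type added without a doc comment, unlike the `TLS` type right below it; add `// UpdateStrategy defines how changes to an instance's template are applied to its running pod.` above `type UpdateStrategy struct {`. The `TLS` comment ("Now it only support enable or disable") does not say what a component does when `Enabled` is true — which secret it expects to exist and which listener it protects — and that decision sits in the controllers' pod tasks, which are not in this view; the comment should either state the convention or point to where it is defined, since this is the only place a CRD user will read it. Minor: `TLS` sits beside the existing `TLSCluster` type in this package, so a reader may take it for the umbrella type rather than a per-listener switch; a name such as `TLSConfig` would avoid that.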
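Review bot: Removing `MountClusterClientSecret()` from `PDGroup` (and the `mountClusterClientSecret` field in the next `PDGroupSpec` hunk, plus the same method and field in the two `TiKVGroup` hunks further down) takes away the only user-facing switch for mounting `cluster-client-secret` into the pod, but the replacement decision lives in `pkg/controllers/pd/tasks/pod.go` and `pkg/controllers/tikv/tasks/pod.go`, which the diffstat lists and this view does not show. Whether that secret is now mounted unconditionally, never, or only when `TLSCluster` is enabled changes which pods hold the cluster client key pair, so the commit description should say which it is, and the template spec comments should reflect it.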
@@ -287,17 +283,8 @@ type PDGroupSpec struct { // If it's true, it cannot be set to false for security Bootstrapped bool `json:"bootstrapped,omitempty"` - // MountClusterClientSecret indicates whether to mount `cluster-client-secret` to the Pod. - MountClusterClientSecret *bool `json:"mountClusterClientSecret,omitempty"` - SchedulePolicies []SchedulePolicy `json:"schedulePolicies,omitempty"` - // ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - // Valid values are "RollingUpdate" (by default) and "InPlace". - // +kubebuilder:validation:Enum=RollingUpdate;InPlace - // +kubebuilder:default="RollingUpdate" - ConfigUpdateStrategy ConfigUpdateStrategy `json:"configUpdateStrategy,omitempty"` - Template PDTemplate `json:"template"` } @@ -314,8 +301,9 @@ type PDTemplateSpec struct { // Default is pingcap/pd Image *string `json:"image,omitempty"` // Server defines server config for PD - Server PDServer `json:"server,omitempty"` - Resources ResourceRequirements `json:"resources,omitempty"` + Server PDServer `json:"server,omitempty"` + Resources ResourceRequirements `json:"resources,omitempty"` + UpdateStrategy UpdateStrategy `json:"updateStrategy,omitempty"` // Config defines config file of PD Config ConfigFile `json:"config"` // Volumes defines persistent volumes of PD diff --git a/apis/core/v1alpha1/tidb_types.go b/apis/core/v1alpha1/tidb_types.go index aebd8619f5..08ea696c43 100644 --- a/apis/core/v1alpha1/tidb_types.go +++ b/apis/core/v1alpha1/tidb_types.go @@ -15,7 +15,6 @@ package v1alpha1 import ( - "fmt" "strings" corev1 "k8s.io/api/core/v1" 
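Review bot: In the `PDTemplateSpec` hunk, `UpdateStrategy UpdateStrategy \`json:"updateStrategy,omitempty"\`` is the only field in the struct without a doc comment; add `// UpdateStrategy defines how changes to this template are applied to the running PD instance.` above it. The same applies to the identical field added in the `TiDBTemplateSpec`, `TiFlashTemplateSpec` and `TiKVTemplateSpec` hunks. Because CRD descriptions are generated from these comments, the regenerated manifests below render `updateStrategy:` with `properties` but no `description`, so the omission is visible to every `kubectl explain` user.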
@@ -46,10 +45,10 @@ const ( ) const ( - // TiDBServerTLSVolumeName is the volume name for the TLS secret used by TLS communication between TiDB server and MySQL client. - TiDBServerTLSVolumeName = NamePrefix + "tidb-server-tls" - // TiDBServerTLSMountPath is the volume mount path for the TLS secret used by TLS communication between TiDB server and MySQL client. - TiDBServerTLSMountPath = "/var/lib/tidb-server-tls" + // TiDBSQLTLSVolumeName is the volume name for the TLS secret used by TLS communication between TiDB server and MySQL client. + TiDBSQLTLSVolumeName = NamePrefix + "tidb-sql-tls" + // TiDBSQLTLSMountPath is the volume mount path for the TLS secret used by TLS communication between TiDB server and MySQL client. + TiDBSQLTLSMountPath = "/var/lib/tidb-sql-tls" ) const ( 
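Review bot: `TiDBSQLTLSMountPath = "/var/lib/tidb-sql-tls"` moves the mount point of the server certificate, so the pod template of every existing TiDB instance changes on operator upgrade and — under the default `Restart` strategy, as far as this diff shows — the pods are recreated; the certificate paths written into the TiDB config file must move with the constant or the restarted server will fail to load its certificate. The diffstat lists `pkg/configs/tidb/config.go`, which is presumably where those paths are built, but it is not in this view; confirm it references `TiDBSQLTLSMountPath` rather than a literal path, and note the restart in the commit description.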
@@ -313,29 +312,8 @@ type TiDBGroupSpec struct { // Service defines some fields used to override the default service. Service *TiDBService `json:"service,omitempty"` - // Whether enable the TLS connection between the TiDB server and MySQL client. - TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"` - - // BootstrapSQLConfigMapName is the name of the ConfigMap which contains the bootstrap SQL file with the key `bootstrap-sql`, - // which will only be executed when a TiDB cluster bootstrap on the first time. - // The field should be set ONLY when create the first TiDB group for a cluster, since it only take effect on the first time bootstrap. - // Only v6.5.1+ supports this feature. - BootstrapSQLConfigMapName *string `json:"bootstrapSQLConfigMapName,omitempty"` - - // Whether enable `tidb_auth_token` authentication method. - // To enable this feature, a K8s secret named `-tidb-auth-token-jwks-secret` must be created to store the JWKs. - // ref: https://docs.pingcap.com/tidb/stable/security-compatibility-with-mysql#tidb_auth_token - // Defaults to false. - TiDBAuthToken *TiDBAuthToken `json:"tidbAuthToken,omitempty"` - SchedulePolicies []SchedulePolicy `json:"schedulePolicies,omitempty"` - // ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - // Valid values are "RollingUpdate" (by default) and "InPlace". - // +kubebuilder:validation:Enum=RollingUpdate;InPlace - // +kubebuilder:default="RollingUpdate" - ConfigUpdateStrategy ConfigUpdateStrategy `json:"configUpdateStrategy,omitempty"` - Template TiDBTemplate `json:"template"` } 
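Review bot: Dropping `TLSClient`, `BootstrapSQLConfigMapName` and `TiDBAuthToken` from `TiDBGroupSpec` means a stored `TiDBGroup` with `tlsClient.enabled: true` has that field pruned once the new CRD is applied, while the replacement `template.spec.security.tls.mysql.enabled` is unset, so as far as this diff shows an upgraded cluster ends up accepting plaintext MySQL connections until someone migrates the spec by hand; the same applies to the JWKS-based `tidb_auth_token` setting. Nothing here converts the old fields, so at minimum the commit description should spell out the manual migration (old field → new path) and that it has to land before or together with the CRD update. `TiDBGroupSpec` starts outside the hunk.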
@@ -357,7 +335,10 @@ type TiDBTemplateSpec struct { // Resources defines resource required by TiDB. Resources ResourceRequirements `json:"resources,omitempty"` // Config defines config file of TiDB. - Config ConfigFile `json:"config"` + Config ConfigFile `json:"config"` + UpdateStrategy UpdateStrategy `json:"updateStrategy,omitempty"` + + Security *TiDBSecurity `json:"security,omitempty"` // Volumes defines data volume of TiDB, it is optional. Volumes []Volume `json:"volumes,omitempty"` @@ -372,6 +353,25 @@ type TiDBTemplateSpec struct { Overlay *Overlay `json:"overlay,omitempty"` } +type TiDBSecurity struct { + // Whether enable the TLS connection between the TiDB server and MySQL client. + // TODO(liubo02): rename the TiDBTLSClient struct, + TLS *TiDBTLS `json:"tls,omitempty"` + + // BootstrapSQL refer to a configmap which contains the bootstrap SQL file with the key `bootstrap-sql`, + // which will only be executed when a TiDB cluster bootstrap on the first time. + // The field should be set ONLY when create the first TiDB group for a cluster, since it only take effect on the first time bootstrap. + // Only v6.5.1+ supports this feature. + // TODO(liubo02): move to cluster spec + BootstrapSQL *corev1.LocalObjectReference `json:"bootstrapSQL,omitempty"` + + // Whether enable `tidb_auth_token` authentication method. + // To enable this feature, a K8s secret named `-tidb-auth-token-jwks-secret` must be created to store the JWKs. + // ref: https://docs.pingcap.com/tidb/stable/security-compatibility-with-mysql#tidb_auth_token + // Defaults to false. + AuthToken *TiDBAuthToken `json:"authToken,omitempty"` +} + type TiDBServer struct { // Port defines all ports listened by TiDB. Ports TiDBPorts `json:"ports,omitempty"` 
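Review bot: Two comments in the new `TiDBSecurity` struct are already stale within this commit: `// TODO(liubo02): rename the TiDBTLSClient struct,` sits above `TLS *TiDBTLS`, yet the rename happens in the next hunk, and the `AuthToken` comment still says a secret named `-tidb-auth-token-jwks-secret` must exist and `Defaults to false`, whereas the new `TiDBAuthToken.JWKs` field names the secret explicitly and `IsTokenBasedAuthEnabled` treats a non-nil pointer as enabled. Replace them with `// TLS configures TLS for the connections TiDB serves.` and `// AuthToken enables the tidb_auth_token method; the JWKS are read from the Secret named in JWKs. Disabled when nil.` (the `ref:` link can stay). `TiDBSecurity` itself and the `Security` field added in the previous hunk are exported and have no doc comment either, which is why the generated `security:` block in the tidbgroups CRD below carries no description.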
@@ -437,7 +437,7 @@ type TiDBService struct { Type corev1.ServiceType `json:"type,omitempty"` } -type TiDBTLSClient struct { +type TiDBTLS struct { // When enabled, TiDB will accept TLS encrypted connections from MySQL clients. // The steps to enable this feature: // 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. 
@@ -446,29 +446,29 @@ type TiDBTLSClient struct { // - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ // - or use cert-manager signed certificates: https://cert-manager.io/ // 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. - // The name of this Secret must be: --server-secret. - // kubectl create secret generic --server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + // The name of this Secret must be: -tidb-server-secret. + // kubectl create secret generic -tidb-server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= // 3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator. - // The name of this Secret must be: --client-secret. - // kubectl create secret generic --client-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + // The name of this Secret must be: -tidb-client-secret. + // kubectl create secret generic -tidb-client-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= // 4. Set Enabled to `true`. - Enabled bool `json:"enabled,omitempty"` + MySQL *TLS `json:"mysql,omitempty"` // TODO(csuzhangxc): usage of the following fields + // TODO(liubo02): uncomment them after it's worked // DisableClientAuthn will skip client's certificate validation from the TiDB server. // Optional: defaults to false - DisableClientAuthn bool `json:"disableClientAuthn,omitempty"` + // DisableClientAuthn bool `json:"disableClientAuthn,omitempty"` // SkipInternalClientCA will skip TiDB server's certificate validation for internal components like Initializer, Dashboard, etc. 
// Optional: defaults to false - SkipInternalClientCA bool `json:"skipInternalClientCA,omitempty"` + // SkipInternalClientCA bool `json:"skipInternalClientCA,omitempty"` } type TiDBAuthToken struct { - // Enabled indicates whether the `tidb_auth_token` authentication method is enabled. - // Defaults to false. - Enabled bool `json:"enabled,omitempty"` + // Secret name of jwks + JWKs corev1.LocalObjectReference `json:"jwks"` } type TiDBGroupStatus struct { 
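Review bot: The enabling guide above `MySQL *TLS` still ends with `4. Set Enabled to \`true\`.`, but the field a user now sets is `mysql.enabled`; change it to `4. Set mysql.enabled to \`true\`.`. The secret-name lines were edited to `-tidb-server-secret` / `-tidb-client-secret`, but the placeholder in front of the dash appears to have been lost, and `MySQLTLSSecretName()` in the later hunk derives the name from `NamePrefixAndSuffix()`, so the comment should state what that prefix is (the group name, if that is what the helper returns) instead of leaving the reader to guess. The two fields commented out under `// TODO(liubo02): uncomment them after it's worked` are dead text in an API type; either delete them and keep the TODO or track them in an issue, and when `DisableClientAuthn` does come back its comment should say plainly that it turns off client-certificate verification on the MySQL listener.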
@@ -499,29 +499,28 @@ type TiDBStatus struct { CommonStatus `json:",inline"` } -// IsTLSClientEnabled returns whether the TLS between TiDB server and MySQL client is enabled. -func (in *TiDBGroup) IsTLSClientEnabled() bool { - return in.Spec.TLSClient != nil && in.Spec.TLSClient.Enabled +// IsMySQLTLSEnabled returns whether the TLS between TiDB server and MySQL client is enabled. +func (in *TiDB) IsMySQLTLSEnabled() bool { + return in.Spec.Security != nil && in.Spec.Security.TLS != nil && in.Spec.Security.TLS.MySQL != nil && in.Spec.Security.TLS.MySQL.Enabled } -// TiDBServerTLSSecretName returns the secret name used in TiDB server for the TLS between TiDB server and MySQL client. -func (in *TiDBGroup) TiDBServerTLSSecretName() string { - return fmt.Sprintf("%s-tidb-server-secret", in.Name) -} - -// TiDBClientTLSSecretName returns the secret name used in MySQL client for the TLS between TiDB server and MySQL client. -func (in *TiDBGroup) TiDBClientTLSSecretName() string { - return fmt.Sprintf("%s-tidb-client-secret", in.Name) +// MySQLTLSSecretName returns the secret name used in TiDB server for the TLS between TiDB server and MySQL client. 
+func (in *TiDB) MySQLTLSSecretName() string { + prefix, _ := in.NamePrefixAndSuffix() + return prefix + "-tidb-server-secret" } -func (in *TiDBGroup) IsBootstrapSQLEnabled() bool { - return in.Spec.BootstrapSQLConfigMapName != nil && *in.Spec.BootstrapSQLConfigMapName != "" +func (in *TiDB) IsBootstrapSQLEnabled() bool { + return in.Spec.Security != nil && in.Spec.Security.BootstrapSQL != nil } -func (dbg *TiDBGroup) IsTokenBasedAuthEnabled() bool { - return dbg.Spec.TiDBAuthToken != nil && dbg.Spec.TiDBAuthToken.Enabled +func (in *TiDB) IsTokenBasedAuthEnabled() bool { + return in.Spec.Security != nil && in.Spec.Security.AuthToken != nil } -func (dbg *TiDBGroup) TiDBAuthTokenJWKSSecretName() string { - return fmt.Sprintf("%s-tidb-auth-token-jwks-secret", dbg.Spec.Cluster.Name) +func (in *TiDB) AuthTokenJWKSSecretName() string { + if in.IsTokenBasedAuthEnabled() { + return in.Spec.Security.AuthToken.JWKs.Name + } + return "" } diff --git a/apis/core/v1alpha1/tiflash_types.go b/apis/core/v1alpha1/tiflash_types.go index 9f4b2ad723..fe09572cab 100644 --- a/apis/core/v1alpha1/tiflash_types.go +++ b/apis/core/v1alpha1/tiflash_types.go @@ -300,13 +300,8 @@ type TiFlashGroupSpec struct { Replicas *int32 `json:"replicas"` Version string `json:"version"` - // ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - // Valid values are "RollingUpdate" (by default) and "InPlace". - // +kubebuilder:validation:Enum=RollingUpdate;InPlace - // +kubebuilder:default="RollingUpdate" - ConfigUpdateStrategy ConfigUpdateStrategy `json:"configUpdateStrategy,omitempty"` - SchedulePolicies []SchedulePolicy `json:"schedulePolicies,omitempty"` - Template TiFlashTemplate `json:"template"` + SchedulePolicies []SchedulePolicy `json:"schedulePolicies,omitempty"` + Template TiFlashTemplate `json:"template"` } type TiFlashTemplate struct { 
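Review bot: `IsBootstrapSQLEnabled` and `IsTokenBasedAuthEnabled` now report enabled as soon as the pointer is non-nil, whereas the removed `TiDBGroup` versions also required a non-empty name; the regenerated CRD gives `LocalObjectReference.name` a default of `""`, so `security: {bootstrapSQL: {}}` or `security: {authToken: {jwks: {}}}` passes API validation and `AuthTokenJWKSSecretName()` returns `""`, which then reaches whatever builds the volume or env from it. Restore the name check: `return in.Spec.Security != nil && in.Spec.Security.BootstrapSQL != nil && in.Spec.Security.BootstrapSQL.Name != ""` and `return in.Spec.Security != nil && in.Spec.Security.AuthToken != nil && in.Spec.Security.AuthToken.JWKs.Name != ""`. `MySQLTLSSecretName` discards the second result of `NamePrefixAndSuffix()` with `_`; if that is a suffix rather than an error the discard is fine, but a short comment saying so would save the next reader the lookup.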
@@ -326,6 +321,9 @@ type TiFlashTemplateSpec struct { // Config defines config file of TiFlash Config ConfigFile `json:"config"` + + UpdateStrategy UpdateStrategy `json:"updateStrategy,omitempty"` + // ProxyConfig defines config file of TiFlash proxy ProxyConfig ConfigFile `json:"proxyConfig,omitempty"` diff --git a/apis/core/v1alpha1/tikv_types.go b/apis/core/v1alpha1/tikv_types.go index f043e2211a..1c78ada093 100644 --- a/apis/core/v1alpha1/tikv_types.go +++ b/apis/core/v1alpha1/tikv_types.go @@ -151,10 +151,6 @@ func (in *TiKVGroup) GetDesiredReplicas() int32 { return *in.Spec.Replicas } -func (in *TiKVGroup) MountClusterClientSecret() bool { - return in.Spec.MountClusterClientSecret != nil && *in.Spec.MountClusterClientSecret -} - func (in *TiKVGroup) GetDesiredVersion() string { return in.Spec.Version } @@ -291,19 +287,10 @@ type TiKVGroupSpec struct { Replicas *int32 `json:"replicas"` Version string `json:"version"` - // MountClusterClientSecret indicates whether to mount `cluster-client-secret` to the Pod. - MountClusterClientSecret *bool `json:"mountClusterClientSecret,omitempty"` - // +listType=map // +listMapKey=type SchedulePolicies []SchedulePolicy `json:"schedulePolicies,omitempty"` - // ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - // Valid values are "RollingUpdate" (by default) and "InPlace". - // +kubebuilder:validation:Enum=RollingUpdate;InPlace - // +kubebuilder:default="RollingUpdate" - ConfigUpdateStrategy ConfigUpdateStrategy `json:"configUpdateStrategy,omitempty"` - Template TiKVTemplate `json:"template"` } 
@@ -324,7 +311,8 @@ type TiKVTemplateSpec struct { // Resources defines resource required by TiKV Resources ResourceRequirements `json:"resources,omitempty"` // Config defines config file of TiKV - Config ConfigFile `json:"config"` + Config ConfigFile `json:"config"` + UpdateStrategy UpdateStrategy `json:"updateStrategy,omitempty"` // Volumes defines data volume of TiKV Volumes []Volume `json:"volumes"` diff --git a/apis/core/v1alpha1/zz_generated.deepcopy.go b/apis/core/v1alpha1/zz_generated.deepcopy.go index d70d246891..c04a73bf8a 100644 --- a/apis/core/v1alpha1/zz_generated.deepcopy.go +++ b/apis/core/v1alpha1/zz_generated.deepcopy.go @@ -399,11 +399,6 @@ func (in *PDGroupSpec) DeepCopyInto(out *PDGroupSpec) { *out = new(int32) **out = **in } - if in.MountClusterClientSecret != nil { - in, out := &in.MountClusterClientSecret, &out.MountClusterClientSecret - *out = new(bool) - **out = **in - } if in.SchedulePolicies != nil { in, out := &in.SchedulePolicies, &out.SchedulePolicies *out = make([]SchedulePolicy, len(*in)) @@ -589,6 +584,7 @@ func (in *PDTemplateSpec) DeepCopyInto(out *PDTemplateSpec) { } in.Server.DeepCopyInto(&out.Server) in.Resources.DeepCopyInto(&out.Resources) + out.UpdateStrategy = in.UpdateStrategy if in.Volumes != nil { in, out := &in.Volumes, &out.Volumes *out = make([]Volume, len(*in)) 
@@ -788,6 +784,22 @@ func (in *SuspendAction) DeepCopy() *SuspendAction { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLS) DeepCopyInto(out *TLS) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS. +func (in *TLS) DeepCopy() *TLS { + if in == nil { + return nil + } + out := new(TLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSCluster) DeepCopyInto(out *TLSCluster) { *out = *in @@ -835,6 +847,7 @@ func (in *TiDB) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiDBAuthToken) DeepCopyInto(out *TiDBAuthToken) { *out = *in + out.JWKs = in.JWKs return } @@ -923,21 +936,6 @@ func (in *TiDBGroupSpec) DeepCopyInto(out *TiDBGroupSpec) { *out = new(TiDBService) **out = **in } - if in.TLSClient != nil { - in, out := &in.TLSClient, &out.TLSClient - *out = new(TiDBTLSClient) - **out = **in - } - if in.BootstrapSQLConfigMapName != nil { - in, out := &in.BootstrapSQLConfigMapName, &out.BootstrapSQLConfigMapName - *out = new(string) - **out = **in - } - if in.TiDBAuthToken != nil { - in, out := &in.TiDBAuthToken, &out.TiDBAuthToken - *out = new(TiDBAuthToken) - **out = **in - } if in.SchedulePolicies != nil { in, out := &in.SchedulePolicies, &out.SchedulePolicies *out = make([]SchedulePolicy, len(*in)) 
@@ -1078,6 +1076,37 @@ func (in *TiDBProbes) DeepCopy() *TiDBProbes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TiDBSecurity) DeepCopyInto(out *TiDBSecurity) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TiDBTLS) + (*in).DeepCopyInto(*out) + } + if in.BootstrapSQL != nil { + in, out := &in.BootstrapSQL, &out.BootstrapSQL + *out = new(corev1.LocalObjectReference) + **out = **in + } + if in.AuthToken != nil { + in, out := &in.AuthToken, &out.AuthToken + *out = new(TiDBAuthToken) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiDBSecurity. +func (in *TiDBSecurity) DeepCopy() *TiDBSecurity { + if in == nil { + return nil + } + out := new(TiDBSecurity) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiDBServer) DeepCopyInto(out *TiDBServer) { *out = *in @@ -1176,17 +1205,22 @@ func (in *TiDBStatus) DeepCopy() *TiDBStatus { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TiDBTLSClient) DeepCopyInto(out *TiDBTLSClient) { +func (in *TiDBTLS) DeepCopyInto(out *TiDBTLS) { *out = *in + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = new(TLS) + **out = **in + } return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiDBTLSClient. -func (in *TiDBTLSClient) DeepCopy() *TiDBTLSClient { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiDBTLS. +func (in *TiDBTLS) DeepCopy() *TiDBTLS { if in == nil { return nil } - out := new(TiDBTLSClient) + out := new(TiDBTLS) in.DeepCopyInto(out) return out } 
@@ -1220,6 +1254,12 @@ func (in *TiDBTemplateSpec) DeepCopyInto(out *TiDBTemplateSpec) { in.Server.DeepCopyInto(&out.Server) in.Probes.DeepCopyInto(&out.Probes) in.Resources.DeepCopyInto(&out.Resources) + out.UpdateStrategy = in.UpdateStrategy + if in.Security != nil { + in, out := &in.Security, &out.Security + *out = new(TiDBSecurity) + (*in).DeepCopyInto(*out) + } if in.Volumes != nil { in, out := &in.Volumes, &out.Volumes *out = make([]Volume, len(*in)) @@ -1565,6 +1605,7 @@ func (in *TiFlashTemplateSpec) DeepCopyInto(out *TiFlashTemplateSpec) { } in.Server.DeepCopyInto(&out.Server) in.Resources.DeepCopyInto(&out.Resources) + out.UpdateStrategy = in.UpdateStrategy if in.Volumes != nil { in, out := &in.Volumes, &out.Volumes *out = make([]Volume, len(*in)) @@ -1693,11 +1734,6 @@ func (in *TiKVGroupSpec) DeepCopyInto(out *TiKVGroupSpec) { *out = new(int32) **out = **in } - if in.MountClusterClientSecret != nil { - in, out := &in.MountClusterClientSecret, &out.MountClusterClientSecret - *out = new(bool) - **out = **in - } if in.SchedulePolicies != nil { in, out := &in.SchedulePolicies, &out.SchedulePolicies *out = make([]SchedulePolicy, len(*in)) @@ -1904,6 +1940,7 @@ func (in *TiKVTemplateSpec) DeepCopyInto(out *TiKVTemplateSpec) { } in.Server.DeepCopyInto(&out.Server) in.Resources.DeepCopyInto(&out.Resources) + out.UpdateStrategy = in.UpdateStrategy if in.Volumes != nil { in, out := &in.Volumes, &out.Volumes *out = make([]Volume, len(*in)) 
@@ -1956,6 +1993,22 @@ func (in Topology) DeepCopy() Topology { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpdateStrategy) DeepCopyInto(out *UpdateStrategy) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateStrategy. +func (in *UpdateStrategy) DeepCopy() *UpdateStrategy { + if in == nil { + return nil + } + out := new(UpdateStrategy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Volume) DeepCopyInto(out *Volume) { *out = *in diff --git a/manifests/crd/core.pingcap.com_pdgroups.yaml b/manifests/crd/core.pingcap.com_pdgroups.yaml index c50a575bfc..4668d56867 100644 --- a/manifests/crd/core.pingcap.com_pdgroups.yaml +++ b/manifests/crd/core.pingcap.com_pdgroups.yaml @@ -65,19 +65,6 @@ spec: required: - name type: object - configUpdateStrategy: - default: RollingUpdate - description: |- - ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - Valid values are "RollingUpdate" (by default) and "InPlace". - enum: - - RollingUpdate - - InPlace - type: string - mountClusterClientSecret: - description: MountClusterClientSecret indicates whether to mount `cluster-client-secret` - to the Pod. - type: boolean replicas: format: int32 type: integer @@ -215,6 +202,18 @@ spec: type: object type: object type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object volumes: description: Volumes defines persistent volumes of PD items: 
diff --git a/manifests/crd/core.pingcap.com_pds.yaml b/manifests/crd/core.pingcap.com_pds.yaml index b4830e3f35..371cc6ed50 100644 --- a/manifests/crd/core.pingcap.com_pds.yaml +++ b/manifests/crd/core.pingcap.com_pds.yaml @@ -138,6 +138,18 @@ spec: It will be translated into a node affinity config Topology cannot be changed type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object version: description: Version specifies the PD version type: string diff --git a/manifests/crd/core.pingcap.com_tidbgroups.yaml b/manifests/crd/core.pingcap.com_tidbgroups.yaml index f4bcc915d4..00c8afea73 100644 --- a/manifests/crd/core.pingcap.com_tidbgroups.yaml +++ b/manifests/crd/core.pingcap.com_tidbgroups.yaml @@ -51,13 +51,6 @@ spec: spec: description: TiDBGroupSpec describes the common attributes of a TiDBGroup. properties: - bootstrapSQLConfigMapName: - description: |- - BootstrapSQLConfigMapName is the name of the ConfigMap which contains the bootstrap SQL file with the key `bootstrap-sql`, - which will only be executed when a TiDB cluster bootstrap on the first time. - The field should be set ONLY when create the first TiDB group for a cluster, since it only take effect on the first time bootstrap. - Only v6.5.1+ supports this feature. - type: string cluster: properties: name: @@ -65,15 +58,6 @@ spec: required: - name type: object - configUpdateStrategy: - default: RollingUpdate - description: |- - ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - Valid values are "RollingUpdate" (by default) and "InPlace". - enum: - - RollingUpdate - - InPlace - type: string replicas: format: int32 type: integer 
@@ -223,6 +207,76 @@ spec: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object + security: + properties: + authToken: + description: |- + Whether enable `tidb_auth_token` authentication method. + To enable this feature, a K8s secret named `-tidb-auth-token-jwks-secret` must be created to store the JWKs. + ref: https://docs.pingcap.com/tidb/stable/security-compatibility-with-mysql#tidb_auth_token + Defaults to false. + properties: + jwks: + description: Secret name of jwks + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - jwks + type: object + bootstrapSQL: + description: |- + BootstrapSQL refer to a configmap which contains the bootstrap SQL file with the key `bootstrap-sql`, + which will only be executed when a TiDB cluster bootstrap on the first time. + The field should be set ONLY when create the first TiDB group for a cluster, since it only take effect on the first time bootstrap. + Only v6.5.1+ supports this feature. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + tls: + description: Whether enable the TLS connection between + the TiDB server and MySQL client. 
+ properties: + mysql: + description: |- + When enabled, TiDB will accept TLS encrypted connections from MySQL clients. + The steps to enable this feature: + 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. + There are multiple ways to generate certificates: + - user-provided certificates: https://docs.pingcap.com/tidb/stable/generate-self-signed-certificates + - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ + - or use cert-manager signed certificates: https://cert-manager.io/ + 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. + The name of this Secret must be: -tidb-server-secret. + kubectl create secret generic -tidb-server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + 3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator. + The name of this Secret must be: -tidb-client-secret. + kubectl create secret generic -tidb-client-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + 4. Set Enabled to `true`. + properties: + enabled: + type: boolean + type: object + type: object + type: object server: description: Server defines the server configuration of TiDB. properties: @@ -288,6 +342,18 @@ spec: Otherwise, it should be a name of a volume defined in the `volumes` field of the TiDBTemplateSpec. type: string type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object volumes: description: Volumes defines data volume of TiDB, it is optional. items: 
@@ -358,51 +424,6 @@ spec: required: - spec type: object - tidbAuthToken: - description: |- - Whether enable `tidb_auth_token` authentication method. - To enable this feature, a K8s secret named `-tidb-auth-token-jwks-secret` must be created to store the JWKs. - ref: https://docs.pingcap.com/tidb/stable/security-compatibility-with-mysql#tidb_auth_token - Defaults to false. - properties: - enabled: - description: |- - Enabled indicates whether the `tidb_auth_token` authentication method is enabled. - Defaults to false. - type: boolean - type: object - tlsClient: - description: Whether enable the TLS connection between the TiDB server - and MySQL client. - properties: - disableClientAuthn: - description: |- - DisableClientAuthn will skip client's certificate validation from the TiDB server. - Optional: defaults to false - type: boolean - enabled: - description: |- - When enabled, TiDB will accept TLS encrypted connections from MySQL clients. - The steps to enable this feature: - 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. - There are multiple ways to generate certificates: - - user-provided certificates: https://docs.pingcap.com/tidb/stable/generate-self-signed-certificates - - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ - - or use cert-manager signed certificates: https://cert-manager.io/ - 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. - The name of this Secret must be: --server-secret. - kubectl create secret generic --server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= - 3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator. - The name of this Secret must be: --client-secret. 
- kubectl create secret generic --client-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= - 4. Set Enabled to `true`. - type: boolean - skipInternalClientCA: - description: |- - SkipInternalClientCA will skip TiDB server's certificate validation for internal components like Initializer, Dashboard, etc. - Optional: defaults to false - type: boolean - type: object version: type: string required: diff --git a/manifests/crd/core.pingcap.com_tidbs.yaml b/manifests/crd/core.pingcap.com_tidbs.yaml index bc07949027..99648a1931 100644 --- a/manifests/crd/core.pingcap.com_tidbs.yaml +++ b/manifests/crd/core.pingcap.com_tidbs.yaml 
@@ -105,6 +105,76 @@ spec: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object + security: + properties: + authToken: + description: |- + Whether enable `tidb_auth_token` authentication method. + To enable this feature, a K8s secret named `-tidb-auth-token-jwks-secret` must be created to store the JWKs. + ref: https://docs.pingcap.com/tidb/stable/security-compatibility-with-mysql#tidb_auth_token + Defaults to false. + properties: + jwks: + description: Secret name of jwks + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - jwks + type: object + bootstrapSQL: + description: |- + BootstrapSQL refer to a configmap which contains the bootstrap SQL file with the key `bootstrap-sql`, + which will only be executed when a TiDB cluster bootstrap on the first time. + The field should be set ONLY when create the first TiDB group for a cluster, since it only take effect on the first time bootstrap. + Only v6.5.1+ supports this feature. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + tls: + description: Whether enable the TLS connection between the TiDB + server and MySQL client. 
+ properties: + mysql: + description: |- + When enabled, TiDB will accept TLS encrypted connections from MySQL clients. + The steps to enable this feature: + 1. Generate a TiDB server-side certificate and a client-side certifiacete for the TiDB cluster. + There are multiple ways to generate certificates: + - user-provided certificates: https://docs.pingcap.com/tidb/stable/generate-self-signed-certificates + - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ + - or use cert-manager signed certificates: https://cert-manager.io/ + 2. Create a K8s Secret object which contains the TiDB server-side certificate created above. + The name of this Secret must be: -tidb-server-secret. + kubectl create secret generic -tidb-server-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + 3. Create a K8s Secret object which contains the TiDB client-side certificate created above which will be used by TiDB Operator. + The name of this Secret must be: -tidb-client-secret. + kubectl create secret generic -tidb-client-secret --namespace= --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt= + 4. Set Enabled to `true`. + properties: + enabled: + type: boolean + type: object + type: object + type: object server: description: Server defines the server configuration of TiDB. properties: @@ -183,6 +253,18 @@ spec: It will be translated into a node affnity config. Topology cannot be changed. type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object version: description: Version specifies the TiDB version. type: string 
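Review bot: The `tls.mysql` object in this hunk exposes only `enabled`; the `disableClientAuthn` and `skipInternalClientCA` switches that existed on the group's `tlsClient` (removed elsewhere in this patch) have no counterpart, and neither the description nor the commit message says whether dropping them is intentional. If it is, the description should state what TiDB now does with client certificates given that `ssl-ca` is always pointed at the server Secret's `ca.crt` and nothing in the API can turn that off; if not, the two booleans belong on this object. The description also still ends with `4. Set Enabled to true`, which should now read `4. Set security.tls.mysql.enabled to true`, and carries the typo `certifiacete`; both live in the Go doc comment that generates this file.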
diff --git a/manifests/crd/core.pingcap.com_tiflashes.yaml b/manifests/crd/core.pingcap.com_tiflashes.yaml index 16ccdfdad5..456b339012 100644 --- a/manifests/crd/core.pingcap.com_tiflashes.yaml +++ b/manifests/crd/core.pingcap.com_tiflashes.yaml @@ -182,6 +182,18 @@ spec: It will be translated into a node affinity config Topology cannot be changed type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object version: description: Version specifies the TiFlash version type: string diff --git a/manifests/crd/core.pingcap.com_tiflashgroups.yaml b/manifests/crd/core.pingcap.com_tiflashgroups.yaml index 73d1bd21db..10b4423f66 100644 --- a/manifests/crd/core.pingcap.com_tiflashgroups.yaml +++ b/manifests/crd/core.pingcap.com_tiflashgroups.yaml @@ -57,15 +57,6 @@ spec: required: - name type: object - configUpdateStrategy: - default: RollingUpdate - description: |- - ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - Valid values are "RollingUpdate" (by default) and "InPlace". - enum: - - RollingUpdate - - InPlace - type: string replicas: format: int32 type: integer @@ -247,6 +238,18 @@ spec: type: object type: object type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object volumes: description: Volumes defines data volume of TiFlash items: diff --git a/manifests/crd/core.pingcap.com_tikvgroups.yaml b/manifests/crd/core.pingcap.com_tikvgroups.yaml index facd86b086..c95e5db7f2 100644 --- a/manifests/crd/core.pingcap.com_tikvgroups.yaml 
+++ b/manifests/crd/core.pingcap.com_tikvgroups.yaml @@ -58,19 +58,6 @@ spec: required: - name type: object - configUpdateStrategy: - default: RollingUpdate - description: |- - ConfigUpdateStrategy determines how the configuration change is applied to the cluster. - Valid values are "RollingUpdate" (by default) and "InPlace". - enum: - - RollingUpdate - - InPlace - type: string - mountClusterClientSecret: - description: MountClusterClientSecret indicates whether to mount `cluster-client-secret` - to the Pod. - type: boolean replicas: format: int32 type: integer @@ -216,6 +203,18 @@ spec: type: object type: object type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object volumes: description: Volumes defines data volume of TiKV items: diff --git a/manifests/crd/core.pingcap.com_tikvs.yaml b/manifests/crd/core.pingcap.com_tikvs.yaml index 6e0e7089a8..bf2b404b8e 100644 --- a/manifests/crd/core.pingcap.com_tikvs.yaml +++ b/manifests/crd/core.pingcap.com_tikvs.yaml @@ -142,6 +142,18 @@ spec: It will be translated into a node affinity config Topology cannot be changed type: object + updateStrategy: + properties: + config: + default: Restart + description: |- + Config determines how the configuration change is applied to the cluster. + Valid values are "Restart" (by default) and "HotReload". + enum: + - Restart + - HotReload + type: string + type: object version: description: Version specifies the TiKV version type: string diff --git a/pkg/configs/tidb/config.go b/pkg/configs/tidb/config.go index 7ca488aee4..0e6c3f2c7a 100644 --- a/pkg/configs/tidb/config.go +++ b/pkg/configs/tidb/config.go 
@@ -67,7 +67,7 @@ type Log struct { SlowQueryFile string `toml:"slow-query-file"` } -func (c *Config) Overlay(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, tidb *v1alpha1.TiDB) error { +func (c *Config) Overlay(cluster *v1alpha1.Cluster, tidb *v1alpha1.TiDB) error { if err := c.Validate(); err != nil { return err } @@ -77,11 +77,11 @@ func (c *Config) Overlay(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, tid c.Host = "::" c.Path = removeHTTPPrefix(cluster.Status.PD) - if dbg.IsTLSClientEnabled() { + if tidb.IsMySQLTLSEnabled() { // TODO(csuzhangxc): disable Client Authn - c.Security.SSLCA = path.Join(v1alpha1.TiDBServerTLSMountPath, corev1.ServiceAccountRootCAKey) - c.Security.SSLCert = path.Join(v1alpha1.TiDBServerTLSMountPath, corev1.TLSCertKey) - c.Security.SSLKey = path.Join(v1alpha1.TiDBServerTLSMountPath, corev1.TLSPrivateKeyKey) + c.Security.SSLCA = path.Join(v1alpha1.TiDBSQLTLSMountPath, corev1.ServiceAccountRootCAKey) + c.Security.SSLCert = path.Join(v1alpha1.TiDBSQLTLSMountPath, corev1.TLSCertKey) + c.Security.SSLKey = path.Join(v1alpha1.TiDBSQLTLSMountPath, corev1.TLSPrivateKeyKey) } if cluster.IsTLSClusterEnabled() { @@ -92,11 +92,11 @@ func (c *Config) Overlay(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, tid c.Log.SlowQueryFile = getSlowQueryFile(tidb) - if dbg.IsBootstrapSQLEnabled() { + if tidb.IsBootstrapSQLEnabled() { c.InitializeSQLFile = path.Join(v1alpha1.BootstrapSQLFilePath, v1alpha1.BootstrapSQLFileName) } - if dbg.IsTokenBasedAuthEnabled() { + if tidb.IsTokenBasedAuthEnabled() { c.Security.AuthTokenJwks = path.Join(v1alpha1.TiDBAuthTokenPath, v1alpha1.TiDBAuthTokenJWKS) } diff --git a/pkg/controllers/pd/tasks/ctx.go b/pkg/controllers/pd/tasks/ctx.go index f486e7e6ba..b6f620761d 100644 --- a/pkg/controllers/pd/tasks/ctx.go +++ b/pkg/controllers/pd/tasks/ctx.go 
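Review bot: The surviving `// TODO(csuzhangxc): disable Client Authn` inside the renamed `tidb.IsMySQLTLSEnabled()` branch now refers to an option this same patch removed from the API (`disableClientAuthn` on the group's `tlsClient`) without adding one to the new `security.tls.mysql` object, so the TODO is no longer actionable as written. Either point it at the field it is waiting for, e.g. `// TODO: honour a future security.tls.mysql.disableClientAuthn; today ssl-ca is always set from the server Secret's ca.crt`, or drop it and document on the `TiDBTLS` type that client authentication is not configurable. `Overlay` now depends on `IsMySQLTLSEnabled`, `IsBootstrapSQLEnabled` and `IsTokenBasedAuthEnabled` being nil-safe over the optional `Spec.Security` chain; their definitions are outside this diff, so that is worth a glance. The function body continues past the last hunk.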
@@ -43,7 +43,6 @@ type ReconcileContext struct { IsLeader bool PD *v1alpha1.PD - PDGroup *v1alpha1.PDGroup Peers []*v1alpha1.PD Cluster *v1alpha1.Cluster Pod *corev1.Pod @@ -142,19 +141,6 @@ func TaskContextInfoFromPD(ctx *ReconcileContext, cm pdm.PDClientManager) task.T func TaskContextPeers(ctx *ReconcileContext, c client.Client) task.Task { return task.NameTaskFunc("ContextPeers", func() task.Result { - // TODO: don't get pdg in pd task, move MountClusterClientSecret opt to pd spec - if len(ctx.PD.OwnerReferences) == 0 { - return task.Fail().With("pd instance has no owner, this should not happen") - } - var pdg v1alpha1.PDGroup - if err := c.Get(ctx, client.ObjectKey{ - Name: ctx.PD.OwnerReferences[0].Name, // only one owner now - Namespace: ctx.PD.Namespace, - }, &pdg); err != nil { - return task.Fail().With("cannot find pd group %s: %v", ctx.PD.OwnerReferences[0].Name, err) - } - ctx.PDGroup = &pdg - var pdl v1alpha1.PDList if err := c.List(ctx, &pdl, client.InNamespace(ctx.PD.Namespace), client.MatchingLabels{ v1alpha1.LabelKeyManagedBy: v1alpha1.LabelValManagedByOperator, diff --git a/pkg/controllers/pd/tasks/pod.go b/pkg/controllers/pd/tasks/pod.go index 6ab993ad93..922465e227 100644 --- a/pkg/controllers/pd/tasks/pod.go +++ b/pkg/controllers/pd/tasks/pod.go @@ -41,7 +41,7 @@ const ( func TaskPod(ctx *ReconcileContext, logger logr.Logger, c client.Client) task.Task { return task.NameTaskFunc("Pod", func() task.Result { - expected := newPod(ctx.Cluster, ctx.PDGroup, ctx.PD, ctx.ConfigHash) + expected := newPod(ctx.Cluster, ctx.PD, ctx.ConfigHash) if ctx.Pod == nil { // We have to refresh cache of members to make sure a pd without pod is unhealthy. // If the healthy info is out of date, the operator may mark this pd up-to-date unexpectedly 
@@ -63,7 +63,7 @@ func TaskPod(ctx *ReconcileContext, logger logr.Logger, c client.Client) task.Ta logger.Info("compare pod", "result", res, "configChanged", configChanged, "currentConfigHash", curHash, "expectConfigHash", expectHash) if res == k8s.CompareResultRecreate || - (configChanged && ctx.PDGroup.Spec.ConfigUpdateStrategy == v1alpha1.ConfigUpdateStrategyRollingUpdate) { + (configChanged && ctx.PD.Spec.UpdateStrategy.Config == v1alpha1.ConfigUpdateStrategyRestart) { // NOTE: both rtx.Healthy and rtx.Pod are not always newest // So pre delete check may also be skipped in some cases, for example, // the PD is just started. @@ -127,7 +127,7 @@ func preDeleteCheck( return false, nil } -func newPod(cluster *v1alpha1.Cluster, pdg *v1alpha1.PDGroup, pd *v1alpha1.PD, configHash string) *corev1.Pod { +func newPod(cluster *v1alpha1.Cluster, pd *v1alpha1.PD, configHash string) *corev1.Pod { vols := []corev1.Volume{ { Name: v1alpha1.VolumeNameConfig, @@ -182,22 +182,6 @@ func newPod(cluster *v1alpha1.Cluster, pdg *v1alpha1.PDGroup, pd *v1alpha1.PD, c MountPath: v1alpha1.PDClusterTLSMountPath, ReadOnly: true, }) - - if pdg.MountClusterClientSecret() { - vols = append(vols, corev1.Volume{ - Name: v1alpha1.ClusterTLSClientVolumeName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.ClusterClientTLSSecretName(), - }, - }, - }) - mounts = append(mounts, corev1.VolumeMount{ - Name: v1alpha1.ClusterTLSClientVolumeName, - MountPath: v1alpha1.ClusterTLSClientMountPath, - ReadOnly: true, - }) - } } anno := maputil.Copy(pd.GetAnnotations()) diff --git a/pkg/controllers/tidb/builder.go b/pkg/controllers/tidb/builder.go index 92ac3df954..8a4de8c949 100644 --- a/pkg/controllers/tidb/builder.go +++ b/pkg/controllers/tidb/builder.go 
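Review bot: The recreate condition in the `@@ -63` hunk compares `ctx.PD.Spec.UpdateStrategy.Config == v1alpha1.ConfigUpdateStrategyRestart`, so an unset strategy (the CRD in this patch only defaults `config` when the `updateStrategy` object itself is present) no longer restarts on a config change — the silent behaviour becomes the least safe one, a pod running with a config it never loaded. Inverting the test keeps `Restart` as the effective default for the empty value: `(configChanged && ctx.PD.Spec.UpdateStrategy.Config != v1alpha1.ConfigUpdateStrategyHotReload)`. The same comparison is repeated in the tidb, tiflash and tikv pod tasks of this patch. `TaskPod` continues past the hunk.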
@@ -46,7 +46,6 @@ func (r *Reconciler) NewRunner(reporter task.TaskReporter) task.TaskRunner[tasks ), // normal process - tasks.TaskContextTiDBGroup(r.Client), tasks.TaskContextInfoFromPDAndTiDB(r.Client), tasks.TaskFinalizerAdd(r.Client), tasks.NewTaskConfigMap(r.Logger, r.Client), diff --git a/pkg/controllers/tidb/tasks/cm.go b/pkg/controllers/tidb/tasks/cm.go index c570c498ca..6f881c78a7 100644 --- a/pkg/controllers/tidb/tasks/cm.go +++ b/pkg/controllers/tidb/tasks/cm.go @@ -51,7 +51,7 @@ func (t *TaskConfigMap) Sync(ctx task.Context[ReconcileContext]) task.Result { if err := decoder.Decode([]byte(rtx.TiDB.Spec.Config), &c); err != nil { return task.Fail().With("tidb config cannot be decoded: %w", err) } - if err := c.Overlay(rtx.Cluster, rtx.TiDBGroup, rtx.TiDB); err != nil { + if err := c.Overlay(rtx.Cluster, rtx.TiDB); err != nil { return task.Fail().With("cannot generate tidb config: %w", err) } rtx.GracefulWaitTimeInSeconds = int64(c.GracefulWaitBeforeShutdown) diff --git a/pkg/controllers/tidb/tasks/cm_test.go b/pkg/controllers/tidb/tasks/cm_test.go index 887e354fbc..98955ed7a2 100644 --- a/pkg/controllers/tidb/tasks/cm_test.go +++ b/pkg/controllers/tidb/tasks/cm_test.go @@ -80,7 +80,6 @@ func TestConfigMap(t *testing.T) { key types.NamespacedName objs []client.Object tidb *v1alpha1.TiDB - tidbGroup *v1alpha1.TiDBGroup cluster *v1alpha1.Cluster expected task.Result expectedCM *corev1.ConfigMap @@ -100,7 +99,6 @@ func TestConfigMap(t *testing.T) { fake.UID[v1alpha1.TiDB]("test-uid"), fake.Label[v1alpha1.TiDB](v1alpha1.LabelKeyInstanceRevisionHash, "foo"), ), - tidbGroup: fake.FakeObj[v1alpha1.TiDBGroup]("test-tidb-group"), cluster: fake.FakeObj("test-cluster", withStatusPDURL("http://test-pd.default:2379"), ), 
@@ -158,7 +156,6 @@ graceful-wait-before-shutdown = 60`), fake.UID[v1alpha1.TiDB]("test-uid"), fake.Label[v1alpha1.TiDB](v1alpha1.LabelKeyInstanceRevisionHash, "foo"), ), - tidbGroup: fake.FakeObj[v1alpha1.TiDBGroup]("test-tidb-group"), cluster: fake.FakeObj("test-cluster", withStatusPDURL("http://test-pd.default:2379"), ), @@ -204,16 +201,11 @@ slow-query-file = '/var/log/tidb/slowlog' t.Run(c.desc, func(tt *testing.T) { tt.Parallel() - c.tidb.OwnerReferences = []metav1.OwnerReference{ - *metav1.NewControllerRef(c.tidbGroup, v1alpha1.SchemeGroupVersion.WithKind("TiDBGroup")), - } - // append TiDB into store objs := c.objs objs = append(objs, c.tidb) ctx := FakeContext(c.key, WithTiDB(c.tidb)) - ctx.TiDBGroup = c.tidbGroup ctx.Cluster = c.cluster fc := client.NewFakeClient(objs...) tk := NewTaskConfigMap(logr.Discard(), fc) diff --git a/pkg/controllers/tidb/tasks/ctx.go b/pkg/controllers/tidb/tasks/ctx.go index 4b5da308a2..daae7aa937 100644 --- a/pkg/controllers/tidb/tasks/ctx.go +++ b/pkg/controllers/tidb/tasks/ctx.go @@ -48,10 +48,9 @@ type ReconcileContext struct { Healthy bool Suspended bool - Cluster *v1alpha1.Cluster - TiDB *v1alpha1.TiDB - TiDBGroup *v1alpha1.TiDBGroup // the owner of the tidb instance - Pod *corev1.Pod + Cluster *v1alpha1.Cluster + TiDB *v1alpha1.TiDB + Pod *corev1.Pod GracefulWaitTimeInSeconds int64 
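Review bot: After dropping `tidbGroup` from these cases, `TestConfigMap` still only exercises the plain path: none of the branches that `Overlay` now reads from `rtx.TiDB.Spec.Security` (MySQL TLS, bootstrap SQL, auth-token JWKS) has a case, so a regression in the moved accessors would pass this test unnoticed. A case that sets `Spec.Security = &v1alpha1.TiDBSecurity{TLS: &v1alpha1.TiDBTLS{MySQL: &v1alpha1.TLS{Enabled: true}}}` through the `fake` helpers and asserts the `ssl-ca`/`ssl-cert`/`ssl-key` lines under `[security]` in `expectedCM` would cover the security-relevant path cheaply. The test table and the `Run` loop extend beyond this hunk.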
@@ -153,26 +152,6 @@ func TaskContextInfoFromPDAndTiDB(c client.Client) task.Task[ReconcileContext] { }) } -func TaskContextTiDBGroup(c client.Client) task.Task[ReconcileContext] { - return task.NameTaskFunc("ContextTiDBGroup", func(ctx task.Context[ReconcileContext]) task.Result { - rtx := ctx.Self() - - if len(rtx.TiDB.OwnerReferences) == 0 { - return task.Fail().With("tidb instance has no owner, this should not happen") - } - - var tidbGroup v1alpha1.TiDBGroup - if err := c.Get(ctx, client.ObjectKey{ - Name: rtx.TiDB.OwnerReferences[0].Name, // only one owner now - Namespace: rtx.TiDB.Namespace, - }, &tidbGroup); err != nil { - return task.Fail().With("cannot find tidb group %s: %w", rtx.TiDB.OwnerReferences[0].Name, err) - } - rtx.TiDBGroup = &tidbGroup - return task.Complete().With("tidb group is set") - }) -} - func CondTiDBHasBeenDeleted() task.Condition[ReconcileContext] { return task.CondFunc[ReconcileContext](func(ctx task.Context[ReconcileContext]) bool { return ctx.Self().TiDB == nil diff --git a/pkg/controllers/tidb/tasks/pod.go b/pkg/controllers/tidb/tasks/pod.go index 1d3403f1ab..d0cef3b45e 100644 --- a/pkg/controllers/tidb/tasks/pod.go +++ b/pkg/controllers/tidb/tasks/pod.go @@ -78,7 +78,7 @@ func (*TaskPod) Name() string { func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { rtx := ctx.Self() - expected := t.newPod(rtx.Cluster, rtx.TiDBGroup, rtx.TiDB, rtx.GracefulWaitTimeInSeconds, rtx.ConfigHash) + expected := t.newPod(rtx.Cluster, rtx.TiDB, rtx.GracefulWaitTimeInSeconds, rtx.ConfigHash) if rtx.Pod == nil { if err := t.Client.Apply(rtx, expected); err != nil { return task.Fail().With("can't create pod of tidb: %w", err) 
@@ -94,7 +94,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { t.Logger.Info("compare pod", "result", res, "configChanged", configChanged, "currentConfigHash", curHash, "expectConfigHash", expectHash) if res == k8s.CompareResultRecreate || (configChanged && - rtx.TiDBGroup.Spec.ConfigUpdateStrategy == v1alpha1.ConfigUpdateStrategyRollingUpdate) { + rtx.TiDB.Spec.UpdateStrategy.Config == v1alpha1.ConfigUpdateStrategyRestart) { t.Logger.Info("will recreate the pod") if err := t.Client.Delete(rtx, rtx.Pod); err != nil { return task.Fail().With("can't delete pod of tidb: %w", err) @@ -114,7 +114,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { return task.Complete().With("pod is synced") } -func (*TaskPod) newPod(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, +func (*TaskPod) newPod(cluster *v1alpha1.Cluster, tidb *v1alpha1.TiDB, gracePeriod int64, configHash string, ) *corev1.Pod { vols := []corev1.Volume{ @@ -154,18 +154,18 @@ func (*TaskPod) newPod(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, }) } - if dbg.IsTLSClientEnabled() { + if tidb.IsMySQLTLSEnabled() { vols = append(vols, corev1.Volume{ - Name: v1alpha1.TiDBServerTLSVolumeName, + Name: v1alpha1.TiDBSQLTLSVolumeName, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: dbg.TiDBServerTLSSecretName(), + SecretName: tidb.MySQLTLSSecretName(), }, }, }) mounts = append(mounts, corev1.VolumeMount{ - Name: v1alpha1.TiDBServerTLSVolumeName, - MountPath: v1alpha1.TiDBServerTLSMountPath, + Name: v1alpha1.TiDBSQLTLSVolumeName, + MountPath: v1alpha1.TiDBSQLTLSMountPath, ReadOnly: true, }) } 
@@ -186,13 +186,13 @@ func (*TaskPod) newPod(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, }) } - if dbg.IsBootstrapSQLEnabled() { + if tidb.IsBootstrapSQLEnabled() { vols = append(vols, corev1.Volume{ Name: v1alpha1.BootstrapSQLVolumeName, VolumeSource: corev1.VolumeSource{ ConfigMap: &corev1.ConfigMapVolumeSource{ LocalObjectReference: corev1.LocalObjectReference{ - Name: *dbg.Spec.BootstrapSQLConfigMapName, + Name: tidb.Spec.Security.BootstrapSQL.Name, }, Items: []corev1.KeyToPath{ { @@ -210,12 +210,12 @@ func (*TaskPod) newPod(cluster *v1alpha1.Cluster, dbg *v1alpha1.TiDBGroup, }) } - if dbg.IsTokenBasedAuthEnabled() { + if tidb.IsTokenBasedAuthEnabled() { vols = append(vols, corev1.Volume{ Name: v1alpha1.TiDBAuthTokenVolumeName, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: dbg.TiDBAuthTokenJWKSSecretName(), + SecretName: tidb.AuthTokenJWKSSecretName(), }, }, }) diff --git a/pkg/controllers/tiflash/builder.go b/pkg/controllers/tiflash/builder.go index ade0c8851f..9cfa2d6297 100644 --- a/pkg/controllers/tiflash/builder.go +++ b/pkg/controllers/tiflash/builder.go @@ -47,7 +47,6 @@ func (r *Reconciler) NewRunner(reporter task.TaskReporter) task.TaskRunner[tasks ), // normal process - tasks.TaskContextTiFlashGroup(r.Client), tasks.TaskFinalizerAdd(r.Client), tasks.NewTaskConfigMap(r.Logger, r.Client), tasks.NewTaskPVC(r.Logger, r.Client, r.VolumeModifier), diff --git a/pkg/controllers/tiflash/tasks/ctx.go b/pkg/controllers/tiflash/tasks/ctx.go index d923f39f79..0cb1d26148 100644 --- a/pkg/controllers/tiflash/tasks/ctx.go +++ b/pkg/controllers/tiflash/tasks/ctx.go 
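Review bot: `Name: tidb.Spec.Security.BootstrapSQL.Name` in the `@@ -186` hunk is used without guarding against the empty string the CRD's `default: ""` allows; whether `tidb.IsBootstrapSQLEnabled()` (defined outside this diff) already rejects an empty name I cannot tell from here. If it only tests for a non-nil `BootstrapSQL`, a `bootstrapSQL: {}` in the spec yields a ConfigMap volume with an empty name and the pod is rejected by the API server instead of by validation; the accessor should require `Security != nil && Security.BootstrapSQL != nil && Security.BootstrapSQL.Name != ""`. The same applies to `tidb.AuthTokenJWKSSecretName()` in the next hunk if it now derives from `jwks.name`. `newPod` starts and ends outside these hunks.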
@@ -46,10 +46,9 @@ type ReconcileContext struct { StoreState string StoreLabels []*metapb.StoreLabel - Cluster *v1alpha1.Cluster - TiFlash *v1alpha1.TiFlash - TiFlashGroup *v1alpha1.TiFlashGroup - Pod *corev1.Pod + Cluster *v1alpha1.Cluster + TiFlash *v1alpha1.TiFlash + Pod *corev1.Pod // ConfigHash stores the hash of **user-specified** config (i.e.`.Spec.Config`), // which will be used to determine whether the config has changed. @@ -82,26 +81,6 @@ func TaskContextTiFlash(c client.Client) task.Task[ReconcileContext] { }) } -func TaskContextTiFlashGroup(c client.Client) task.Task[ReconcileContext] { - return task.NameTaskFunc("ContextTiFlashGroup", func(ctx task.Context[ReconcileContext]) task.Result { - rtx := ctx.Self() - - if len(rtx.TiFlash.OwnerReferences) == 0 { - return task.Fail().With("tiflash instance has no owner, this should not happen") - } - - var tiflashGroup v1alpha1.TiFlashGroup - if err := c.Get(ctx, client.ObjectKey{ - Name: rtx.TiFlash.OwnerReferences[0].Name, // only one owner now - Namespace: rtx.TiFlash.Namespace, - }, &tiflashGroup); err != nil { - return task.Fail().With("cannot find tiflash group %s: %w", rtx.TiFlash.OwnerReferences[0].Name, err) - } - rtx.TiFlashGroup = &tiflashGroup - return task.Complete().With("tiflash group is set") - }) -} - func CondTiFlashHasBeenDeleted() task.Condition[ReconcileContext] { return task.CondFunc[ReconcileContext](func(ctx task.Context[ReconcileContext]) bool { return ctx.Self().TiFlash == nil diff --git a/pkg/controllers/tiflash/tasks/pod.go b/pkg/controllers/tiflash/tasks/pod.go index 24e20e6a21..92c14ef408 100644 --- a/pkg/controllers/tiflash/tasks/pod.go +++ b/pkg/controllers/tiflash/tasks/pod.go 
@@ -65,7 +65,7 @@ func (*TaskPod) Name() string { func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { rtx := ctx.Self() - expected := t.newPod(rtx.Cluster, rtx.TiFlashGroup, rtx.TiFlash, rtx.ConfigHash) + expected := t.newPod(rtx.Cluster, rtx.TiFlash, rtx.ConfigHash) if rtx.Pod == nil { if err := t.Client.Apply(rtx, expected); err != nil { return task.Fail().With("can't apply pod of tiflash: %w", err) @@ -81,7 +81,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { t.Logger.Info("compare pod", "result", res, "configChanged", configChanged, "currentConfigHash", curHash, "expectConfigHash", expectHash) if res == k8s.CompareResultRecreate || (configChanged && - rtx.TiFlashGroup.Spec.ConfigUpdateStrategy == v1alpha1.ConfigUpdateStrategyRollingUpdate) { + rtx.TiFlash.Spec.UpdateStrategy.Config == v1alpha1.ConfigUpdateStrategyRestart) { t.Logger.Info("will recreate the pod") if err := t.Client.Delete(rtx, rtx.Pod); err != nil { return task.Fail().With("can't delete pod of tiflash: %w", err) @@ -100,7 +100,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { return task.Complete().With("pod is synced") } -func (*TaskPod) newPod(cluster *v1alpha1.Cluster, _ *v1alpha1.TiFlashGroup, tiflash *v1alpha1.TiFlash, configHash string) *corev1.Pod { +func (*TaskPod) newPod(cluster *v1alpha1.Cluster, tiflash *v1alpha1.TiFlash, configHash string) *corev1.Pod { vols := []corev1.Volume{ { Name: v1alpha1.VolumeNameConfig, diff --git a/pkg/controllers/tikv/builder.go b/pkg/controllers/tikv/builder.go index 49a5b00f32..8d8616641f 100644 --- a/pkg/controllers/tikv/builder.go +++ b/pkg/controllers/tikv/builder.go @@ -47,7 +47,6 @@ func (r *Reconciler) NewRunner(reporter task.TaskReporter) task.TaskRunner[tasks ), // normal process - tasks.TaskContextTiKVGroup(r.Client), tasks.TaskFinalizerAdd(r.Client), tasks.NewTaskConfigMap(r.Logger, r.Client), tasks.NewTaskPVC(r.Logger, r.Client, r.VolumeModifier), 
diff --git a/pkg/controllers/tikv/tasks/ctx.go b/pkg/controllers/tikv/tasks/ctx.go index 963e296d8a..3bb66282b6 100644 --- a/pkg/controllers/tikv/tasks/ctx.go +++ b/pkg/controllers/tikv/tasks/ctx.go @@ -46,10 +46,9 @@ type ReconcileContext struct { Suspended bool - Cluster *v1alpha1.Cluster - TiKV *v1alpha1.TiKV - TiKVGroup *v1alpha1.TiKVGroup - Pod *corev1.Pod + Cluster *v1alpha1.Cluster + TiKV *v1alpha1.TiKV + Pod *corev1.Pod Store *pdv1.Store @@ -158,26 +157,6 @@ func TaskContextPod(c client.Client) task.Task[ReconcileContext] { }) } -func TaskContextTiKVGroup(c client.Client) task.Task[ReconcileContext] { - return task.NameTaskFunc("ContextTiKVGroup", func(ctx task.Context[ReconcileContext]) task.Result { - rtx := ctx.Self() - - if len(rtx.TiKV.OwnerReferences) == 0 { - return task.Fail().With("tikv instance has no owner, this should not happen") - } - - var tikvGroup v1alpha1.TiKVGroup - if err := c.Get(ctx, client.ObjectKey{ - Name: rtx.TiKV.OwnerReferences[0].Name, // only one owner now - Namespace: rtx.TiKV.Namespace, - }, &tikvGroup); err != nil { - return task.Fail().With("cannot find tikv group %s: %w", rtx.TiKV.OwnerReferences[0].Name, err) - } - rtx.TiKVGroup = &tikvGroup - return task.Complete().With("tikv group is set") - }) -} - func CondTiKVHasBeenDeleted() task.Condition[ReconcileContext] { return task.CondFunc[ReconcileContext](func(ctx task.Context[ReconcileContext]) bool { return ctx.Self().TiKV == nil diff --git a/pkg/controllers/tikv/tasks/pod.go b/pkg/controllers/tikv/tasks/pod.go index 041e0875ba..4fa27d5d62 100644 --- a/pkg/controllers/tikv/tasks/pod.go +++ b/pkg/controllers/tikv/tasks/pod.go 
@@ -76,7 +76,7 @@ func (*TaskPod) Name() string { func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { rtx := ctx.Self() - expected := t.newPod(rtx.Cluster, rtx.TiKVGroup, rtx.TiKV, rtx.ConfigHash) + expected := t.newPod(rtx.Cluster, rtx.TiKV, rtx.ConfigHash) if rtx.Pod == nil { if err := t.Client.Apply(rtx, expected); err != nil { return task.Fail().With("can't apply pod of tikv: %w", err) @@ -106,7 +106,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { t.Logger.Info("compare pod", "result", res, "configChanged", configChanged, "currentConfigHash", curHash, "expectConfigHash", expectHash) if res == k8s.CompareResultRecreate || (configChanged && - rtx.TiKVGroup.Spec.ConfigUpdateStrategy == v1alpha1.ConfigUpdateStrategyRollingUpdate) { + rtx.TiKV.Spec.UpdateStrategy.Config == v1alpha1.ConfigUpdateStrategyRestart) { t.Logger.Info("will recreate the pod") regionCount := 0 if rtx.Store != nil { @@ -131,7 +131,7 @@ func (t *TaskPod) Sync(ctx task.Context[ReconcileContext]) task.Result { return task.Complete().With("pod is synced") } -func (t *TaskPod) newPod(cluster *v1alpha1.Cluster, kvg *v1alpha1.TiKVGroup, tikv *v1alpha1.TiKV, configHash string) *corev1.Pod { +func (t *TaskPod) newPod(cluster *v1alpha1.Cluster, tikv *v1alpha1.TiKV, configHash string) *corev1.Pod { vols := []corev1.Volume{ { Name: v1alpha1.VolumeNameConfig, 
@@ -196,22 +196,6 @@ func (t *TaskPod) newPod(cluster *v1alpha1.Cluster, kvg *v1alpha1.TiKVGroup, tik MountPath: v1alpha1.TiKVClusterTLSMountPath, ReadOnly: true, }) - - if kvg.MountClusterClientSecret() { - vols = append(vols, corev1.Volume{ - Name: v1alpha1.ClusterTLSClientVolumeName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.ClusterClientTLSSecretName(), - }, - }, - }) - mounts = append(mounts, corev1.VolumeMount{ - Name: v1alpha1.ClusterTLSClientVolumeName, - MountPath: v1alpha1.ClusterTLSClientMountPath, - ReadOnly: true, - }) - } } var preStopImage *string diff --git a/tests/e2e/cluster/cluster.go b/tests/e2e/cluster/cluster.go index b3d4389929..9a9b32291e 100644 --- a/tests/e2e/cluster/cluster.go +++ b/tests/e2e/cluster/cluster.go @@ -914,10 +914,10 @@ var _ = Describe("TiDB Cluster", func() { Expect(infos[4].name).To(Equal(infos[5].name)) }) - It("tikv: should not perform a rolling update when ConfigUpdateStrategy is InPlace", func() { + It("tikv: should not perform a rolling update when ConfigUpdateStrategy is HotReload", func() { pdg := data.NewPDGroup(ns.Name, "pdg", tc.Name, ptr.To(int32(1)), nil) kvg := data.NewTiKVGroup(ns.Name, "kvg", tc.Name, ptr.To(int32(3)), func(tk *v1alpha1.TiKVGroup) { - tk.Spec.ConfigUpdateStrategy = v1alpha1.ConfigUpdateStrategyInPlace + tk.Spec.Template.Spec.UpdateStrategy.Config = v1alpha1.ConfigUpdateStrategyHotReload }) dbg := data.NewTiDBGroup(ns.Name, "dbg", tc.Name, ptr.To(int32(1)), nil) Expect(k8sClient.Create(ctx, pdg)).To(Succeed()) 
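Review bot: The test name in the `@@ -914` hunk still says `when ConfigUpdateStrategy is HotReload` although the field it sets is now `Spec.Template.Spec.UpdateStrategy.Config`, so a failure report will point readers at a field that no longer exists. Rename it to `It("tikv: should not perform a rolling update when updateStrategy.config is HotReload", ...)`. The `It` body continues beyond the hunk.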
@@ -1258,14 +1258,16 @@ var _ = Describe("TiDB Cluster", func() { Expect(k8sClient.Update(ctx, &tcGet)).To(Succeed()) By("Creating the components with TLS client enabled") - pdg := data.NewPDGroup(ns.Name, "pdg", tc.Name, ptr.To(int32(1)), func(group *v1alpha1.PDGroup) { - group.Spec.MountClusterClientSecret = ptr.To(true) - }) - kvg := data.NewTiKVGroup(ns.Name, "kvg", tc.Name, ptr.To(int32(1)), func(group *v1alpha1.TiKVGroup) { - group.Spec.MountClusterClientSecret = ptr.To(true) - }) + pdg := data.NewPDGroup(ns.Name, "pdg", tc.Name, ptr.To(int32(1)), func(_ *v1alpha1.PDGroup) {}) + kvg := data.NewTiKVGroup(ns.Name, "kvg", tc.Name, ptr.To(int32(1)), func(_ *v1alpha1.TiKVGroup) {}) dbg := data.NewTiDBGroup(ns.Name, "dbg", tc.Name, ptr.To(int32(1)), func(group *v1alpha1.TiDBGroup) { - group.Spec.TLSClient = &v1alpha1.TiDBTLSClient{Enabled: true} + group.Spec.Template.Spec.Security = &v1alpha1.TiDBSecurity{ + TLS: &v1alpha1.TiDBTLS{ + MySQL: &v1alpha1.TLS{ + Enabled: true, + }, + }, + } }) flashg := data.NewTiFlashGroup(ns.Name, "flashg", tc.Name, ptr.To(int32(1)), nil) Expect(k8sClient.Create(ctx, pdg)).To(Succeed()) @@ -1303,7 +1305,7 @@ var _ = Describe("TiDB Cluster", func() { Name: fmt.Sprintf("%s%s-tls", v1alpha1.NamePrefix, componentName), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - // TODO: extract to a common utils + // TODO(liubo02): extract to a namer pkg SecretName: groupName + "-" + componentName + "-cluster-secret", //nolint:mnd // easy to understand DefaultMode: ptr.To(int32(420)), 
@@ -1317,38 +1319,22 @@ var _ = Describe("TiDB Cluster", func() {
 }))
 
 switch componentName {
- case v1alpha1.LabelValComponentPD, v1alpha1.LabelValComponentTiKV:
- // check for `mountClusterClientSecret`
- g.Expect(pod.Spec.Volumes).To(ContainElement(corev1.Volume{
- Name: v1alpha1.ClusterTLSClientVolumeName,
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: tc.ClusterClientTLSSecretName(),
- //nolint:mnd // easy to understand
- DefaultMode: ptr.To(int32(420)),
- },
- },
- }))
- g.Expect(pod.Spec.Containers[0].VolumeMounts).To(ContainElement(corev1.VolumeMount{
- Name: v1alpha1.ClusterTLSClientVolumeName,
- MountPath: v1alpha1.ClusterTLSClientMountPath,
- ReadOnly: true,
- }))
 case v1alpha1.LabelValComponentTiDB:
 // check for TiDB server & mysql client TLS
 g.Expect(pod.Spec.Volumes).To(ContainElement(corev1.Volume{
- Name: v1alpha1.TiDBServerTLSVolumeName,
+ Name: v1alpha1.TiDBSQLTLSVolumeName,
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: dbg.TiDBServerTLSSecretName(),
+ // TODO(liubo02): extract to a namer pkg
+ SecretName: dbg.Name + "-tidb-server-secret",
 //nolint:mnd // easy to understand
 DefaultMode: ptr.To(int32(420)),
 },
 },
 }))
 g.Expect(pod.Spec.Containers[0].VolumeMounts).To(ContainElement(corev1.VolumeMount{
- Name: v1alpha1.TiDBServerTLSVolumeName,
- MountPath: v1alpha1.TiDBServerTLSMountPath,
+ Name: v1alpha1.TiDBSQLTLSVolumeName,
+ MountPath: v1alpha1.TiDBSQLTLSMountPath,
 ReadOnly: true,
 }))
 }
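Review bot: The TiDB secret names are now spelled out as string literals — `dbg.Name + "-tidb-server-secret"` here and `dbg.Name+"-tidb-client-secret"` in the -1359 and -1486 hunks — so one naming rule is written three times in this file and can drift independently until the namer package the TODO mentions exists; a single local helper near the top of the test, e.g. `tidbSecretName := func(kind string) string { return dbg.Name + "-tidb-" + kind + "-secret" }`, called as `tidbSecretName("server")` and `tidbSecretName("client")`, keeps them together in the meantime. The PD/TiKV case was deleted rather than inverted, so nothing now asserts that those pods stopped mounting the cluster client secret, which is exactly what the tikv `newPod` hunk in this commit changes; if `v1alpha1.ClusterTLSClientVolumeName` still exists after this commit, a `g.Expect(pod.Spec.Volumes).NotTo(ContainElement(...))` on that volume name for PD and TiKV would pin the least-privilege behaviour. With one remaining case the `switch componentName {` reads more naturally as `if componentName == v1alpha1.LabelValComponentTiDB {`. The enclosing closure (`checkComponent`, judging by the -1359 hunk) starts and ends outside the hunk.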
@@ -1359,8 +1345,9 @@ var _ = Describe("TiDB Cluster", func() {
 checkComponent(dbg.Name, v1alpha1.LabelValComponentTiDB, dbg.Spec.Replicas)
 checkComponent(flashg.Name, v1alpha1.LabelValComponentTiFlash, flashg.Spec.Replicas)
 
+ // TODO(liubo02): extract to a common namer pkg
 g.Expect(utiltidb.IsTiDBConnectable(ctx, k8sClient, fw,
- tc.Namespace, tc.Name, dbg.Name, "root", "", dbg.TiDBClientTLSSecretName())).To(Succeed())
+ tc.Namespace, tc.Name, dbg.Name, "root", "", dbg.Name+"-tidb-client-secret")).To(Succeed())
 }).WithTimeout(createClusterTimeout).WithPolling(createClusterPolling).Should(Succeed())
 
 // TODO: version upgrade test
@@ -1385,7 +1372,11 @@ var _ = Describe("TiDB Cluster", func() {
 pdg := data.NewPDGroup(ns.Name, "pdg", tc.Name, ptr.To(int32(1)), nil)
 kvg := data.NewTiKVGroup(ns.Name, "kvg", tc.Name, ptr.To(int32(1)), nil)
 dbg := data.NewTiDBGroup(ns.Name, "dbg", tc.Name, ptr.To(int32(1)), func(group *v1alpha1.TiDBGroup) {
- group.Spec.BootstrapSQLConfigMapName = &bsqlCm.Name
+ group.Spec.Template.Spec.Security = &v1alpha1.TiDBSecurity{
+ BootstrapSQL: &corev1.LocalObjectReference{
+ Name: bsqlCm.Name,
+ },
+ }
 })
 Expect(k8sClient.Create(ctx, pdg)).To(Succeed())
 Expect(k8sClient.Create(ctx, kvg)).To(Succeed())
@@ -1449,15 +1440,25 @@ GRANT ALL PRIVILEGES ON *.* TO '%s'@'%s';`, sub, iss, email, sub, "%"),
 pdg := data.NewPDGroup(ns.Name, "pdg", tc.Name, ptr.To(int32(1)), nil)
 kvg := data.NewTiKVGroup(ns.Name, "kvg", tc.Name, ptr.To(int32(1)), nil)
 dbg := data.NewTiDBGroup(ns.Name, "dbg", tc.Name, ptr.To(int32(1)), func(group *v1alpha1.TiDBGroup) {
- group.Spec.TLSClient = &v1alpha1.TiDBTLSClient{Enabled: true}
- group.Spec.BootstrapSQLConfigMapName = &bsqlCm.Name
- group.Spec.TiDBAuthToken = &v1alpha1.TiDBAuthToken{
- Enabled: true,
+ group.Spec.Template.Spec.Security = &v1alpha1.TiDBSecurity{
+ TLS: &v1alpha1.TiDBTLS{
+ MySQL: &v1alpha1.TLS{
+ Enabled: true,
+ },
+ },
+ BootstrapSQL: &corev1.LocalObjectReference{
+ Name: bsqlCm.Name,
+ },
+ AuthToken: &v1alpha1.TiDBAuthToken{
+ JWKs: corev1.LocalObjectReference{
+ Name: "jwks-secret",
+ },
+ },
 }
 })
 
 By("Creating the JWKS secret")
- jwksSecret := jwt.GenerateJWKSSecret(dbg.Namespace, dbg.TiDBAuthTokenJWKSSecretName())
+ jwksSecret := jwt.GenerateJWKSSecret(dbg.Namespace, "jwks-secret")
 Expect(k8sClient.Create(ctx, &jwksSecret)).To(Succeed())
 
 By("Creating the ConfigMap with a user created by Bootstrap SQL")
@@ -1486,8 +1487,9 @@ GRANT ALL PRIVILEGES ON *.* TO '%s'@'%s';`, sub, iss, email, sub, "%"),
 []*v1alpha1.TiKVGroup{kvg}, []*v1alpha1.TiDBGroup{dbg}, nil)).To(Succeed())
 
 // connect with the JWT token
+ // TODO(liubo02): extract to common namer pkg
 g.Expect(utiltidb.IsTiDBConnectable(ctx, k8sClient, fw,
- tc.Namespace, tc.Name, dbg.Name, sub, token, dbg.TiDBClientTLSSecretName())).To(Succeed())
+ tc.Namespace, tc.Name, dbg.Name, sub, token, dbg.Name+"-tidb-client-secret")).To(Succeed())
 }).WithTimeout(createClusterTimeout).WithPolling(createClusterPolling).Should(Succeed())
 })
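Review bot: `"jwks-secret"` is written twice in this hunk — once in `AuthToken.JWKs` and once in the `jwt.GenerateJWKSSecret` call — with nothing tying the two together, so a typo in either silently produces a cluster whose TiDB points at a Secret the test never created; hoisting it, e.g. `const jwksSecretName = "jwks-secret"` above the `dbg := ...` line and using it in both places, removes that failure mode. The old `Enabled: true` has no counterpart in the new `TiDBAuthToken` literal, so presumably a non-nil `AuthToken` is what switches JWT auth on; a one-line comment at the `AuthToken:` line such as `// a non-nil AuthToken enables JWT auth; JWKs names the Secret holding the key set` would save the next reader a trip to the API types (worth confirming against the type's doc comment). The enclosing `It` starts and ends outside the hunk.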