feat: support mtls for discovery (#6781)

Author: liubog2008

cmd/discovery/main.go

@@ -93,6 +93,7 @@ func main() {
 	if tlsEnabled == strconv.FormatBool(true) {
 		tcTls = true
 	}
+	discoveryMTLS := os.Getenv("DISCOVERY_MTLS_ENABLED") == strconv.FormatBool(true)
 	// informers
 	options := []kubeinformers.SharedInformerOption{
 		kubeinformers.WithNamespace(os.Getenv("MY_POD_NAMESPACE")),
@@ -113,7 +114,16 @@ func main() {
 		klog.Infof("starting TiDB Discovery server, listening on %s", addr)
 		lister := kubeInformerFactory.Core().V1().Secrets().Lister()
 		discoveryServer := server.NewServer(pdapi.NewDefaultPDControl(lister), dmapi.NewDefaultMasterControl(lister), cli, kubeCli)
-		discoveryServer.ListenAndServe(addr)
+		if discoveryMTLS {
+			klog.Infof("mTLS enabled for discovery server")
+			discoveryServer.ListenAndServeTLS(addr,
+				"/var/lib/discovery-tls/tls.crt",
+				"/var/lib/discovery-tls/tls.key",
+				"/var/lib/discovery-tls/ca.crt",
+			)
+		} else {
+			discoveryServer.ListenAndServe(addr)
+		}
 	}, 5*time.Second)
 	go wait.Forever(func() {
 		addr := fmt.Sprintf("0.0.0.0:%d", proxyPort)

docs/api-references/docs.md

@@ -17020,6 +17020,23 @@ For Client: kubectl create secret generic <clusterName>-cluster-client-secret &n
 Same for other components.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>enableDiscoveryMTLS</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>EnableDiscoveryMTLS indicates whether to enable mutual TLS on the discovery server (port 10261).
+When enabled, the discovery server presents its own certificate, and all components must present
+a client certificate when calling the discovery service.
+A single secret named <clusterName>-discovery-cluster-secret must be created containing ca.crt,
+tls.crt and tls.key, and will be mounted to both the discovery server pod and all component pods.
+This field only takes effect when Enabled is true.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tlsconfig">TLSConfig</h3>

manifests/crd.yaml

@@ -19118,6 +19118,8 @@ spec:
                 type: array
               tlsCluster:
                 properties:
+                  enableDiscoveryMTLS:
+                    type: boolean
                   enabled:
                     type: boolean
                 type: object
@@ -58528,6 +58530,8 @@ spec:
                 type: object
               tlsCluster:
                 properties:
+                  enableDiscoveryMTLS:
+                    type: boolean
                   enabled:
                     type: boolean
                 type: object

manifests/crd/v1/pingcap.com_dmclusters.yaml

@@ -6321,6 +6321,8 @@ spec:
                 type: array
               tlsCluster:
                 properties:
+                  enableDiscoveryMTLS:
+                    type: boolean
                   enabled:
                     type: boolean
                 type: object

manifests/crd/v1/pingcap.com_tidbclusters.yaml

@@ -32874,6 +32874,8 @@ spec:
                 type: object
               tlsCluster:
                 properties:
+                  enableDiscoveryMTLS:
+                    type: boolean
                   enabled:
                     type: boolean
                 type: object

pkg/apis/pingcap/v1alpha1/tidbcluster.go

@@ -1135,6 +1135,10 @@ func (tc *TidbCluster) IsTLSClusterEnabled() bool {
 	return tc.Spec.TLSCluster != nil && tc.Spec.TLSCluster.Enabled
 }
 
+func (tc *TidbCluster) IsDiscoveryMTLSEnabled() bool {
+	return tc.IsTLSClusterEnabled() && tc.Spec.TLSCluster.EnableDiscoveryMTLS
+}
+
 func (tc *TidbCluster) IsRecoveryMode() bool {
 	return tc.Spec.RecoveryMode
 }

pkg/apis/pingcap/v1alpha1/types.go

@@ -2212,6 +2212,15 @@ type TLSCluster struct {
 	//        Same for other components.
 	// +optional
 	Enabled bool `json:"enabled,omitempty"`
+
+	// EnableDiscoveryMTLS indicates whether to enable mutual TLS on the discovery server (port 10261).
+	// When enabled, the discovery server presents its own certificate, and all components must present
+	// a client certificate when calling the discovery service.
+	// A single secret named <clusterName>-discovery-cluster-secret must be created containing ca.crt,
+	// tls.crt and tls.key, and will be mounted to both the discovery server pod and all component pods.
+	// This field only takes effect when Enabled is true.
+	// +optional
+	EnableDiscoveryMTLS bool `json:"enableDiscoveryMTLS,omitempty"`
 }
 
 // +genclient

pkg/controller/tidbcluster/pod_control_test.go

@@ -93,13 +93,9 @@ func TestTiKVPodSyncForEviction(t *testing.T) {
 	})
 
 	stop := make(chan struct{})
-	go func() {
-		deps.KubeInformerFactory.Start(stop)
-	}()
+	deps.KubeInformerFactory.Start(stop)
 	deps.KubeInformerFactory.WaitForCacheSync(stop)
-	go func() {
-		deps.InformerFactory.Start(stop)
-	}()
+	deps.InformerFactory.Start(stop)
 	deps.InformerFactory.WaitForCacheSync(stop)
 
 	defer close(stop)
@@ -577,13 +573,9 @@ func TestPDPodSyncForLeaderTransfer(t *testing.T) {
 			podController.testPDClient = pdClient
 
 			stop := make(chan struct{})
-			go func() {
-				deps.KubeInformerFactory.Start(stop)
-			}()
+			deps.KubeInformerFactory.Start(stop)
 			deps.KubeInformerFactory.WaitForCacheSync(stop)
-			go func() {
-				deps.InformerFactory.Start(stop)
-			}()
+			deps.InformerFactory.Start(stop)
 			deps.InformerFactory.WaitForCacheSync(stop)
 
 			defer close(stop)
@@ -753,13 +745,9 @@ func TestTiDBPodSyncForGracefulShutdown(t *testing.T) {
 			podController := NewPodController(deps)
 
 			stop := make(chan struct{})
-			go func() {
-				deps.KubeInformerFactory.Start(stop)
-			}()
+			deps.KubeInformerFactory.Start(stop)
 			deps.KubeInformerFactory.WaitForCacheSync(stop)
-			go func() {
-				deps.InformerFactory.Start(stop)
-			}()
+			deps.InformerFactory.Start(stop)
 			deps.InformerFactory.WaitForCacheSync(stop)
 
 			defer close(stop)

pkg/discovery/server/interface.go

@@ -15,4 +15,5 @@ package server
 
 type Server interface {
 	ListenAndServe(addr string)
+	ListenAndServeTLS(addr, certFile, keyFile, caFile string)
 }

pkg/discovery/server/proxy.go

@@ -101,3 +101,7 @@ func (p *proxyServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 func (p *proxyServer) ListenAndServe(addr string) {
 	klog.Fatal(http.ListenAndServe(addr, p))
 }
+
+func (p *proxyServer) ListenAndServeTLS(addr, certFile, keyFile, caFile string) {
+	klog.Fatal("proxy server does not support mTLS")
+}