*: add TLS config and cert reload for starter mode

ChangRui-Ryan · ChangRui-Ryan · commit 68610cb78583 · 2026-05-11T14:11:27.000+08:00
diff --git a/cmd/tidb-server/main.go b/cmd/tidb-server/main.go
@@ -127,6 +127,12 @@ const (
 	nmRepairMode       = "repair-mode"
 	nmRepairList       = "repair-list"
 	nmTempDir          = "temp-dir"
+	nmClusterCa        = "cluster-ca"
+	nmClusterCert      = "cluster-cert"
+	nmClusterKey       = "cluster-key"
+	nmSQLCA            = "sql-ca"
+	nmSQLCert          = "sql-cert"
+	nmSQLKey           = "sql-key"
 
 	nmRedact = "redact"
 
@@ -177,6 +183,12 @@ var (
 	repairMode       *bool
 	repairList       *string
 	tempDir          *string
+	clusterCA        *string
+	clusterCert      *string
+	clusterKey       *string
+	sqlCA            *string
+	sqlCert          *string
+	sqlKey           *string
 
 	// Log
 	logLevel     *string
@@ -238,6 +250,12 @@ func initFlagSet() *flag.FlagSet {
 	repairMode = flagBoolean(fset, nmRepairMode, false, "enable admin repair mode")
 	repairList = fset.String(nmRepairList, "", "admin repair table list")
 	tempDir = fset.String(nmTempDir, config.DefTempDir, "tidb temporary directory")
+	clusterCA = fset.String(nmClusterCa, "", "cluster CA file path")
+	clusterCert = fset.String(nmClusterCert, "", "cluster cert file path")
+	clusterKey = fset.String(nmClusterKey, "", "cluster key file path")
+	sqlCA = fset.String(nmSQLCA, "", "SQL CA file path")
+	sqlCert = fset.String(nmSQLCert, "", "SQL cert file path")
+	sqlKey = fset.String(nmSQLKey, "", "SQL key file path")
 
 	// Log
 	logLevel = fset.String(nmLogLevel, "info", "log level: info, debug, warn, error, fatal")
@@ -304,6 +322,8 @@ func main() {
 	config.InitializeConfig(*configPath, *configCheck, *configStrict, overrideConfig, fset)
 	if kerneltype.IsNextGen() {
 		terror.MustNil(initDeployMode(config.GetGlobalConfig()))
+		terror.MustNil(config.GetGlobalConfig().AdjustStarterConfig(deploymode.IsStarter()))
+		config.StoreGlobalConfig(config.GetGlobalConfig())
 	}
 	if *version {
 		mustInitVersions()
@@ -683,6 +703,29 @@ func overrideConfig(cfg *config.Config, fset *flag.FlagSet) {
 	if actualFlags[nmTempDir] {
 		cfg.TempDir = *tempDir
 	}
+	if cfg.DeployMode == deploymode.Starter {
+		if actualFlags[nmClusterCa] {
+			if *clusterCA != "" && (*clusterCert == "" || *clusterKey == "") {
+				err = fmt.Errorf("cluster-ca requires both cluster-cert and cluster-key")
+				terror.MustNil(err)
+			}
+
+			cfg.Security.ClusterSSLCA = *clusterCA
+			cfg.Security.ClusterSSLCert = *clusterCert
+			cfg.Security.ClusterSSLKey = *clusterKey
+		}
+
+		if actualFlags[nmSQLCA] {
+			if *sqlCA != "" && (*sqlCert == "" || *sqlKey == "") {
+				err = fmt.Errorf("sql-ca requires both sql-cert and sql-key")
+				terror.MustNil(err)
+			}
+
+			cfg.Security.SSLCA = *sqlCA
+			cfg.Security.SSLCert = *sqlCert
+			cfg.Security.SSLKey = *sqlKey
+		}
+	}
 
 	// Log
 	if actualFlags[nmLogLevel] {
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -107,6 +107,22 @@ const (
 	DefAuthTokenRefreshInterval = time.Hour
 	// EnvVarKeyspaceName is the system env name for keyspace name.
 	EnvVarKeyspaceName = "KEYSPACE_NAME"
+	// EnvClusterCA is the system env name for cluster CA path.
+	EnvClusterCA = "CLUSTER_CA"
+	// EnvClusterCert is the system env name for cluster cert path.
+	EnvClusterCert = "CLUSTER_CERT"
+	// EnvClusterKey is the system env name for cluster key path.
+	EnvClusterKey = "CLUSTER_KEY"
+	// EnvSQLCA is the system env name for SQL CA path.
+	EnvSQLCA = "SQL_CA"
+	// EnvSQLCert is the system env name for SQL cert path.
+	EnvSQLCert = "SQL_CERT"
+	// EnvSQLKey is the system env name for SQL key path.
+	EnvSQLKey = "SQL_KEY"
+	// EnvPodIP is the system env name for pod IP.
+	EnvPodIP = "POD_IP"
+	// EnvNamespace is the system env name for namespace.
+	EnvNamespace = "NAMESPACE"
 	// MaxTokenLimit is the max token limit value.
 	MaxTokenLimit  = 1024 * 1024
 	DefSchemaLease = 45 * time.Second
@@ -203,6 +219,8 @@ type Config struct {
 	DeployMode                 deploymode.Mode         `toml:"deploy-mode" json:"deploy-mode"`
 	KeyspaceName               string                  `toml:"keyspace-name" json:"keyspace-name"`
 	TiKVWorkerURL              string                  `toml:"tikv-worker-url" json:"tikv-worker-url"`
+	TiKVAPIServiceAddr         string                  `toml:"tikv-api-service-addr" json:"tikv-api-service-addr"`
+	TiDBWorker                 tidbWorkerConfig        `toml:"tidb-worker" json:"tidb-worker"`
 	Log                        Log                     `toml:"log" json:"log"`
 	Instance                   Instance                `toml:"instance" json:"instance"`
 	Security                   Security                `toml:"security" json:"security"`
@@ -333,6 +351,10 @@ type Config struct {
 	MeteringStorageURI string `toml:"metering-storage-uri" json:"metering-storage-uri"`
 }
 
+type tidbWorkerConfig struct {
+	APIServerAddr string `toml:"api-server-addr" json:"api-server-addr"`
+}
+
 // RUV2Config is the configuration for RU v2 weight calculation.
 // The default values are experimentally fitted so they stay stable under the
 // same workload while remaining numerically aligned with RU v1.
@@ -1344,13 +1366,90 @@ func InitializeConfig(confPath string, configCheck, configStrict bool, enforceCm
 		fmt.Fprintln(os.Stderr, "invalid config", err)
 		os.Exit(1)
 	}
+	if err := cfg.AdjustStarterConfig(cfg.DeployMode == deploymode.Starter); err != nil {
+		fmt.Fprintln(os.Stderr, "invalid security env vars", err)
+		os.Exit(1)
+	}
 	if configCheck {
 		fmt.Println("config check successful")
 		os.Exit(0)
 	}
 	StoreGlobalConfig(cfg)
 }
 
+// AdjustStarterConfig applies starter-only security and service-address overrides.
+func (c *Config) AdjustStarterConfig(isStarter bool) error {
+	if !isStarter {
+		return nil
+	}
+	if err := c.adjustSecurityConfig(); err != nil {
+		return err
+	}
+	c.adjustServiceAddr()
+	return nil
+}
+
+func trimScheme(addr string) string {
+	addr = strings.TrimPrefix(addr, "http://")
+	addr = strings.TrimPrefix(addr, "https://")
+	return addr
+}
+
+func (c *Config) adjustServiceAddr() {
+	scheme := "http://"
+	if len(c.Security.ClusterSSLCA) > 0 {
+		scheme = "https://"
+	}
+	if len(c.TiKVAPIServiceAddr) > 0 {
+		c.TiKVAPIServiceAddr = scheme + trimScheme(c.TiKVAPIServiceAddr)
+	}
+	if len(c.TiDBWorker.APIServerAddr) > 0 {
+		c.TiDBWorker.APIServerAddr = scheme + trimScheme(c.TiDBWorker.APIServerAddr)
+	}
+}
+
+func (c *Config) adjustSecurityConfig() error {
+	clusterCAPath := os.Getenv(EnvClusterCA)
+	clusterCertPath := os.Getenv(EnvClusterCert)
+	clusterKeyPath := os.Getenv(EnvClusterKey)
+	if len(clusterCAPath) > 0 && (len(clusterCertPath) == 0 || len(clusterKeyPath) == 0) {
+		return errors.New("both CLUSTER_CERT and CLUSTER_KEY must be set when CLUSTER_CA is set")
+	}
+	if len(clusterCAPath) > 0 {
+		c.Security.ClusterSSLCA = clusterCAPath
+		c.Security.ClusterSSLCert = clusterCertPath
+		c.Security.ClusterSSLKey = clusterKeyPath
+	}
+
+	sqlCAPath := os.Getenv(EnvSQLCA)
+	sqlCertPath := os.Getenv(EnvSQLCert)
+	sqlKeyPath := os.Getenv(EnvSQLKey)
+	if len(sqlCAPath) > 0 && (len(sqlCertPath) == 0 || len(sqlKeyPath) == 0) {
+		return errors.New("both SQL_CERT and SQL_KEY must be set when SQL_CA is set")
+	}
+	if len(sqlCAPath) > 0 {
+		c.Security.SSLCA = sqlCAPath
+		c.Security.SSLCert = sqlCertPath
+		c.Security.SSLKey = sqlKeyPath
+	}
+
+	podIP := os.Getenv(EnvPodIP)
+	namespace := os.Getenv(EnvNamespace)
+	if len(podIP) > 0 && len(namespace) > 0 {
+		c.AdvertiseAddress = podDNSName(podIP, namespace)
+	}
+
+	return nil
+}
+
+func podDNSName(podIP string, namespace string) string {
+	return fmt.Sprintf(
+		"%s.%s.pod.cluster.local",
+		strings.ReplaceAll(podIP, ".", "-"),
+		namespace,
+	)
+}
+
 // RemovedVariableCheck checks if the config file contains any items
 // which have been removed. These will not take effect any more.
 func (c *Config) RemovedVariableCheck(confFile string) error {
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -1053,6 +1053,9 @@ func TestDeployModeConfig(t *testing.T) {
 	conf := NewConfig()
 	require.Equal(t, deploymode.Premium, conf.DeployMode)
 	require.NoError(t, conf.Valid())
+	conf.DeployMode = deploymode.Mode(100)
+	require.ErrorContains(t, conf.Valid(), "invalid deploy-mode")
+	conf.DeployMode = deploymode.Premium
 
 	storeDir := t.TempDir()
 	configFile := filepath.Join(storeDir, "config.toml")
@@ -1080,6 +1083,26 @@ func TestDeployModeConfig(t *testing.T) {
 	require.NoError(t, conf.Load(configFile))
 	require.Equal(t, deploymode.Starter, conf.DeployMode)
 	require.NoError(t, conf.Valid())
+	conf.TiKVAPIServiceAddr = "tikv-api.internal:20170"
+	conf.TiDBWorker.APIServerAddr = "tidb-worker.internal:10280"
+	t.Setenv(EnvClusterCA, "/tmp/cluster-ca.pem")
+	t.Setenv(EnvClusterCert, "/tmp/cluster-cert.pem")
+	t.Setenv(EnvClusterKey, "/tmp/cluster-key.pem")
+	t.Setenv(EnvSQLCA, "/tmp/sql-ca.pem")
+	t.Setenv(EnvSQLCert, "/tmp/sql-cert.pem")
+	t.Setenv(EnvSQLKey, "/tmp/sql-key.pem")
+	t.Setenv(EnvPodIP, "10.10.1.2")
+	t.Setenv(EnvNamespace, "tidb")
+	require.NoError(t, conf.AdjustStarterConfig(true))
+	require.Equal(t, "10-10-1-2.tidb.pod.cluster.local", conf.AdvertiseAddress)
+	require.Equal(t, "/tmp/cluster-ca.pem", conf.Security.ClusterSSLCA)
+	require.Equal(t, "/tmp/cluster-cert.pem", conf.Security.ClusterSSLCert)
+	require.Equal(t, "/tmp/cluster-key.pem", conf.Security.ClusterSSLKey)
+	require.Equal(t, "/tmp/sql-ca.pem", conf.Security.SSLCA)
+	require.Equal(t, "/tmp/sql-cert.pem", conf.Security.SSLCert)
+	require.Equal(t, "/tmp/sql-key.pem", conf.Security.SSLKey)
+	require.Equal(t, "https://tikv-api.internal:20170", conf.TiKVAPIServiceAddr)
+	require.Equal(t, "https://tidb-worker.internal:10280", conf.TiDBWorker.APIServerAddr)
 
 	require.NoError(t, os.WriteFile(configFile, []byte(`deploy-mode = "unknown"`), 0644))
 	conf = NewConfig()
diff --git a/pkg/server/stat.go b/pkg/server/stat.go
@@ -53,7 +53,21 @@ func (s *Server) Stats(_ *variable.SessionVars) (map[string]any, error) {
 
 	tlsConfig := s.GetTLSConfig()
 	if tlsConfig != nil {
-		if len(tlsConfig.Certificates) == 1 {
+		if tlsConfig.GetCertificate != nil {
+			certs, err := tlsConfig.GetCertificate(nil)
+			if err != nil {
+				logutil.BgLogger().Error("Failed to get TLS certificates while acquiring server status", zap.Error(err))
+			}
+			if certs != nil && len(certs.Certificate) > 0 {
+				pc, err := x509.ParseCertificate(certs.Certificate[0])
+				if err != nil {
+					logutil.BgLogger().Error("Failed to parse TLS certificates to get server status", zap.Error(err))
+				} else {
+					m[serverNotAfter] = pc.NotAfter.Format("Jan _2 15:04:05 2006 MST")
+					m[serverNotBefore] = pc.NotBefore.Format("Jan _2 15:04:05 2006 MST")
+				}
+			}
+		} else if len(tlsConfig.Certificates) == 1 {
 			pc, err := x509.ParseCertificate(tlsConfig.Certificates[0].Certificate[0])
 			if err != nil {
 				logutil.BgLogger().Error("Failed to parse TLS certficates to get server status", zap.Error(err))
diff --git a/pkg/server/tests/tls/tls_test.go b/pkg/server/tests/tls/tls_test.go
@@ -461,7 +461,9 @@ func TestReloadTLS(t *testing.T) {
 
 	// try reload a valid cert.
 	tlsCfg := server.GetTLSConfig()
-	cert, err := x509.ParseCertificate(tlsCfg.Certificates[0].Certificate[0])
+	tlsCert, err := tlsCfg.GetCertificate(nil)
+	require.NoError(t, err)
+	cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
 	require.NoError(t, err)
 	oldExpireTime := cert.NotAfter
 	_, _, err = generateCert(1, "tidb-server", caCert, caKey, "/tmp/server-key-reload2.pem", "/tmp/server-cert-reload2.pem", func(c *x509.Certificate) {
@@ -485,7 +487,9 @@ func TestReloadTLS(t *testing.T) {
 	require.NoError(t, err)
 
 	tlsCfg = server.GetTLSConfig()
-	cert, err = x509.ParseCertificate(tlsCfg.Certificates[0].Certificate[0])
+	tlsCert, err = tlsCfg.GetCertificate(nil)
+	require.NoError(t, err)
+	cert, err = x509.ParseCertificate(tlsCert.Certificate[0])
 	require.NoError(t, err)
 	newExpireTime := cert.NotAfter
 	require.True(t, newExpireTime.After(oldExpireTime))
diff --git a/pkg/util/misc.go b/pkg/util/misc.go
@@ -35,6 +35,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/pingcap/errors"
@@ -399,13 +400,14 @@ func LoadTLSCertificates(ca, key, cert string, autoTLS bool, rsaKeySize int) (tl
 		}
 	}
 
-	var tlsCert tls.Certificate
-	tlsCert, err = tls.LoadX509KeyPair(cert, key)
+	certs, err := tls.LoadX509KeyPair(cert, key)
 	if err != nil {
 		logutil.BgLogger().Warn("load x509 failed", zap.Error(err))
 		err = errors.Trace(err)
 		return
 	}
+	cs := &atomic.Pointer[tls.Certificate]{}
+	cs.Store(&certs)
 
 	requireTLS := tlsutil.RequireSecureTransport.Load()
 
@@ -467,12 +469,24 @@ func LoadTLSCertificates(ca, key, cert string, autoTLS bool, rsaKeySize int) (tl
 
 	/* #nosec G402 */
 	tlsConfig = &tls.Config{
-		Certificates: []tls.Certificate{tlsCert},
 		ClientCAs:    certPool,
 		ClientAuth:   clientAuthPolicy,
 		MinVersion:   minTLSVersion,
 		CipherSuites: cipherSuites,
 	}
+	tlsConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+		certs, err := tls.LoadX509KeyPair(cert, key)
+		if err != nil {
+			logutil.BgLogger().Warn("could not load server certificate, using the old one", zap.Error(err))
+			if old := cs.Load(); old != nil {
+				return old, nil
+			}
+			return nil, nil
+		}
+		newCerts := &certs
+		cs.Store(newCerts)
+		return newCerts, nil
+	}
 	return
 }
 
