Feature Request
Is your feature request related to a problem? Please describe:
When using the built-in TLS function of TiUP (#673), it always issues self-signed certificates with a newly generated CA. Many corporations already have their internal PKI, whose CA is pre-installed on all devices. However, there's no way to stop TiUP from self-signing certificates and make it use provided ones instead.
Describe the feature you'd like:
When turning on TLS using tiup cluster tls, allow providing certificates paths on machines instead of always issuing new ones.
Why the feature is needed:
As mentioned, corporations using private PKIs can benefit from this.
Describe alternatives you've considered:
First turn on TLS using tiup cluster tls, then replace the generated certificates with symbolic links to certificates issued by the corporate PKI. This is dirty and error-prone, and breaks whenever someone runs tiup cluster tls --reload-certificate.
Teachability, Documentation, Adoption, Migration Strategy:
I suggest adding an option to tiup cluster tls: --manual-cert-path points to a path with 3 files:
ca.crt is the chain of CAs needed;
cert.crt is the certificate with "TLS Web Server + TLS Web Client" key usages;
cert.key is the private key.
This certificate path should be available on all cluster nodes.
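A pre-flight check for the proposed layout, written in Go (TiUP's own language) as an added example; it is not part of the original issue or of TiUP. It reads ca.crt, cert.crt and cert.key from one directory and verifies the three properties the request spells out: the key belongs to the certificate, the certificate carries both the TLS Web Server (serverAuth) and TLS Web Client (clientAuth) extended key usages, and it chains to a CA in ca.crt. The function names, the throwaway "Demo Corp" CA and leaf fixture, and the option name itself are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

var bothRoles = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// ValidateManualCertDir is a pre-flight check for the proposed layout (ca.crt, cert.crt, cert.key):
// cert.key must match cert.crt, cert.crt must carry both EKUs (TiDB components connect to each
// other, so one certificate acts as server and client) and must chain to a CA in ca.crt.
func ValidateManualCertDir(dir string) error {
	files := map[string][]byte{}
	for _, name := range []string{"ca.crt", "cert.crt", "cert.key"} {
		b, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return err
		}
		files[name] = b
	}
	// tls.X509KeyPair accepts PKCS#1, PKCS#8 and SEC1 EC keys and rejects a key that does not match the cert.
	pair, err := tls.X509KeyPair(files["cert.crt"], files["cert.key"])
	if err != nil {
		return fmt.Errorf("cert.crt/cert.key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("cert.crt: %w", err)
	}
	have := map[x509.ExtKeyUsage]bool{}
	for _, u := range leaf.ExtKeyUsage {
		have[u] = true
	}
	for _, want := range bothRoles {
		if !have[want] {
			return fmt.Errorf("cert.crt: missing extended key usage %d (1=serverAuth, 2=clientAuth)", want)
		}
	}
	// Every certificate in the ca.crt bundle is accepted as a trust anchor for this check.
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(files["ca.crt"]) {
		return fmt.Errorf("ca.crt: no PEM certificates found")
	}
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: bothRoles}); err != nil {
		return fmt.Errorf("cert.crt does not chain to ca.crt: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// WriteDemoCertDir writes a constructed fixture (a throwaway root CA plus a leaf it signs) in the
// proposed layout. mismatchedKey stores a key that does not belong to the leaf. Demo data only.
func WriteDemoCertDir(dir string, ekus []x509.ExtKeyUsage, mismatchedKey bool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Corp Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tidb-node"}, ExtKeyUsage: ekus,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, must(x509.ParseCertificate(caDER)), &leafKey.PublicKey, caKey))
	if mismatchedKey { // simulate the symlink-to-the-wrong-key mistake: the stored key is not the leaf's
		leafKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	for name, blk := range map[string]*pem.Block{
		"ca.crt":   {Type: "CERTIFICATE", Bytes: caDER},
		"cert.crt": {Type: "CERTIFICATE", Bytes: leafDER},
		"cert.key": {Type: "PRIVATE KEY", Bytes: must(x509.MarshalPKCS8PrivateKey(leafKey))},
	} {
		must(0, os.WriteFile(filepath.Join(dir, name), pem.EncodeToMemory(blk), 0o600))
	}
}

func main() {
	dir := must(os.MkdirTemp("", "tiup-manual-cert-"))
	defer os.RemoveAll(dir)
	WriteDemoCertDir(dir, bothRoles, false)
	fmt.Println("bundle check:", ValidateManualCertDir(dir))
}
```

Two deliberate choices: the EKU check is done on the leaf itself rather than left to Verify, because Go's verifier accepts a certificate with no EKU extension at all for any usage, while the request asks for both usages to be present; and every certificate in ca.crt is loaded as a trust anchor, so a bundle that carries intermediates is accepted as long as the leaf chains to one of them. Running such a check on every node before a reload is what would turn the symlink workaround from "breaks silently" into "fails loudly".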