Support to overwrite ClusterClientTLSSecretName for ticdc

pingcap · Oct 28, 2024 · ebc894b · ebc894b
1 parent 33fe843
commit ebc894b
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 1 deletion.
diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
@@ -16599,6 +16599,21 @@ This field is useful for sharing the same mTLS cert secret for multiple ticdc cl
 </tr>
 <tr>
 <td>
+<code>clusterClientTLSSecretName</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ClusterTLSSecretName is used for overwriting the default <strong>cluster client</strong> cert secret name (see also: pkg/util/util.go:ClusterClientTLSSecretName)
+This field is useful for sharing the same cluster client cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.
+The ClusterClientTLSSecret is actually not directly used by ticdc, but it is useful for executing some commands via <code>ticdc-ctl</code>
+by <code>kubectl exec -it ticdc-0 -- /cdc cli --ca /var/lib/cluster-client-tls/ca.crt --cert /var/lib/cluster-client-tls/tls.crt --key /var/lib/cluster-client-tls/tls.key ...</code>.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>baseImage</code></br>
 <em>
 string

diff --git a/manifests/crd/v1/pingcap.com_tidbclusters.yaml b/manifests/crd/v1/pingcap.com_tidbclusters.yaml
@@ -13152,6 +13152,8 @@ spec:
                     x-kubernetes-list-map-keys:
                     - name
                     x-kubernetes-list-type: map
+                  clusterClientTLSSecretName:
+                    type: string
                   clusterTLSSecretName:
                     type: string
                   config:

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
@@ -864,6 +864,13 @@ type TiCDCSpec struct {
 	// +optional
 	ClusterTLSSecretName string `json:"clusterTLSSecretName,omitempty"`
 
+	// ClusterTLSSecretName is used for overwriting the default **cluster client** cert secret name (see also: pkg/util/util.go:ClusterClientTLSSecretName)
+	// This field is useful for sharing the same cluster client cert secret for multiple ticdc clusters connecting to the same upstream tidb cluster.
+	// The ClusterClientTLSSecret is actually not directly used by ticdc, but it is useful for executing some commands via `ticdc-ctl`
+	//  by `kubectl exec -it ticdc-0 -- /cdc cli --ca /var/lib/cluster-client-tls/ca.crt --cert /var/lib/cluster-client-tls/tls.crt --key /var/lib/cluster-client-tls/tls.key ...`.
+	// +optional
+	ClusterClientTLSSecretName string `json:"clusterClientTLSSecretName,omitempty"`
+
 	// Base image of the component, image tag is now allowed during validation
 	// +kubebuilder:default=pingcap/ticdc
 	// +optional

diff --git a/pkg/manager/member/ticdc_member_manager.go b/pkg/manager/member/ticdc_member_manager.go
@@ -411,7 +411,7 @@ func getNewTiCDCStatefulSet(tc *v1alpha1.TidbCluster, cm *corev1.ConfigMap) (*ap
 		}, corev1.Volume{
 			Name: util.ClusterClientVolName, VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: util.ClusterClientTLSSecretName(tc.Name),
+					SecretName: getTiCDCClusterClientTLSCertSecretName(tc),
 				},
 			},
 		})
@@ -575,6 +575,15 @@ func getTiCDCClusterTLSCertSecretName(tc *v1alpha1.TidbCluster) string {
 	return clusterTLSSecretName
 }
 
+func getTiCDCClusterClientTLSCertSecretName(tc *v1alpha1.TidbCluster) string {
+	clusterClientTLSSecretName := util.ClusterClientTLSSecretName(tc.Name)
+	if tc.Spec.TiCDC.ClusterClientTLSSecretName != "" {
+		clusterClientTLSSecretName = tc.Spec.TiCDC.ClusterClientTLSSecretName
+	}
+
+	return clusterClientTLSSecretName
+}
+
 func labelTiCDC(tc *v1alpha1.TidbCluster) label.Label {
 	instanceName := tc.GetInstanceName()
 	return label.New().Instance(instanceName).TiCDC()