Enable component encryption for TiDB clusters with TiUP

[AricSu]

First-time contributors' checklist

• I've signed Contributor License Agreement that's required for repo owners to accept my contribution.

What is changed, added or deleted? (Required)

依据实测经验，希望 FAQ 可以给使用者更明确的操作路径。

Which TiDB version(s) do your changes apply to? (Required)

Tips for choosing the affected version(s):

By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.

For details, see tips for choosing the affected versions (in Chinese).

• master (the latest development version)
• v6.6 (TiDB 6.6 versions)
• v6.5 (TiDB 6.5 versions)
• v6.4 (TiDB 6.4 versions)
• v6.1 (TiDB 6.1 versions)
• v5.4 (TiDB 5.4 versions)
• v5.3 (TiDB 5.3 versions)
• v5.2 (TiDB 5.2 versions)
• v5.1 (TiDB 5.1 versions)
• v5.0 (TiDB 5.0 versions)

What is the related PR or file link(s)?

• This PR is translated from: Support deploying and managing TLS encryption enabled TiDB cluster tiup#529
• Other reference link(s):

Do your changes match any of the following descriptions?

• Delete files
• Change aliases
• Need modification after applied to another branch
• Might cause conflicts after applied to another branch

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has not been approved.

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[Oreoxmt]

@kaaaaaaang Could you please help review this PR

[ti-chi-bot]

@kaaaaaaang: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Oreoxmt]

Suggested change

	### TiUP 如何为已存在的 TiDB 集群开启组件加密？
	TiUP v1.9.0 版本开始支持开启组件加密功能，下面以**已存在但并未开启组件间加密的集群**为例，为其开启组件加密，**该操作不支持在线进行需要重启集群**，步骤及说明如下：
	### 如何使用 TiUP 为已存在的 TiDB 集群开启组件加密？
	TiUP v1.9.0 开始支持通过 `tiup cluster tls ${cluster_name} enable` 命令开启组件加密功能，下面以**已存在但并未开启组件间加密的集群**为例，介绍如何为其开启组件加密。
	> **注意：**
	>
	> 该操作需要重启集群，不支持在线执行。

[Oreoxmt]

Suggested change

	1. 通过 `tiup cluster tls {cluster_name} enable/disable` 命令开启或关闭 TLS 组件加密。首先，查看集群初始状态：
	```shell
	tiup cluster display {cluster_name}
	```
	2. 通过 edit-config 将 pd 节点信息保存到单独文件，方便后续扩容。由于 ETCD 机制限制，需先将 PD 节点缩容到 1 个节点后，再使用 `tls ${cluster_name} enable` 开启组件加密。注意：`tls ${cluster_name} enable/disable` 方式开启或关闭 TLS 时会重启 TiDB 集群，行为类似于 tiup cluster restart ，而不是以滚动重启的方式重启节点。
	3. 将 PD 节点缩容至单节点
	```shell
	tiup cluster scale-in {cluster_name} -N {PD_IP:PD_Port}
	tiup cluster display {cluster_name}
	```
	1. 查看集群初始状态，并通过 `tiup cluster edit-config` 备份 PD 节点信息，以便后续扩容：
	```shell
	tiup cluster display ${cluster_name}
	tiup cluster edit-config ${cluster_name}
	```
	2. 将 PD 节点缩容至单个节点：
	```shell
	tiup cluster scale-in ${cluster_name} -N ${PD_IP:PD_Port}
	tiup cluster display ${cluster_name}
	```

[Oreoxmt]

Suggested change

	4. 通过 `tiup cluster tls {cluster_name} enable` 开启 TLS 组件间加密
	```shell
	tiup cluster tls {cluster_name} enable
	```
	3. 开启 TLS 组件间加密：
	> **注意：**
	>
	> 开启或关闭 TLS 组件间加密会重启 TiDB 集群，行为类似于 `tiup cluster restart`，而不是以滚动重启的方式重启节点。
	```shell
	tiup cluster tls ${cluster_name} enable
	```

[Oreoxmt]

Suggested change

	5. 查看集群状态
	```shell
	tiup cluster display {cluster_name}
	```
	6. 验证 TLS 开启情况
	检查 pd-ctl 执行 member 命令，输出的结果中对应的 peer_urls 以及 client_urls 都变为了 https 协议。注意：在 -u 指定 pd 地址时，需要使用 https 协议，若不为 https 协议，则需要检查环境，执行 `tiup cluster tls {cluster_name} disabl 回退操作。如果都是 https 协议，则可以进行下一步骤。
	4. 验证 TLS 开启情况：
	使用 PD Control 检查 [`pd member`](/pd-control.md#member-delete--leader_priority--leader-show--resign--transfer-member_name) 命令的输出，确认 `peer_urls` 和 `client_urls` 是否已切换为 HTTPS 协议。使用 `-u` 指定 PD 地址时，应使用 HTTPS 协议。

[Oreoxmt]

Suggested change

	tiup ctl:{version} pd -u https://{PD_IP:PD_Port} $PDTLS -i
	tiup ctl:v<CLUSTER_VERSION> pd -u https://${PD_IP:PD_Port} $PDTLS -i member

[Oreoxmt]

Suggested change

	如果 `peer_urls` 和 `client_urls` 不是 HTTPS 协议，需检查环境或执行 `tiup cluster tls ${cluster_name} disable` 进行回退。如果已经是 HTTPS 协议，则继续下一步。

[Oreoxmt]

Suggested change

	7. 根据缩容前保存的拓扑信息，扩容 pd 节点
	```shell
	tiup cluster scale-out {cluster_name} ./scale-pd.yaml
	```
	8. 检查集群，并且尝试连接验证集群
	```shell
	tiup cluster display {cluster_name}
	```
	5. 根据第 1 步保存的拓扑信息扩容 PD 节点：
	```shell
	tiup cluster scale-out ${cluster_name} ./scale-pd.yaml
	```
	6. 检查集群状态并尝试连接集群：
	```shell
	tiup cluster display ${cluster_name}
	```

[qiancai]

Removed the needs-cherry-pick-release-7.3 label because the v7.3 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.3 and will no longer receive new updates

[qiancai]

Removed the needs-cherry-pick-release-7.4 label because the v7.4 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.4 and will no longer receive new updates.

[qiancai]

Removed the needs-cherry-pick-release-7.6 label because the v7.6 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.6 and will no longer receive new updates.