Enable component encryption for TiDB clusters with TiUP #12508
[REVIEW NOTIFICATION] This pull request has not been approved. To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review.
@kaaaaaaang Could you please help review this PR
@kaaaaaaang: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
### TiUP 如何为已存在的 TiDB 集群开启组件加密? | ||
|
||
TiUP v1.9.0 版本开始支持开启组件加密功能,下面以**已存在但并未开启组件间加密的集群**为例,为其开启组件加密,**该操作不支持在线进行需要重启集群**,步骤及说明如下: |
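Review bot: The intro sentence runs the restart constraint straight into the procedure lead-in ("该操作不支持在线进行需要重启集群,步骤及说明如下") with no separator; split the restart requirement out into its own note block so readers see it before they start, and name the command being introduced (`tiup cluster tls ${cluster_name} enable`) here rather than only in step 1.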
### TiUP 如何为已存在的 TiDB 集群开启组件加密? | |
TiUP v1.9.0 版本开始支持开启组件加密功能,下面以**已存在但并未开启组件间加密的集群**为例,为其开启组件加密,**该操作不支持在线进行需要重启集群**,步骤及说明如下: | |
### 如何使用 TiUP 为已存在的 TiDB 集群开启组件加密? | |
TiUP v1.9.0 开始支持通过 `tiup cluster tls ${cluster_name} enable` 命令开启组件加密功能,下面以**已存在但并未开启组件间加密的集群**为例,介绍如何为其开启组件加密。 | |
> **注意:** | |
> | |
> 该操作需要重启集群,不支持在线执行。 |
1. 通过 `tiup cluster tls {cluster_name} enable/disable` 命令开启或关闭 TLS 组件加密。首先,查看集群初始状态: | ||
|
||
```shell | ||
tiup cluster display {cluster_name} | ||
``` | ||
|
||
2. 通过 edit-config 将 pd 节点信息保存到单独文件,方便后续扩容。由于 ETCD 机制限制,需先将 PD 节点缩容到 1 个节点后,再使用 `tls ${cluster_name} enable` 开启组件加密。注意:`tls ${cluster_name} enable/disable` 方式开启或关闭 TLS 时会重启 TiDB 集群,行为类似于 tiup cluster restart ,而不是以滚动重启的方式重启节点。 | ||
|
||
3. 将 PD 节点缩容至单节点 | ||
|
||
```shell | ||
tiup cluster scale-in {cluster_name} -N {PD_IP:PD_Port} | ||
tiup cluster display {cluster_name} | ||
``` |
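Review bot: Step 2 tells the reader to save the PD node info to a separate file but never names it, while step 7 later consumes `./scale-pd.yaml`; name the file here and show the `tiup cluster edit-config {cluster_name}` command the step depends on. Placeholders are also mixed within the hunk (`{cluster_name}` in the shell blocks, `${cluster_name}` in the prose); pick one form. Because the cluster runs on a single PD from step 3 until the scale-out in step 7, it is worth saying explicitly that PD has no redundancy for the duration of the change, so the operator can schedule a maintenance window accordingly.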
1. 通过 `tiup cluster tls {cluster_name} enable/disable` 命令开启或关闭 TLS 组件加密。首先,查看集群初始状态: | |
```shell | |
tiup cluster display {cluster_name} | |
``` | |
2. 通过 edit-config 将 pd 节点信息保存到单独文件,方便后续扩容。由于 ETCD 机制限制,需先将 PD 节点缩容到 1 个节点后,再使用 `tls ${cluster_name} enable` 开启组件加密。注意:`tls ${cluster_name} enable/disable` 方式开启或关闭 TLS 时会重启 TiDB 集群,行为类似于 tiup cluster restart ,而不是以滚动重启的方式重启节点。 | |
3. 将 PD 节点缩容至单节点 | |
```shell | |
tiup cluster scale-in {cluster_name} -N {PD_IP:PD_Port} | |
tiup cluster display {cluster_name} | |
``` | |
1. 查看集群初始状态,并通过 `tiup cluster edit-config` 备份 PD 节点信息,以便后续扩容: | |
```shell | |
tiup cluster display ${cluster_name} | |
tiup cluster edit-config ${cluster_name} | |
``` | |
2. 将 PD 节点缩容至单个节点: | |
```shell | |
tiup cluster scale-in ${cluster_name} -N ${PD_IP:PD_Port} | |
tiup cluster display ${cluster_name} | |
``` |
4. 通过 `tiup cluster tls {cluster_name} enable` 开启 TLS 组件间加密 | ||
|
||
```shell | ||
tiup cluster tls {cluster_name} enable | ||
``` |
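Review bot: The warning that `tls enable/disable` restarts the whole cluster in a non-rolling way (similar to `tiup cluster restart`) currently lives in step 2, but this is the step that actually triggers the restart; move that warning here as a note block directly above the command. Same placeholder inconsistency as earlier: `{cluster_name}` here versus `${cluster_name}` in step 2.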
4. 通过 `tiup cluster tls {cluster_name} enable` 开启 TLS 组件间加密 | |
```shell | |
tiup cluster tls {cluster_name} enable | |
``` | |
3. 开启 TLS 组件间加密: | |
> **注意:** | |
> | |
> 开启或关闭 TLS 组件间加密会重启 TiDB 集群,行为类似于 `tiup cluster restart`,而不是以滚动重启的方式重启节点。 | |
```shell | |
tiup cluster tls ${cluster_name} enable | |
``` |
5. 查看集群状态 | ||
|
||
```shell | ||
tiup cluster display {cluster_name} | ||
``` | ||
|
||
6. 验证 TLS 开启情况 | ||
|
||
检查 pd-ctl 执行 member 命令,输出的结果中对应的 peer_urls 以及 client_urls 都变为了 https 协议。注意:在 -u 指定 pd 地址时,需要使用 https 协议,若不为 https 协议,则需要检查环境,执行 `tiup cluster tls {cluster_name} disabl 回退操作。如果都是 https 协议,则可以进行下一步骤。 |
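Review bot: The rollback command in step 6 is truncated and its opening backtick is never closed: "`tiup cluster tls {cluster_name} disabl 回退操作" should read "`tiup cluster tls {cluster_name} disable`" followed by the prose. The same paragraph asks the reader to check `peer_urls` and `client_urls` in the `member` output before the command that produces that output appears; consider placing the verification text after the command block so the check follows the action.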
5. 查看集群状态 | |
```shell | |
tiup cluster display {cluster_name} | |
``` | |
6. 验证 TLS 开启情况 | |
检查 pd-ctl 执行 member 命令,输出的结果中对应的 peer_urls 以及 client_urls 都变为了 https 协议。注意:在 -u 指定 pd 地址时,需要使用 https 协议,若不为 https 协议,则需要检查环境,执行 `tiup cluster tls {cluster_name} disabl 回退操作。如果都是 https 协议,则可以进行下一步骤。 | |
4. 验证 TLS 开启情况: | |
使用 PD Control 检查 [`pd member`](/pd-control.md#member-delete--leader_priority--leader-show--resign--transfer-member_name) 命令的输出,确认 `peer_urls` 和 `client_urls` 是否已切换为 HTTPS 协议。使用 `-u` 指定 PD 地址时,应使用 HTTPS 协议。 |
|
||
```shell | ||
export PDTLS="--cacert /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/ca.crt --cert /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/client.crt --key /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/client.pem" | ||
tiup ctl:{version} pd -u https://{PD_IP:PD_Port} $PDTLS -i |
tiup ctl:{version} pd -u https://{PD_IP:PD_Port} $PDTLS -i | |
tiup ctl:v<CLUSTER_VERSION> pd -u https://${PD_IP:PD_Port} $PDTLS -i member |
export PDTLS="--cacert /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/ca.crt --cert /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/client.crt --key /root/.tiup/storage/cluster/clusters/{cluster_name}/tls/client.pem" | ||
tiup ctl:{version} pd -u https://{PD_IP:PD_Port} $PDTLS -i | ||
``` | ||
|
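Review bot: `tiup ctl:{version} pd -u https://{PD_IP:PD_Port} $PDTLS -i` opens an interactive PD Control session, but the text above asks for the output of the `member` command; either append `member` to the command line or tell the reader to type `member` at the prompt. The certificate paths hardcode `/root/.tiup/...`, which only holds when TiUP runs as root; `~/.tiup/storage/cluster/clusters/{cluster_name}/tls/` is portable. Since the file passed to `--key` (`client.pem`) is the client private key, the doc should also say to run this check from the control machine where TiUP already keeps that key rather than copying the key elsewhere.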
如果 `peer_urls` 和 `client_urls` 不是 HTTPS 协议,需检查环境或执行 `tiup cluster tls ${cluster_name} disable` 进行回退。如果已经是 HTTPS 协议,则继续下一步。 | |
7. 根据缩容前保存的拓扑信息,扩容 pd 节点 | ||
|
||
```shell | ||
tiup cluster scale-out {cluster_name} ./scale-pd.yaml | ||
``` | ||
|
||
8. 检查集群,并且尝试连接验证集群 | ||
|
||
```shell | ||
tiup cluster display {cluster_name} | ||
``` |
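Review bot: Step 8 says to "尝试连接验证集群" but only shows `tiup cluster display`, which reports component status rather than a client connection; show the actual connection check so the reader can confirm that clients still reach TiDB after TLS is enabled. Step 7's `./scale-pd.yaml` should also be tied by name to the file saved in step 2 so the two steps match.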
7. 根据缩容前保存的拓扑信息,扩容 pd 节点 | |
```shell | |
tiup cluster scale-out {cluster_name} ./scale-pd.yaml | |
``` | |
8. 检查集群,并且尝试连接验证集群 | |
```shell | |
tiup cluster display {cluster_name} | |
``` | |
5. 根据第 1 步保存的拓扑信息扩容 PD 节点: | |
```shell | |
tiup cluster scale-out ${cluster_name} ./scale-pd.yaml | |
``` | |
6. 检查集群状态并尝试连接集群: | |
```shell | |
tiup cluster display ${cluster_name} | |
``` |
Removed the needs-cherry-pick-release-7.3 label because the v7.3 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.3 and will no longer receive new updates.
Removed the needs-cherry-pick-release-7.4 label because the v7.4 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.4 and will no longer receive new updates.
Removed the needs-cherry-pick-release-7.6 label because the v7.6 docs have been archived at https://docs-archive.pingcap.com/zh/tidb/v7.6 and will no longer receive new updates.
What is changed, added or deleted? (Required)
Based on hands-on testing experience, I hope the FAQ can give users a clearer operation path.