*: put source/task tls config into etcd #1910
Remove `tidb_enable_change_column_type` as tidb's `defaultSysVars` do not contain this key and dm-worker will panic if we pass in a variable that tidb does not `RegisterSysVar`.
rest lgtm
dm/config/security_test.go
Outdated
testdataPath = "./testdata" | ||
|
||
caFile = "./testdata/ca.pem" |
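Review bot: `caFile` repeats the `./testdata` literal that `testdataPath` already holds, and both are relative paths, which ties the test to the working directory it is run from. Derive `caFile` from `testdataPath` and point `testdataPath` at a per-test temporary directory so the certificate fixtures are created and cleaned up by the test itself.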
How about using `c.Mkdir()` to save them in temporary files?
fixed in c5fb6a3
dm/ctl/master/start_task.go
Outdated
if task.TargetDB != nil && task.TargetDB.Security != nil { | ||
loadErr := task.TargetDB.Security.LoadTLSContent() | ||
if loadErr != nil { | ||
return loadErr | ||
} |
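Review bot: the bare `return loadErr` after `task.TargetDB.Security.LoadTLSContent()` gives the caller no indication that it was the target DB's TLS files that could not be loaded, or that they were being read on the machine running this command. Wrap the error with that context (the config section and that the files are read locally) so a user whose certificates live only on another host can tell why start-task stopped here.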
It seems not compatible with the former version. If we still put TLS files on the dm-worker server we will fail to start a task now.
Maybe I could add a hint to the error message to help the user locate the problem?
Can we ignore this error here and let the dm-worker take a try?
If it still fails to read tls content, we can report an error. If users have several sources/tasks using tls before, it might be hard for them to change their way to use DM.
Besides, I find that if we directly do a rolling upgrade of DM from a former version using MySQL tls, it seems that the former tasks will directly fail because they didn't have `SSLCABytes` in source config. Am I right?
To ensure that tasks already using tls connections are not interrupted after this upgrade, before the database connection is established, an attempt is made to read the configuration from the local disk.
cc @lance6716
echo "check data" | ||
check_sync_diff $WORK_DIR $cur/conf/diff_config.toml | ||
|
||
echo "pause task before kill and restart dm-worker" |
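Review bot: `$WORK_DIR` and `$cur` are unquoted in `check_sync_diff $WORK_DIR $cur/conf/diff_config.toml`, so a path containing spaces or glob characters would be split into extra arguments. Quote both expansions: `check_sync_diff "$WORK_DIR" "$cur/conf/diff_config.toml"`.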
I think we should delete tls files first to make sure we have ha.
I don't think so, the worker doesn't read the certificate from the file in the code now, we always read it from etcd, because we use this method to load the certificate (`ToTLSConfigWithVerifyByRawbytes`).
If dm-worker reads tls files from the local disk, we can also pass this test. Our test should make sure the former way fails this test.
also added in 6d62706
LGTM
/merge
This pull request has been accepted and is ready to merge. Commit hash: 39268c5
In response to a cherrypick label: new pull request created: #1998.
What problem does this PR solve?
close #1909
close #1932
close #1956
#1982
What is changed and how it works?
update /tidb/dumpling/tidb-tools dependencies to the latest version
when the user has configured the SSL-related configuration, the contents of the certificate file are read and saved to the ETCD
In order to simulate this scenario in CI, the PR for the mysql SSL supported by CI must be merged before this PR
I've manually replayed the CI changes, link is here
Check List
Tests
Code changes
Side effects
Related changes
dm/dm-ansible
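
The behaviour discussed in this thread and in the PR description (certificate content carried with the config, with a fallback to the file on local disk for configs written before the upgrade), as an added Go example that is not code from this PR or from DM. `Security` here is a simplified stand-in with only a CA field, `TLSConfig` and `constructedCA` are hypothetical names, and the CA is a throwaway certificate generated inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Security is a simplified, hypothetical stand-in for a source/task TLS section.
type Security struct {
	SSLCA      string // path to the CA file on the local disk
	SSLCABytes []byte // PEM content of that file, the part stored with the config
}

// TLSConfig prefers the stored bytes and reads the local file only when they are absent.
func (s *Security) TLSConfig() (*tls.Config, error) {
	if len(s.SSLCABytes) == 0 && s.SSLCA != "" {
		b, err := os.ReadFile(s.SSLCA)
		if err != nil {
			return nil, fmt.Errorf("read ssl-ca %q on this host: %w", s.SSLCA, err)
		}
		s.SSLCABytes = b
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(s.SSLCABytes) {
		return nil, fmt.Errorf("ssl-ca %q: no usable PEM certificate", s.SSLCA)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// constructedCA returns a throwaway self-signed CA in PEM form (sample input).
func constructedCA() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, err := (&Security{SSLCA: "/no/such/ca.pem", SSLCABytes: constructedCA()}).TLSConfig()
	fmt.Println("stored content used, missing file ignored:", err == nil)
}
```

A test that is meant to prove the stored content is used has to remove the file before the second call; otherwise the disk fallback makes both code paths pass.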