Is there a way to automatically reload TiDB Server TLS certificate?

Application environment: Kubernetes with cert-manager

TiDB version: 7.1

Reproduction method:

I’m following this instruction to set up TLS for the MySQL client: Enable TLS for the MySQL Client | PingCAP Docs

I’m using cert-manager to generate certificate. This means that cert-manager will automatically renew the certificate.

However, for TiDB to reload a new TLS cert, my understanding is that we need to call ALTER INSTANCE RELOAD TLS; ALTER INSTANCE | PingCAP Docs

Is there a way for TiDB to reload the TLS cert automatically? If not, what is the recommended way to reload the certificate? Can we run a background job on TiDB? Or do I need to rely on a Kubernetes job? Are there other suggestions?

According to the official documentation, to reload the TLS certificate, key, and CA, you need to execute the ALTER INSTANCE RELOAD TLS statement on the running TiDB instance. The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected.

However, there is no built-in way to automatically reload the TLS certificate in TiDB. You can use a Kubernetes CronJob to periodically execute the ALTER INSTANCE RELOAD TLS statement to reload the certificate. You can also use a Kubernetes Job to execute the statement when the certificate is renewed by cert-manager.

Alternatively, you can use a third-party tool like Orchestrator to manage the TiDB cluster and automatically reload the TLS certificate when it is renewed.

Please note that when an error occurs during reloading, by default, the previous key and certificate continue to be used. However, if you have added the optional NO ROLLBACK ON ERROR, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled with the TLS security connection disabled. Therefore, it is recommended to test the reloading process before deploying it to production.

: Enable TLS between Clients and Servers
: Orchestrator
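As an added example (not from the original thread and not PingCAP's or cert-manager's own code), a Kubernetes CronJob that issues the reload the answer describes. The cluster name, namespace, pod hostnames, the `tls_reloader` account and both Secret names are assumptions; the job verifies the server certificate against the cert-manager CA so it only ever sends credentials to the real TiDB pods.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: tidb-reload-tls            # assumed name
  namespace: tidb-cluster          # assumed namespace
spec:
  # cert-manager renews well before expiry, so a coarse schedule is enough;
  # the statement is harmless to repeat when nothing has changed.
  schedule: "0 */6 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: reload
              image: mysql:8.0     # any image that ships the mysql CLI
              env:
                - name: MYSQL_PWD  # password of a dedicated, least-privilege account
                  valueFrom:
                    secretKeyRef:
                      name: tidb-reload-credentials   # assumed Secret with a 'password' key
                      key: password
                - name: TIDB_HOSTS # assumed: one entry per TiDB pod via the headless peer service
                  value: "basic-tidb-0.basic-tidb-peer basic-tidb-1.basic-tidb-peer"
              command: ["sh", "-c"]
              args:
                - |
                  set -eu
                  # ALTER INSTANCE only affects the instance the client is connected to,
                  # so address each TiDB pod directly instead of the load-balanced service.
                  for host in $TIDB_HOSTS; do
                    mysql -h "$host" -P 4000 -u tls_reloader \
                      --ssl-mode=VERIFY_CA --ssl-ca=/var/lib/tidb-ca/ca.crt \
                      -e 'ALTER INSTANCE RELOAD TLS;'
                  done
              volumeMounts:
                - name: tidb-ca
                  mountPath: /var/lib/tidb-ca
                  readOnly: true
          volumes:
            - name: tidb-ca
              secret:
                secretName: tidb-server-secret   # assumed: the Secret cert-manager writes
                items:
                  - key: ca.crt
                    path: ca.crt
```

Grant `tls_reloader` only the privilege the ALTER INSTANCE documentation requires, and check the job's logs after the first cert-manager renewal to confirm every pod reloaded without error.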