server: fix TLS credentials not passed to tiflow in old architecture mode#3720
Conversation
ti-chi-bot
Bot
added
do-not-merge/needs-triage-completed
do-not-merge/release-note-label-needed
|
Hi @dumanshu. Thanks for your PR. I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
ti-chi-bot
Bot
added
the
needs-ok-to-test
Summary of ChangesHello @dumanshu, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request fixes a critical bug in TiCDC's old architecture mode that prevented it from connecting to TLS-enabled PD clusters. The issue was due to TLS credentials from CLI flags not being properly propagated to the underlying Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
ti-chi-bot
Bot
added
the
size/L
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively resolves the issue of TLS credentials not being passed to tiflow in the old architecture mode. The approach of populating serverConfig.Security before marshaling is correct and directly addresses the root cause. The removal of now-redundant code and the addition of comprehensive unit tests are great improvements. I have one suggestion to refactor the new tests for better maintainability, but overall this is a solid contribution.
dumanshu
force-pushed
the
w_dgo-fix-tls-old-arch
branch
from
5dedf9f to
bece430
Compare
ti-chi-bot
Bot
added
release-note
ti-chi-bot
Bot
added
needs-1-more-lgtm
|
/check-issue-triage-complete |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wk989898, wlwilliamx The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ti-chi-bot
Bot
added
lgtm
and removed
needs-1-more-lgtm
[LGTM Timeline notifier]Timeline:
|
|
@dumanshu Please run |
dumanshu
force-pushed
the
w_dgo-fix-tls-old-arch
branch
from
bece430 to
ec3155b
Compare
|
/retest-required |
|
@dumanshu: Cannot trigger testing until a trusted user reviews the PR and leaves an DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@wk989898 Done - ran |
|
Our CI resource pool has been quite strained these past few days, so CIs are frequently aborted. If this happens, just run /retest again after a while. |
|
/retest |
|
/retest |
|
@dumanshu: Cannot trigger testing until a trusted user reviews the PR and leaves an DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test all |
|
@dumanshu: Cannot trigger testing until a trusted user reviews the PR and leaves an DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@wlwilliamx - can you help with /ok-to-test as per #3720 (comment) ? |
|
/ok-to-test |
ti-chi-bot
Bot
added
ok-to-test
|
/retest |
…mode When TiCDC runs in old architecture mode, TLS credentials passed via CLI flags (--ca, --cert, --key) were not transferred to serverConfig.Security before JSON marshaling. This caused tiflow to receive an empty Security config, resulting in HTTP connections instead of HTTPS. Fix by calling o.getCredential() to populate serverConfig.Security before marshaling, similar to how complete() does it for new architecture mode. Also remove the redundant oldOptions.CaPath/CertPath/KeyPath/AllowedCertCN assignments since the credentials are now in ServerConfig.Security. Closes #3718
dumanshu
force-pushed
the
w_dgo-fix-tls-old-arch
branch
from
ec3155b to
8b166ee
Compare
3 participants
What problem does this PR solve?
Issue Number: close #3718
When TiCDC runs in old architecture mode (delegating to tiflow), TLS credentials passed via CLI flags (
--ca,--cert,--key) are not transferred toserverConfig.Security. This causes TiCDC to connect to PD using HTTP instead of HTTPS, resulting in connection failures for TLS-enabled clusters.What is changed and how it works?
Root cause: In
runTiFlowServer(), the code marshalso.serverConfigto JSON and passes it to tiflow. However,o.serverConfig.Securitywas never populated from the CLI flags before marshaling. The tiflowcomplete()function then copies from the emptyo.ServerConfig.Securityback tocfg.Security, overwriting any credentials.Fix:
o.getCredential()to populateserverConfig.Securitybefore JSON marshalingoldOptions.CaPath/CertPath/KeyPath/AllowedCertCNassignments since credentials are now inServerConfig.SecurityThis is similar to how
complete()does it for new architecture mode at line 161.Check List
Tests
Questions
Will it cause performance regression or break compatibility?
No
Do you need to update user documentation, design documentation or monitoring documentation?
No
Release note