lightning/config: align the behaviour of tidb.tls to doc (pingcap#53140)

close pingcap#53001

pkg/lightning/config/config.go

@@ -179,22 +179,33 @@ func (d *DBStore) adjust(
 	}
 
 	switch d.TLS {
-	case "skip-verify", "preferred":
+	case "preferred":
+		d.Security.AllowFallbackToPlaintext = true
+		fallthrough
+	case "skip-verify":
 		if d.Security.TLSConfig == nil {
 			/* #nosec G402 */
 			d.Security.TLSConfig = &tls.Config{
 				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: true,
 				NextProtos:         []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
 			}
-			d.Security.AllowFallbackToPlaintext = true
+		} else {
+			d.Security.TLSConfig.InsecureSkipVerify = true
 		}
 	case "cluster":
 		if len(s.CAPath) == 0 {
 			return common.ErrInvalidConfig.GenWithStack("cannot set `tidb.tls` to 'cluster' without a [security] section")
 		}
-	case "", "false":
-		d.TLS = "false"
+	case "":
+	case "false":
+		d.Security.TLSConfig = nil
+		d.Security.CAPath = ""
+		d.Security.CertPath = ""
+		d.Security.KeyPath = ""
+		d.Security.CABytes = nil
+		d.Security.CertBytes = nil
+		d.Security.KeyBytes = nil
 	default:
 		return common.ErrInvalidConfig.GenWithStack("unsupported `tidb.tls` config %s", d.TLS)
 	}

pkg/lightning/config/config_test.go

@@ -385,6 +385,17 @@ func TestAdjustSecuritySection(t *testing.T) {
 			`,
 			expectedCA:     "",
 			hasTLS:         true,
+			fallback2NoTLS: false,
+		},
+		{
+			input: `
+				[security]
+				[tidb]
+				tls = "preferred"
+				[tidb.security]
+			`,
+			expectedCA:     "",
+			hasTLS:         true,
 			fallback2NoTLS: true,
 		},
 		{
@@ -398,6 +409,18 @@ func TestAdjustSecuritySection(t *testing.T) {
 			hasTLS:         false,
 			fallback2NoTLS: false,
 		},
+		{
+			input: `
+				[security]
+				[tidb]
+				tls = "false"
+				[tidb.security]
+				ca-path = "/path/to/ca2.pem"
+			`,
+			expectedCA:     "",
+			hasTLS:         false,
+			fallback2NoTLS: false,
+		},
 	}
 
 	for _, tc := range testCases {