support reloading TLS certificates for TiFlash #12251

Merged
merged 7 commits into from
Feb 14, 2023
9 changes: 4 additions & 5 deletions enable-tls-between-components.md
Expand Up @@ -8,10 +8,9 @@ aliases: ['/docs/dev/enable-tls-between-components/','/docs/dev/how-to/secure/en

This document describes how to enable encrypted data transmission between components within a TiDB cluster. Once enabled, encrypted transmission is used between the following components:

- TiDB and TiKV; TiDB and PD
- TiKV and PD
- Communication between TiDB, TiKV, PD, and TiFlash
- TiDB Control and TiDB; TiKV Control and TiKV; PD Control and PD
- Internal communication within each TiKV, PD, TiDB cluster
- Internal communication within each TiDB, TiKV, PD, and TiFlash cluster

Currently, it is not supported to only enable encrypted transmission of some specific components.

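Review bot: the new bullet "Communication between TiDB, TiKV, PD, and TiFlash" replaces three explicit pairs (TiDB and TiKV; TiDB and PD; TiKV and PD) with one phrase that reads as every pairwise link among the four components, so it asserts more than the old list did and drops the "X and Y" pair style the remaining bullets still use. Consider keeping the pair form and naming the TiFlash links explicitly, e.g. `- TiDB and TiKV; TiDB and PD; TiDB and TiFlash`, or confirming in the PR that all six pairs are in fact encrypted. The control-tool bullet (TiDB Control, TiKV Control, PD Control) gains no TiFlash entry; if that is intentional it is worth a word, because the line just below says encrypted transmission cannot be enabled for only some components.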
Expand Down Expand Up @@ -209,9 +208,9 @@ To verify component caller's identity, you need to mark the certificate user ide

## Reload certificates

- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiCDC and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.

- If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, and TiCDC components can be automatically rotated without restarting the TiDB cluster.
- If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, TiFlash, and TiCDC components can be automatically rotated without restarting the TiDB cluster.

## Certificate validity

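Review bot: both reload bullets add TiFlash to lists whose mechanism is stated as per new connection, which leaves a caveat the doc should spell out for the added component: a connection TiFlash opened before the files were replaced keeps using the old certificate until it is re-established, so a rotation is only complete once existing connections have been recycled, and an about-to-expire certificate on a long-lived connection is not refreshed by the file swap alone. Since this PR is what makes the sentence true for TiFlash, consider stating the first version in which TiFlash rereads the certificate and key files, otherwise readers on earlier releases will take the bullet as applying to them. The pre-existing phrasing "to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread" dangles; while these lines are being touched it could read "TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificate and key files each time a new connection is created, so certificates and keys are reloaded without restarting the TiDB cluster."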