server: propagate TLS flags to tiflow options (#4083)

[ti-chi-bot]

This is an automated cherry-pick of #4083

What problem does this PR solve?

Issue Number: close #4082

What is changed and how it works?

In old architecture mode, TiCDC delegates to github.com/pingcap/tiflow/pkg/cmd/server but reuses TiCDC's cobra command, so cobra flags are bound to TiCDC's options instead of tiflow's.

tiflow Options.complete() rebuilds ServerConfig.Security from tiflowServer.Options.CaPath/CertPath/KeyPath, so TiCDC must propagate TLS flag values into those fields. Otherwise, when TLS flags are present on the CLI, tiflow sees them as visited but with empty values, overwrites the security config to empty, and fails https PD endpoint validation.

This PR adds a small adapter function to build tiflow server options and explicitly fills CaPath/CertPath/KeyPath/AllowedCertCN.

Check List

Tests

• Unit test (go test ./cmd/cdc/server -run TestBuildTiFlowServerOptionsPropagatesTLSFlags)
• Integration test
• Manual test

Questions

Will it cause performance regression or break compatibility?

No. This only affects old architecture mode's delegation path and only changes how TLS flags are propagated to tiflow options.

Do you need to update user documentation, design documentation or monitoring documentation?

N/A

Release note

Fix TiCDC failing to start in old architecture mode when PD endpoints are https and TLS credentials are provided via CLI flags.

Summary by CodeRabbit

• Chores
  • Centralized TLS configuration propagation for TiFlow server options construction
  • Enhanced consistency in JSON error handling

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tenfyzhong for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello @ti-chi-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical bug in TiCDC's old architecture mode where TLS configuration flags were not correctly passed to the underlying TiFlow server. The fix ensures that when TiCDC connects to HTTPS-enabled PD endpoints and TLS credentials are provided via CLI flags, these security settings are properly recognized and applied by the TiFlow server, preventing startup failures related to secure communication.

Highlights

• TLS Flag Propagation Fix: Addressed an issue where TiCDC, when running in old architecture mode and delegating to tiflow/pkg/cmd/server, failed to correctly propagate TLS CLI flag values to tiflowServer.Options. This caused tiflow to incorrectly interpret TLS flags as empty, leading to ServerConfig.Security being overwritten and HTTPS PD endpoint validation failures.
• New buildTiFlowServerOptions Function: Introduced a new helper function, buildTiFlowServerOptions, to explicitly construct tiflowServer.Options. This function now ensures that CaPath, CertPath, KeyPath, and AllowedCertCN from TiCDC's options are correctly copied to the corresponding fields in tiflowServer.Options.
• Updated Unit Test: Modified an existing unit test, renamed to TestBuildTiFlowServerOptionsPropagatesTLSFlags, to specifically verify that TLS credentials are accurately propagated to both tiflowServer.Options and its embedded ServerConfig.Security.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• cmd/cdc/server/server.go
  • Refactored runTiFlowServer to extract the logic for building tiflowServer.Options into a new function buildTiFlowServerOptions.
  • Ensured that TLS-related fields (CaPath, CertPath, KeyPath, AllowedCertCN) are explicitly populated in tiflowServer.Options from TiCDC's options.
  • Updated error handling for JSON marshaling and unmarshaling to return nil, errors.Trace(err).
• cmd/cdc/server/server_test.go
  • Renamed TestRunTiFlowServerPopulatesSecurityConfig to TestBuildTiFlowServerOptionsPropagatesTLSFlags.
  • Modified the test to directly call buildTiFlowServerOptions and assert the correct propagation of TLS flags to tiflowServer.Options and its ServerConfig.Security.
  • Removed unused imports for encoding/json and tiflowConfig.

Activity

• This pull request is an automated cherry-pick of server: propagate TLS flags to tiflow options #4083.
• The changes address and close issue Old architecture mode: TLS CLI flags lost when delegating to tiflow (follow-up to #3718/#3720) #4082.
• A unit test (go test ./cmd/cdc/server -run TestBuildTiFlowServerOptionsPropagatesTLSFlags) was added/updated to validate the fix.
• A release note was provided, indicating a bugfix for TiCDC failing to start in old architecture mode with HTTPS PD endpoints and CLI TLS flags.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses an issue where TLS flags were not being propagated to tiflow options in the old architecture mode, which could cause failures with HTTPS PD endpoints. The logic has been cleanly refactored into a new buildTiFlowServerOptions function, which improves code organization and testability. The new unit test is comprehensive and validates the fix effectively. I have one suggestion to enhance error handling consistency.

[gemini-code-assist]

For improved error handling and consistency with other parts of the codebase (like pkg/config/server.go), it would be better to use the specific ErrEncodeFailed and ErrDecodeFailed errors from the pkg/errors package. This will provide more context when debugging JSON marshaling or unmarshaling failures.

Suggested change

	cfgData, err := json.Marshal(o.serverConfig)
	if err != nil {
	return errors.Trace(err)
	return nil, errors.Trace(err)
	}
	var oldCfg tiflowConfig.ServerConfig
	err = json.Unmarshal(cfgData, &oldCfg)
	if err != nil {
	return errors.Trace(err)
	return nil, errors.Trace(err)
	}
	cfgData, err := json.Marshal(o.serverConfig)
	if err != nil {
	return nil, errors.ErrEncodeFailed.Wrap(err)
	}
	var oldCfg tiflowConfig.ServerConfig
	err = json.Unmarshal(cfgData, &oldCfg)
	if err != nil {
	return nil, errors.ErrDecodeFailed.GenWithStackByArgs(err)
	}