tiproxy: fix http tls when only tls cluster is enabled (#5555)

Signed-off-by: xhe <xw897002528@gmail.com>
pingcap · Feb 26, 2024 · a002cb1 · a002cb1
1 parent 521a829
commit a002cb1
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/pkg/manager/member/tiproxy_member_manager.go b/pkg/manager/member/tiproxy_member_manager.go
@@ -125,24 +125,21 @@ func (m *tiproxyMemberManager) syncConfigMap(tc *v1alpha1.TidbCluster, set *apps
 		cfgWrapper.Set("proxy.require-backend-tls", false)
 	}
 
-	if tc.IsTLSClusterEnabled() {
+	tlsCluster := tc.IsTLSClusterEnabled()
+	tlsTiDB := tc.Spec.TiDB != nil && tc.Spec.TiDB.IsTLSClientEnabled()
+	if tlsCluster {
 		cfgWrapper.Set("security.cluster-tls.ca", path.Join(util.ClusterClientTLSPath, "ca.crt"))
 		cfgWrapper.Set("security.cluster-tls.key", path.Join(util.ClusterClientTLSPath, "tls.key"))
 		cfgWrapper.Set("security.cluster-tls.cert", path.Join(util.ClusterClientTLSPath, "tls.crt"))
 	}
-	if tc.Spec.TiDB != nil && tc.Spec.TiDB.IsTLSClientEnabled() {
+	if tlsTiDB {
 		cfgWrapper.Set("security.server-tls.ca", path.Join(tiproxyServerPath, "ca.crt"))
 		cfgWrapper.Set("security.server-tls.key", path.Join(tiproxyServerPath, "tls.key"))
 		cfgWrapper.Set("security.server-tls.cert", path.Join(tiproxyServerPath, "tls.crt"))
 		if cfgWrapper.Get("security.server-tls.skip-ca") == nil {
 			cfgWrapper.Set("security.server-tls.skip-ca", true)
 		}
 
-		cfgWrapper.Set("security.server-http-tls.ca", path.Join(tiproxyServerPath, "ca.crt"))
-		cfgWrapper.Set("security.server-http-tls.key", path.Join(tiproxyServerPath, "tls.key"))
-		cfgWrapper.Set("security.server-http-tls.cert", path.Join(tiproxyServerPath, "tls.crt"))
-		cfgWrapper.Set("security.server-http-tls.skip-ca", true)
-
 		if tc.Spec.TiProxy.SSLEnableTiDB || !tc.SkipTLSWhenConnectTiDB() {
 			if cfgWrapper.Get("security.sql-tls.skip-ca") == nil && tc.Spec.TiDB.TLSClient.SkipInternalClientCA {
 				cfgWrapper.Set("security.sql-tls.skip-ca", true)
@@ -155,6 +152,14 @@ func (m *tiproxyMemberManager) syncConfigMap(tc *v1alpha1.TidbCluster, set *apps
 			}
 		}
 	}
+	// TODO: this should only be set on `tlsCluster`. `tlsTiDB` check is for backward compatibility.
+	// and it should be removed in the future.
+	if tlsCluster || tlsTiDB {
+		cfgWrapper.Set("security.server-http-tls.ca", path.Join(tiproxyServerPath, "ca.crt"))
+		cfgWrapper.Set("security.server-http-tls.key", path.Join(tiproxyServerPath, "tls.key"))
+		cfgWrapper.Set("security.server-http-tls.cert", path.Join(tiproxyServerPath, "tls.crt"))
+		cfgWrapper.Set("security.server-http-tls.skip-ca", true)
+	}
 
 	cfgBytes, err := cfgWrapper.MarshalTOML()
 	if err != nil {