Feat: add tiproxy controllers (#6214)

Author: fgksgf

.gitignore

@@ -3,3 +3,5 @@ output
 .idea/
 coverage.txt
 .vscode/
+.cursorignore
+.DS_Store

.golangci.yml

@@ -42,7 +42,7 @@ linters:
     paths:
       - ".*/br/.*/_test.go"
       - ".*/br/.*/testutils/.*"
-      - "tests/e2e/br/.*"
+      - "tests/e2e/.*"
       - "third_party/.*"
   settings:
     dupl:

api/core/v1alpha1/common_types.go

@@ -271,7 +271,7 @@ const (
 )
 
 type SchedulePolicyEvenlySpread struct {
-	// All instances of a group will evenly spread in differnet topologies
+	// All instances of a group will evenly spread in different topologies
 	Topologies []ScheduleTopology `json:"topologies"`
 }
 

api/core/v1alpha1/names.go

@@ -38,6 +38,12 @@ const (
 	VolumeNameClusterClientTLS = meta.NamePrefix + "cluster-client-tls"
 	// VolumeNameMySQLTLS is the volume name for the TLS secret used by TLS communication between TiDB server and MySQL client.
 	VolumeNameMySQLTLS = meta.NamePrefix + "tidb-sql-tls"
+	// VolumeNameTiProxyMySQLTLS is the volume name for the TLS secret used by TLS communication between TiProxy and MySQL client.
+	VolumeNameTiProxyMySQLTLS = meta.NamePrefix + "tiproxy-sql-tls"
+	// VolumeNameTiProxyHTTPTLS is the volume name for the TLS secret used by TLS communication between TiProxy HTTP server and HTTP client.
+	VolumeNameTiProxyHTTPTLS = meta.NamePrefix + "tiproxy-http-tls"
+	// VolumeNameTiProxyTiDBTLS is the volume name for the TLS secret used by TLS communication between TiProxy and TiDB server.
+	VolumeNameTiProxyTiDBTLS = meta.NamePrefix + "tiproxy-tidb-tls"
 )
 
 // All container names
@@ -51,6 +57,7 @@ const (
 	ContainerNameTiCDC     = "ticdc"
 	ContainerNameTSO       = "tso"
 	ContainerNameScheduler = "scheduler"
+	ContainerNameTiProxy   = "tiproxy"
 
 	// An init container to copy pre stop checker cmd to main container
 	ContainerNamePrestopChecker = meta.NamePrefix + "prestop-checker"
@@ -78,6 +85,7 @@ const (
 	DirPathConfigTiCDC     = "/etc/ticdc"
 	DirPathConfigTSO       = "/etc/tso"
 	DirPathConfigScheduler = "/etc/scheduler"
+	DirPathConfigTiProxy   = "/etc/tiproxy"
 
 	// DirPathPrestop defines dir path of pre stop checker cmd
 	DirPathPrestop = "/prestop"
@@ -99,8 +107,15 @@ const (
 	DirPathClusterTLSTiCDC     = "/var/lib/ticdc-tls"
 	DirPathClusterTLSTSO       = "/var/lib/tso-tls"
 	DirPathClusterTLSScheduler = "/var/lib/scheduler-tls"
-	// Dir path of tls file for tidb and mysql client
+	DirPathClusterTLSTiProxy   = "/var/lib/tiproxy-tls"
+	// DirPathMySQLTLS is the dir path of tls file for tidb and mysql client
 	DirPathMySQLTLS = "/var/lib/tidb-sql-tls"
+	// DirPathTiProxyMySQLTLS is the dir path of tls file for tiproxy and mysql client
+	DirPathTiProxyMySQLTLS = "/var/lib/tiproxy-sql-tls"
+	// DirPathTiProxyHTTPTLS is the dir path of tls file for tiproxy http server
+	DirPathTiProxyHTTPTLS = "/var/lib/tiproxy-http-tls"
+	// DirPathTiProxyTiDBTLS is the dir path of tls file for tiproxy and tidb
+	DirPathTiProxyTiDBTLS = "/var/lib/tiproxy-tidb-tls"
 )
 
 // All file names

api/core/v1alpha1/tiproxy_types.go

@@ -19,10 +19,18 @@ import (
 )
 
 const (
-	TiProxyPortNameClient    = "mysql-client"
-	TiProxyPortNameStatus    = "status"
+	TiProxyPortNameClient = "mysql-client"
+	TiProxyPortNameAPI    = "api"
+	TiProxyPortNamePeer   = "peer"
+
 	DefaultTiProxyPortClient = 6000
-	DefaultTiProxyPortStatus = 3080
+	DefaultTiProxyPortAPI    = 3080
+	DefaultTiProxyPortPeer   = 3081
+)
+
+const (
+	TiProxyGroupCondAvailable   = "Available"
+	TiProxyGroupAvailableReason = "TiProxyGroupAvailable"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -142,8 +150,6 @@ type TiProxyTemplateSpec struct {
 type TiProxyPreStop struct {
 	// SleepSeconds is the seconds to sleep before sending the SIGTERM to the TiProxy container.
 	// It's useful to achieve a graceful shutdown of the TiProxy container.
-	// Operator will calculate the TiProxy pod's `terminationGracePeriod` based on this field:
-	// `terminationGracePeriod` = `preStopHookSleepSeconds` + 15(gracefulCloseConnectionsTimeout) + 5(buffer)
 	// Default is 10 seconds.
 	SleepSeconds int32 `json:"sleepSeconds,omitempty"`
 }
@@ -156,13 +162,22 @@ type TiProxySecurity struct {
 type TiProxyServer struct {
 	// Port defines all ports listened by TiProxy.
 	Ports TiProxyPorts `json:"ports,omitempty"`
+
+	// Labels defines the server labels of the TiProxy.
+	// TiDB Operator will ignore `labels` in TiProxy's config file and use this field instead.
+	// Note these label keys are managed by TiDB Operator, it will be set automatically and you can not modify them:
+	//  - zone
+	// +kubebuilder:validation:XValidation:rule="!('zone' in self)",message="labels cannot contain 'zone', it's managed by TiDB Operator"
+	Labels map[string]string `json:"labels,omitempty"`
 }
 
 type TiProxyPorts struct {
 	// Client defines port for TiProxy's SQL service.
 	Client *Port `json:"client,omitempty"`
-	// Status defines port for TiProxy status API.
-	Status *Port `json:"status,omitempty"`
+	// API defines port for TiProxy API service.
+	API *Port `json:"api,omitempty"`
+	// Peer defines port for TiProxy's peer service.
+	Peer *Port `json:"peer,omitempty"`
 }
 
 type TiProxyProbes struct {
@@ -173,29 +188,27 @@ type TiProxyProbes struct {
 
 type TiProxyProb struct {
 	// "tcp" will use TCP socket to connect component port.
-	// "command" will probe the status api of TiProxy.
+	// "command" will probe the HTTP API of TiProxy.
 	// +kubebuilder:validation:Enum=tcp;command
 	Type *string `json:"type,omitempty"`
 }
 
 type TiProxyTLS struct {
-	// When enabled, TiProxy will accept TLS encrypted connections from MySQL clients.
+	// MySQL defines the TLS configuration for connections between TiProxy and MySQL clients.
 	// The steps to enable this feature:
-	//   1. Generate a TiProxy server-side certificate and a client-side certificate for the TiProxy cluster.
+	//   1. Generate a TiProxy server-side certificate for the TiProxy cluster.
 	//      There are multiple ways to generate certificates:
 	//        - user-provided certificates: https://docs.pingcap.com/TiProxy/stable/generate-self-signed-certificates
 	//        - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
 	//        - or use cert-manager signed certificates: https://cert-manager.io/
 	//   2. Create a K8s Secret object which contains the TiProxy server-side certificate created above.
 	//      The name of this Secret must be: <groupName>-tiproxy-server-secret.
 	//        kubectl create secret generic <groupName>-tiproxy-server-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-	//   3. Create a K8s Secret object which contains the TiProxy client-side certificate created above which will be used by TiProxy Operator.
-	//      The name of this Secret must be: <groupName>-tiproxy-client-secret.
-	//        kubectl create secret generic <groupName>-tiproxy-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-	//   4. Set Enabled to `true`.
+	//   3. Set Enabled to `true`.
 	MySQL *TLS `json:"mysql,omitempty"`
 
-	// Backend defines the TLS configuration for connections between TiProxy and TiDB.
+	// Backend defines the TLS configuration for connections between TiProxy and TiDB servers.
+	// To enable this feature, the corresponding TiDB server must be configured with TLS enabled.
 	Backend *TLS `json:"backend,omitempty"`
 }
 
@@ -209,13 +222,13 @@ type TiProxySpec struct {
 	Cluster ClusterReference `json:"cluster"`
 
 	// Topology defines the topology domain of this TiProxy instance.
-	// It will be translated into a node affnity config.
+	// It will be translated into a node affinity config.
 	// Topology cannot be changed.
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="topology is immutable"
 	Topology Topology `json:"topology,omitempty"`
 
-	// Subdomain means the subdomain of the exported pd dns.
-	// A same pd cluster will use a same subdomain
+	// Subdomain means the subdomain of the exported tiproxy dns.
+	// A same tiproxy cluster will use a same subdomain
 	Subdomain string `json:"subdomain"`
 
 	// TiProxyTemplateSpec embeded some fields managed by TiProxyGroup.

api/core/v1alpha1/zz_generated.deepcopy.go

@@ -106,7 +106,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_pdgroups.yaml

@@ -98,7 +98,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_schedulergroups.yaml

@@ -95,7 +95,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_ticdcgroups.yaml

@@ -98,7 +98,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_tidbgroups.yaml

@@ -97,7 +97,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_tiflashgroups.yaml

@@ -98,7 +98,7 @@ spec:
                       properties:
                         topologies:
                           description: All instances of a group will evenly spread
-                            in differnet topologies
+                            in different topologies
                           items:
                             properties:
                               topology:

manifests/crd/core.pingcap.com_tikvgroups.yaml

@@ -8360,8 +8360,6 @@ spec:
                     description: |-
                       SleepSeconds is the seconds to sleep before sending the SIGTERM to the TiProxy container.
                       It's useful to achieve a graceful shutdown of the TiProxy container.
-                      Operator will calculate the TiProxy pod's `terminationGracePeriod` based on this field:
-                      `terminationGracePeriod` = `preStopHookSleepSeconds` + 15(gracefulCloseConnectionsTimeout) + 5(buffer)
                       Default is 10 seconds.
                     format: int32
                     type: integer
@@ -8377,7 +8375,7 @@ spec:
                       type:
                         description: |-
                           "tcp" will use TCP socket to connect component port.
-                          "command" will probe the status api of TiProxy.
+                          "command" will probe the HTTP API of TiProxy.
                         enum:
                         - tcp
                         - command
@@ -8406,28 +8404,26 @@ spec:
                     description: Whether enable the TLS connection.
                     properties:
                       backend:
-                        description: Backend defines the TLS configuration for connections
-                          between TiProxy and TiDB.
+                        description: |-
+                          Backend defines the TLS configuration for connections between TiProxy and TiDB servers.
+                          To enable this feature, the corresponding TiDB server must be configured with TLS enabled.
                         properties:
                           enabled:
                             type: boolean
                         type: object
                       mysql:
                         description: |-
-                          When enabled, TiProxy will accept TLS encrypted connections from MySQL clients.
+                          MySQL defines the TLS configuration for connections between TiProxy and MySQL clients.
                           The steps to enable this feature:
-                            1. Generate a TiProxy server-side certificate and a client-side certificate for the TiProxy cluster.
+                            1. Generate a TiProxy server-side certificate for the TiProxy cluster.
                                There are multiple ways to generate certificates:
                                  - user-provided certificates: https://docs.pingcap.com/TiProxy/stable/generate-self-signed-certificates
                                  - use the K8s built-in certificate signing system signed certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
                                  - or use cert-manager signed certificates: https://cert-manager.io/
                             2. Create a K8s Secret object which contains the TiProxy server-side certificate created above.
                                The name of this Secret must be: <groupName>-tiproxy-server-secret.
                                  kubectl create secret generic <groupName>-tiproxy-server-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-                            3. Create a K8s Secret object which contains the TiProxy client-side certificate created above which will be used by TiProxy Operator.
-                               The name of this Secret must be: <groupName>-tiproxy-client-secret.
-                                 kubectl create secret generic <groupName>-tiproxy-client-secret --namespace=<namespace> --from-file=tls.crt=<path/to/tls.crt> --from-file=tls.key=<path/to/tls.key> --from-file=ca.crt=<path/to/ca.crt>
-                            4. Set Enabled to `true`.
+                            3. Set Enabled to `true`.
                         properties:
                           enabled:
                             type: boolean
@@ -8437,9 +8433,31 @@ spec:
               server:
                 description: Server defines the server configuration of TiProxy.
                 properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      Labels defines the server labels of the TiProxy.
+                      TiDB Operator will ignore `labels` in TiProxy's config file and use this field instead.
+                      Note these label keys are managed by TiDB Operator, it will be set automatically and you can not modify them:
+                       - zone
+                    type: object
+                    x-kubernetes-validations:
+                    - message: labels cannot contain 'zone', it's managed by TiDB
+                        Operator
+                      rule: '!(''zone'' in self)'
                   ports:
                     description: Port defines all ports listened by TiProxy.
                     properties:
+                      api:
+                        description: API defines port for TiProxy API service.
+                        properties:
+                          port:
+                            format: int32
+                            type: integer
+                        required:
+                        - port
+                        type: object
                       client:
                         description: Client defines port for TiProxy's SQL service.
                         properties:
@@ -8449,8 +8467,8 @@ spec:
                         required:
                         - port
                         type: object
-                      status:
-                        description: Status defines port for TiProxy status API.
+                      peer:
+                        description: Peer defines port for TiProxy's peer service.
                         properties:
                           port:
                             format: int32
@@ -8462,15 +8480,15 @@ spec:
                 type: object
               subdomain:
                 description: |-
-                  Subdomain means the subdomain of the exported pd dns.
-                  A same pd cluster will use a same subdomain
+                  Subdomain means the subdomain of the exported tiproxy dns.
+                  A same tiproxy cluster will use a same subdomain
                 type: string
               topology:
                 additionalProperties:
                   type: string
                 description: |-
                   Topology defines the topology domain of this TiProxy instance.
-                  It will be translated into a node affnity config.
+                  It will be translated into a node affinity config.
                   Topology cannot be changed.
                 minProperties: 1
                 type: object