Redis TLS Origination through the sidecar
Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123 Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination Architecture: K8s app using Redis over TLS only app-1 Namespace ms-1 K8s Pod External DB ms-2 K8s Pod ms-3 K8s Pod TLS only ● App with multiple microservices ● external Redis TLS only ● each microservice traffic Istio TLS Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks
0 points | 9 pages | 457.76 KB | 1 year ago

The Vitess 7.0 Documentation
and authentication scheme used depends on the transport used. With gRPC (the default for Vitess), TLS can be used to secure both internal and external RPCs. We’ll detail what the options are. Caller ID gRPC transport, Vitess can use the usual TLS security features (familiarity with SSL / TLS is necessary here): • Any Vitess server can be configured to use TLS with the following command line parameters: in the provided file. • A Vitess go client can be configured with symmetrical parameters to enable TLS: – ..._grpc_ca: list of server cert signers to trust. – ..._grpc_server_name: name of the server cert
0 points | 254 pages | 949.63 KB | 1 year ago

The Vitess 12.0 Documentation
Securing Vitess Using TLS ... VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client certificates can also be mandated by setting -mysql_server_ssl_ca. If there is no CA specified then TLS is optional. X services and internally uses RPCs. These RPCs can optionally utilize secure transport options to use TLS over the gRPC HTTP/2 transport protocol. This document explains how to use these features. Finally
0 points | 534 pages | 3.32 MB | 1 year ago

The Vitess 8.0 Documentation
services and internally uses RPCs. These RPCs can optionally utilize secure transport options to use TLS over the gRPC HTTP/2 transport protocol. This document explains how to use these features. Finally transport, Vitess can use the usual TLS security features. Please note that familiarity with TLS is necessary here: • Any Vitess server can be configured to use TLS with the following command line parameters: in the provided file. • A Vitess go client can be configured with symmetrical parameters to enable TLS: – xxxx_grpc_ca: list of server cert signers to trust. I.E. the client will only connect to servers
0 points | 331 pages | 1.35 MB | 1 year ago

The Vitess 9.0 Documentation
VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client certificates can also be mandated by setting -mysql_server_ssl_ca. If there is no CA specified then TLS is optional. Temporary services and internally uses RPCs. These RPCs can optionally utilize secure transport options to use TLS over the gRPC HTTP/2 transport protocol. This document explains how to use these features. Finally transport, Vitess can use the usual TLS security features. Please note that familiarity with TLS is necessary here: • Any Vitess server can be configured to use TLS with the following command line parameters:
0 points | 417 pages | 2.96 MB | 1 year ago

The Vitess 11.0 Documentation
VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client certificates can also be mandated by setting -mysql_server_ssl_ca. If there is no CA specified then TLS is optional. Temporary services and internally uses RPCs. These RPCs can optionally utilize secure transport options to use TLS over the gRPC HTTP/2 transport protocol. This document explains how to use these features. Finally transport, Vitess can use the usual TLS security features. Please note that familiarity with TLS is necessary here: • Any Vitess server can be configured to use TLS with the following command line parameters:
0 points | 481 pages | 3.14 MB | 1 year ago

The Vitess 10.0 Documentation
VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client certificates can also be mandated by setting -mysql_server_ssl_ca. If there is no CA specified then TLS is optional. Temporary services and internally uses RPCs. These RPCs can optionally utilize secure transport options to use TLS over the gRPC HTTP/2 transport protocol. This document explains how to use these features. Finally transport, Vitess can use the usual TLS security features. Please note that familiarity with TLS is necessary here: • Any Vitess server can be configured to use TLS with the following command line parameters:
0 points | 455 pages | 3.07 MB | 1 year ago

TiDB Chinese Technical Documentation
Ansible deployment (strongly recommended) Offline Ansible deployment Docker deployment Docker Compose deployment Cross-datacenter deployment Configure the cluster Parameter descriptions TiDB configuration option descriptions Enable TLS authentication Generate self-signed certificates Monitor the cluster Overview of the monitoring framework Key monitoring metrics explained Component status API & monitoring Scaling Cluster scaling Scale using Ansible Upgrade Upgrade component versions TiDB 2.0 upgrade guide Compose deployment Cross-datacenter deployment Configure the cluster Parameter descriptions README - 8 - This document was built with 书栈 (BookStack.CN) TiDB configuration option descriptions Change component configuration using Ansible Enable TLS authentication Generate self-signed certificates Monitor the cluster Overview of the monitoring framework Key monitoring metrics explained Component status API & monitoring Scaling Cluster scaling Scale using Ansible Upgrade Upgrade component versions TiDB 2.0 upgrade guide Enable keepalive at the TCP layer Default: false Path to the SSL certificate file in PEM format Default: “” When this option and the --ssl-key option are both set, TiDB accepts (but does not require) clients connecting securely to TiDB over TLS. If the specified certificate or private key is invalid, TiDB starts as usual but cannot accept secure connections. Path to the SSL certificate key file in PEM format, that is, the private key of the certificate specified by --ssl-cert Default:
0 points | 444 pages | 4.89 MB | 5 months ago

TiDB v7.6 Documentation
14.11.1 Enable TLS between TiDB Clients and Servers ... 14.11.2 Enable TLS Between TiDB Components ... Change type Description TiDB tls-version Modified The default value is “”. The default supported TLS versions of TiDB are changed from TLS1.1 or higher to TLS1.2 or higher. Configuration 2.3.9 Security Security 7.6 7.5 7.1 6.5 6.1 5.4 5.3 5.2 5.1 5.0 4.0 Transparent layer security (TLS) Y Y Y Y Y Y Y Y Y Y Y Encryption at rest (TDE) Y Y Y Y Y Y Y Y Y Y Y Role-based authentication (RBAC)
0 points | 6123 pages | 107.24 MB | 1 year ago

TiDB v8.3 Documentation
8.1.2 Enable TLS between TiDB Clients and Servers ... 8.1.3 Enable TLS Between TiDB Components ... issue that setting the SSL certificate configuration to an empty string in TiFlash incorrectly enables TLS and causes TiFlash to fail to start #9235 @JaySon-Huang • Fix the issue that TiFlash might panic when confusing WARN log when it fails to obtain the keyspace name #54232 @kennytm • Fix the issue that the TLS configuration of TiDB Lightning affects cluster certificates #54172 @ei-sugimoto • Fix the issue that
0 points | 6606 pages | 109.48 MB | 9 months ago
126 results in total