enable-tls-between-components: add TiProxy for cert-manager (#2929)

dveeden · web-flow · commit 2578d40b61ce · 2025-10-21T09:39:55.000Z
diff --git a/en/enable-tls-between-components.md b/en/enable-tls-between-components.md
@@ -1167,6 +1167,68 @@ This section describes how to issue certificates using two methods: `cfssl` and
 
         After the object is created, `cert-manager` generates a `${cluster_name}-ticdc-cluster-secret` Secret object to be used by the TiCDC component of the TiDB server.
 
+    - TiProxy
+
+        ```yaml
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: ${cluster_name}-tiproxy-cluster-secret
+          namespace: ${namespace}
+        spec:
+          secretName: ${cluster_name}-tiproxy-cluster-secret
+          duration: 8760h # 365d
+          renewBefore: 360h # 15d
+          subject:
+            organizations:
+            - PingCAP
+          commonName: "TiDB"
+          usages:
+            - server auth
+            - client auth
+          dnsNames:
+          - "${cluster_name}-tiproxy"
+          - "${cluster_name}-tiproxy.${namespace}"
+          - "${cluster_name}-tiproxy.${namespace}.svc"
+          - "${cluster_name}-tiproxy-peer"
+          - "${cluster_name}-tiproxy-peer.${namespace}"
+          - "${cluster_name}-tiproxy-peer.${namespace}.svc"
+          - "*.${cluster_name}-tiproxy-peer"
+          - "*.${cluster_name}-tiproxy-peer.${namespace}"
+          - "*.${cluster_name}-tiproxy-peer.${namespace}.svc"
+          ipAddresses:
+          - 127.0.0.1
+          - ::1
+          issuerRef:
+            name: ${cluster_name}-tidb-issuer
+            kind: Issuer
+            group: cert-manager.io
+        ```
+
+        `${cluster_name}` is the name of the cluster. Configure the items as follows:
+
+        - Set `spec.secretName` to `${cluster_name}-tiproxy-cluster-secret`.
+        - Add `server auth` and `client auth` in `usages`.
+        - Add the following DNSs in `dnsNames`. You can also add other DNSs according to your needs:
+
+            - `${cluster_name}-tiproxy`
+            - `${cluster_name}-tiproxy.${namespace}`
+            - `${cluster_name}-tiproxy.${namespace}.svc`
+            - `${cluster_name}-tiproxy-peer`
+            - `${cluster_name}-tiproxy-peer.${namespace}`
+            - `${cluster_name}-tiproxy-peer.${namespace}.svc`
+            - `*.${cluster_name}-tiproxy-peer`
+            - `*.${cluster_name}-tiproxy-peer.${namespace}`
+            - `*.${cluster_name}-tiproxy-peer.${namespace}.svc`
+
+        - Add the following 2 IPs in `ipAddresses`. You can also add other IPs according to your needs:
+            - `127.0.0.1`
+            - `::1`        
+        - Add the Issuer created above in `issuerRef`.
+        - For other attributes, refer to [cert-manager API](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
+
+      After the object is created, `cert-manager` generates a `${cluster_name}-tiproxy-cluster-secret` Secret object to be used by the TiProxy component of the TiDB server.
+
     - TiFlash
 
         ```yaml
diff --git a/zh/enable-tls-between-components.md b/zh/enable-tls-between-components.md
@@ -1158,6 +1158,68 @@ aliases: ['/docs-cn/tidb-in-kubernetes/dev/enable-tls-between-components/']
 
         创建这个对象以后，`cert-manager` 会生成一个名字为 `${cluster_name}-ticdc-cluster-secret` 的 Secret 对象供 TiDB 集群的 TiCDC 组件使用。
 
+    - TiProxy 组件的 Server 端证书。
+
+        ```yaml
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: ${cluster_name}-tiproxy-cluster-secret
+          namespace: ${namespace}
+        spec:
+          secretName: ${cluster_name}-tiproxy-cluster-secret
+          duration: 8760h # 365d
+          renewBefore: 360h # 15d
+          subject:
+            organizations:
+            - PingCAP
+          commonName: "TiDB"
+          usages:
+            - server auth
+            - client auth
+          dnsNames:
+          - "${cluster_name}-tiproxy"
+          - "${cluster_name}-tiproxy.${namespace}"
+          - "${cluster_name}-tiproxy.${namespace}.svc"
+          - "${cluster_name}-tiproxy-peer"
+          - "${cluster_name}-tiproxy-peer.${namespace}"
+          - "${cluster_name}-tiproxy-peer.${namespace}.svc"
+          - "*.${cluster_name}-tiproxy-peer"
+          - "*.${cluster_name}-tiproxy-peer.${namespace}"
+          - "*.${cluster_name}-tiproxy-peer.${namespace}.svc"
+          ipAddresses:
+          - 127.0.0.1
+          - ::1
+          issuerRef:
+            name: ${cluster_name}-tidb-issuer
+            kind: Issuer
+            group: cert-manager.io
+        ```
+
+        其中 `${cluster_name}` 为集群的名字：
+
+        - `spec.secretName` 请设置为 `${cluster_name}-tiproxy-cluster-secret`；
+        - `usages` 请添加上 `server auth` 和 `client auth`；
+        - `dnsNames` 需要填写这些 DNS，根据需要可以填写其他 DNS：
+
+            - `${cluster_name}-tiproxy`
+            - `${cluster_name}-tiproxy.${namespace}`
+            - `${cluster_name}-tiproxy.${namespace}.svc`
+            - `${cluster_name}-tiproxy-peer`
+            - `${cluster_name}-tiproxy-peer.${namespace}`
+            - `${cluster_name}-tiproxy-peer.${namespace}.svc`
+            - `*.${cluster_name}-tiproxy-peer`
+            - `*.${cluster_name}-tiproxy-peer.${namespace}`
+            - `*.${cluster_name}-tiproxy-peer.${namespace}.svc`
+        
+        - `ipAddresses` 需要填写这两个 IP，根据需要可以填写其他 IP：
+            - `127.0.0.1`
+            - `::1`
+        - `issuerRef` 请填写上面创建的 Issuer；
+        - 其他属性请参考 [cert-manager API](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec)。
+
+      创建这个对象以后，`cert-manager` 会生成一个名字为 `${cluster_name}-tiproxy-cluster-secret` 的 Secret 对象供 TiDB 集群的 TiProxy 组件使用。
+
     - TiFlash 组件的 Server 端证书。
 
         ```yaml
