pingcap
sync_diff_inspector: Use TLS by default
What problem does this PR solve?
Issue Number: close #12269
What is changed and how it works?
This PR makes it:
- Use TLS if available. With fallback to non-TLS if it is not available.
- This will not do CA validation as there is no CA configured.
- This results that without TLS config
sync-diff-inspectorcan connect to non-TLS servers and servers that use TLS, includingrequire_secure_transport=ON.
It is still recommended to configure a CA certificate and if needed a client certificate and key as the CA certificate can prevent against MitM attacks.
Alternatives
- We could add an option like
security.tlsmodewith values likedisabled/required/preferred/validate_ca/validate_identitythat follows the similarly named options in the MySQL Client. - We could make an option that turns on TLS without fallback to non-TLS, but without the CA validation.
For the unittest
- Fixed the order of the actual and expected output for the lines that I touched
- Using predictive uuids
Check List
Tests
- Manual test (add detailed scripts or steps below)
Questions
Will it cause performance regression or break compatibility?
Do you need to update user documentation, design documentation or monitoring documentation?
Release note
`sync_diff_inspector` now uses TLS when it is available
@dveeden: GitHub didn't allow me to request PR reviews from the following users: joechenrh.
Note that only pingcap members and repo collaborators can review this PR, and authors cannot review their own PRs.
In response to this:
/cc @joechenrh
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![ti-chi-bot[bot] avatar](https://avatars.githubusercontent.com/in/214286?v=4 "Published by a pub.dev verified publisher"){kind=small}
From the pull-syncdiff-integration-test:
An error occurred while initializing diff: tls: server selected unsupported protocol version 302, please check log info in /tmp/sync_diff_inspector_test/sync_diff_inspector/output/sync_diff.log for full details
Note that TLS version 302 is also known asl TLSv1.1.
See also https://go.dev/src/crypto/tls/common.go
VersionTLS10 = 0x0301
VersionTLS11 = 0x0302
VersionTLS12 = 0x0303
VersionTLS13 = 0x0304
And also in crypto/tls:
// MinVersion contains the minimum TLS version that is acceptable.
//
// By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
// minimum supported by this package.
//
// The server-side default can be reverted to TLS 1.0 by including the value
// "tls10server=1" in the GODEBUG environment variable.
MinVersion uint16
So I think this test might be using a old and EOL version of MySQL and/or be misconfigured.
However failures against servers with TLSv1.1 and older is something we should at least mention in the release notes.
[LGTM Timeline notifier]
Timeline:
2025-07-30 02:30:24.844797934 +0000 UTC m=+58437.530068170: :ballot_box_with_check: agreed by Leavrth.
@lance6716: GitHub didn't allow me to request PR reviews from the following users: joechenrh.
Note that only pingcap members and repo collaborators can review this PR, and authors cannot review their own PRs.
In response to this:
/cc @joechenrh
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
I can't approve 😂 /cc @kennytm
Sorry just remind you to review the code because I remember you have more recent experience than us in sync-diff. Seem CI is broken due to TLS version @dveeden
I can't approve 😂 /cc @kennytm
Sorry just remind you to review the code because I remember you have more recent experience than us in sync-diff. Seem CI is broken due to TLS version @dveeden
See also https://github.com/pingcap/tiflow/pull/12268#issuecomment-3133949130
I think CI was upgraded from a vintage 5.7 MySQL to MySQL 8.0.4x. That should solve this issue.
@joechenrh: adding LGTM is restricted to approvers and reviewers in OWNERS files.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: joechenrh, Leavrth
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [Leavrth]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
4 tests failed, seems legit.
An error occurred while initializing diff: tls: server selected unsupported protocol version 302, please check log info in /tmp/sync_diff_inspector_test/sync_diff_inspector/output/sync_diff.log for full details
@dveeden: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-syncdiff-integration-test | 6bbcba1a483674362dc7556b68419fad44fdf379 | link | true | /test pull-syncdiff-integration-test |
| pull-cdc-integration-pulsar-test | 6bbcba1a483674362dc7556b68419fad44fdf379 | link | true | /test pull-cdc-integration-pulsar-test |
| pull-dm-integration-test | 6bbcba1a483674362dc7556b68419fad44fdf379 | link | true | /test pull-dm-integration-test |
| pull-cdc-integration-storage-test | 6bbcba1a483674362dc7556b68419fad44fdf379 | link | true | /test pull-cdc-integration-storage-test |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.