Merge branch 'master' into config-tool

OWNERS_ALIASES

@@ -1,6 +1,6 @@
 # Sort the member alphabetically.
 aliases:
   sig-critical-approvers-config:
-    - easonn7
-    - kevin-xianliu
+    - BenMeadowcroft
     - niubell
+    - yudongusa

client/resource_group/controller/controller.go

@@ -249,16 +249,13 @@ func (c *ResourceGroupsController) Start(ctx context.Context) {
 		defer emergencyTokenAcquisitionTicker.Stop()
 
 		failpoint.Inject("fastCleanup", func() {
-			cleanupTicker.Stop()
-			cleanupTicker = time.NewTicker(100 * time.Millisecond)
+			cleanupTicker.Reset(100 * time.Millisecond)
 			// because of checking `gc.run.consumption` in cleanupTicker,
 			// so should also change the stateUpdateTicker.
-			stateUpdateTicker.Stop()
-			stateUpdateTicker = time.NewTicker(200 * time.Millisecond)
+			stateUpdateTicker.Reset(200 * time.Millisecond)
 		})
 		failpoint.Inject("acceleratedReportingPeriod", func() {
-			stateUpdateTicker.Stop()
-			stateUpdateTicker = time.NewTicker(time.Millisecond * 100)
+			stateUpdateTicker.Reset(time.Millisecond * 100)
 		})
 
 		_, metaRevision, err := c.provider.LoadResourceGroups(ctx)

client/tlsutil/tlsconfig.go

@@ -43,45 +43,45 @@ import (
 	"github.com/tikv/pd/client/errs"
 )
 
-// TLSInfo stores tls configuration to connect to etcd.
-type TLSInfo struct {
-	CertFile           string
-	KeyFile            string
-	TrustedCAFile      string
-	InsecureSkipVerify bool
+// tlsInfo stores tls configuration to connect to etcd.
+type tlsInfo struct {
+	certFile           string
+	keyFile            string
+	trustedCAFile      string
+	insecureSkipVerify bool
 
-	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
-	ServerName string
+	// serverName ensures the cert matches the given host in case of discovery / virtual hosting
+	serverName string
 
-	// CipherSuites is a list of supported cipher suites.
+	// cipherSuites is a list of supported cipher suites.
 	// If empty, Go auto-populates it by default.
 	// Note that cipher suites are prioritized in the given order.
-	CipherSuites []uint16
+	cipherSuites []uint16
 
 	selfCert bool
 
 	// parseFunc exists to simplify testing. Typically, parseFunc
 	// should be left nil. In that case, tls.X509KeyPair will be used.
 	parseFunc func([]byte, []byte) (tls.Certificate, error)
 
-	// AllowedCN is a CN which must be provided by a client.
-	AllowedCN string
+	// allowedCNs is a list of CNs which must be provided by a client.
+	allowedCNs []string
 }
 
-// ClientConfig generates a tls.Config object for use by an HTTP client.
-func (info TLSInfo) ClientConfig() (*tls.Config, error) {
+// clientConfig generates a tls.Config object for use by an HTTP client.
+func (info tlsInfo) clientConfig() (*tls.Config, error) {
 	var cfg *tls.Config
 	var err error
 
-	if !info.Empty() {
+	if !info.empty() {
 		cfg, err = info.baseConfig()
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		cfg = &tls.Config{ServerName: info.ServerName}
+		cfg = &tls.Config{ServerName: info.serverName}
 	}
-	cfg.InsecureSkipVerify = info.InsecureSkipVerify
+	cfg.InsecureSkipVerify = info.insecureSkipVerify
 
 	CAFiles := info.cafiles()
 	if len(CAFiles) > 0 {
@@ -97,36 +97,38 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 	return cfg, nil
 }
 
-// Empty returns if the TLSInfo is unset.
-func (info TLSInfo) Empty() bool {
-	return info.CertFile == "" && info.KeyFile == ""
+// empty returns if the TLSInfo is unset.
+func (info tlsInfo) empty() bool {
+	return info.certFile == "" && info.keyFile == ""
 }
 
-func (info TLSInfo) baseConfig() (*tls.Config, error) {
-	if info.KeyFile == "" || info.CertFile == "" {
-		return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
+func (info tlsInfo) baseConfig() (*tls.Config, error) {
+	if info.keyFile == "" || info.certFile == "" {
+		return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.keyFile, info.certFile)
 	}
 
-	_, err := NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	_, err := NewCert(info.certFile, info.keyFile, info.parseFunc)
 	if err != nil {
 		return nil, err
 	}
 
 	cfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
-		ServerName: info.ServerName,
+		ServerName: info.serverName,
 	}
 
-	if len(info.CipherSuites) > 0 {
-		cfg.CipherSuites = info.CipherSuites
+	if len(info.cipherSuites) > 0 {
+		cfg.CipherSuites = info.cipherSuites
 	}
 
-	if info.AllowedCN != "" {
+	if len(info.allowedCNs) > 0 {
 		cfg.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
 			for _, chains := range verifiedChains {
 				if len(chains) != 0 {
-					if info.AllowedCN == chains[0].Subject.CommonName {
-						return nil
+					for _, allowedCN := range info.allowedCNs {
+						if allowedCN == chains[0].Subject.CommonName {
+							return nil
+						}
 					}
 				}
 			}
@@ -137,19 +139,19 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 	// this only reloads certs when there's a client request
 	// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
 	cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-		return NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+		return NewCert(info.certFile, info.keyFile, info.parseFunc)
 	}
 	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
-		return NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+		return NewCert(info.certFile, info.keyFile, info.parseFunc)
 	}
 	return cfg, nil
 }
 
 // cafiles returns a list of CA file paths.
-func (info TLSInfo) cafiles() []string {
+func (info tlsInfo) cafiles() []string {
 	cs := make([]string, 0)
-	if info.TrustedCAFile != "" {
-		cs = append(cs, info.TrustedCAFile)
+	if info.trustedCAFile != "" {
+		cs = append(cs, info.trustedCAFile)
 	}
 	return cs
 }
@@ -162,8 +164,8 @@ type TLSConfig struct {
 	CertPath string `toml:"cert-path" json:"cert-path"`
 	// KeyPath is the path of file that contains X509 key in PEM format.
 	KeyPath string `toml:"key-path" json:"key-path"`
-	// CertAllowedCN is a CN which must be provided by a client
-	CertAllowedCN []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`
+	// CertAllowedCNs is the list of CN which must be provided by a client
+	CertAllowedCNs []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`
 
 	SSLCABytes   []byte
 	SSLCertBytes []byte
@@ -194,33 +196,17 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
 	if len(s.CertPath) == 0 && len(s.KeyPath) == 0 {
 		return nil, nil
 	}
-	allowedCN, err := s.GetOneAllowedCN()
-	if err != nil {
-		return nil, err
-	}
 
-	tlsInfo := TLSInfo{
-		CertFile:      s.CertPath,
-		KeyFile:       s.KeyPath,
-		TrustedCAFile: s.CAPath,
-		AllowedCN:     allowedCN,
+	tlsInfo := tlsInfo{
+		certFile:      s.CertPath,
+		keyFile:       s.KeyPath,
+		trustedCAFile: s.CAPath,
+		allowedCNs:    s.CertAllowedCNs,
 	}
 
-	tlsConfig, err := tlsInfo.ClientConfig()
+	tlsConfig, err := tlsInfo.clientConfig()
 	if err != nil {
 		return nil, errs.ErrEtcdTLSConfig.Wrap(err).GenWithStackByCause()
 	}
 	return tlsConfig, nil
 }
-
-// GetOneAllowedCN only gets the first one CN.
-func (s TLSConfig) GetOneAllowedCN() (string, error) {
-	switch len(s.CertAllowedCN) {
-	case 1:
-		return s.CertAllowedCN[0], nil
-	case 0:
-		return "", nil
-	default:
-		return "", errs.ErrSecurityConfig.FastGenByArgs("only supports one CN")
-	}
-}

conf/config.toml

@@ -204,6 +204,9 @@
 ## When enabled, usage data will be sent to PingCAP for improving user experience.
 # enable-telemetry = false
 
+## When enabled, configuring a custom prometheus address through Dashboard will not be allowed.
+# disable-custom-prom-addr = false
+
 [keyspace]
 ## pre-alloc is used to pre-allocate keyspaces during pd bootstrap.
 ## Its value should be a list of strings, denoting the name of the keyspaces.

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/coreos/go-semver v0.3.1
 	github.com/docker/go-units v0.4.0
 	github.com/elliotchance/pie/v2 v2.1.0
-	github.com/gin-contrib/cors v1.4.0
+	github.com/gin-contrib/cors v1.6.0
 	github.com/gin-contrib/gzip v0.0.1
 	github.com/gin-contrib/pprof v1.4.0
 	github.com/gin-gonic/gin v1.9.1
@@ -37,7 +37,7 @@ require (
 	github.com/pingcap/kvproto v0.0.0-20240716095229-5f7ffec83ea7
 	github.com/pingcap/log v1.1.1-0.20221110025148-ca232912c9f3
 	github.com/pingcap/sysutil v1.0.1-0.20230407040306-fb007c5aff21
-	github.com/pingcap/tidb-dashboard v0.0.0-20240815045040-4d89bc193a0c
+	github.com/pingcap/tidb-dashboard v0.0.0-20240830080600-3d0c3db0d55c
 	github.com/prometheus/client_golang v1.19.0
 	github.com/prometheus/common v0.51.1
 	github.com/sasha-s/go-deadlock v0.2.0
@@ -85,10 +85,11 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bitly/go-simplejson v0.5.0 // indirect
 	github.com/breeswish/gin-jwt/v2 v2.6.4-jwt-patch // indirect
-	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/bytedance/sonic v1.11.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
+	github.com/chenzhuoyu/iasm v0.9.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -97,7 +98,7 @@ require (
 	github.com/fatih/color v1.10.0 // indirect
 	github.com/fogleman/gg v1.3.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
@@ -109,7 +110,7 @@ require (
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/go-playground/validator/v10 v10.19.0 // indirect
 	github.com/go-resty/resty/v2 v2.6.0 // indirect
 	github.com/go-sql-driver/mysql v1.7.0 // indirect
 	github.com/goccy/go-graphviz v0.1.3 // indirect
@@ -135,18 +136,18 @@ require (
 	github.com/joomcode/errorx v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20230326075908-cb1d2100619a // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.15 // indirect
 	github.com/minio/sio v0.3.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/oleiade/reflections v1.0.1 // indirect
 	github.com/onsi/gomega v1.20.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/petermattis/goid v0.0.0-20211229010228-4d14c490ee36 // indirect
 	github.com/pingcap/tipb v0.0.0-20220718022156-3e2483c20a9e // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -168,7 +169,7 @@ require (
 	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.11 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/urfave/cli/v2 v2.3.0 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
@@ -190,7 +191,7 @@ require (
 	go.uber.org/dig v1.9.0 // indirect
 	go.uber.org/fx v1.12.0 // indirect
 	go.uber.org/multierr v1.11.0
-	golang.org/x/arch v0.3.0 // indirect
+	golang.org/x/arch v0.7.0 // indirect
 	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect