TiDBTLSClient

(Appears on: TiDBAccessConfig, TiDBSpec)

TiDBTLSClient enables TLS connections between the TiDB server and MySQL clients.

Field | Description
enabled
bool
(Optional)

When enabled, TiDB will accept TLS encrypted connections from MySQL clients. The steps to enable this feature:

1. Generate a TiDB server-side certificate and a client-side certificate for the TiDB cluster. There are multiple ways to generate certificates:
   - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/enable-tls-clients/
   - certificates signed by the K8s built-in certificate signing system: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
   - certificates signed by cert-manager: https://cert-manager.io/
2. Create a K8s Secret object which contains the TiDB server-side certificate created above. The name of this Secret must be: ${cluster_name}-tidb-server-secret.
   kubectl create secret generic ${cluster_name}-tidb-server-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
3. Create a K8s Secret object which contains the TiDB client-side certificate created above, which will be used by TiDB Operator. The name of this Secret must be: ${cluster_name}-tidb-client-secret.
   kubectl create secret generic ${cluster_name}-tidb-client-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
4. Set Enabled to true.

tlsSecret
string
(Optional)

Specify a secret of client cert for backup/restore. Optional: Defaults to -tidb-client-secret. If you want to specify a secret for backup/restore, generate a Secret object according to the third step of the above procedure. The difference is that the Secret name can be freely defined; then copy the Secret name to TLSSecret. This field only works in the backup/restore process.
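
A pre-flight wrapper for steps 2 and 3 of the enabled procedure, as an added example that is not part of TiDB Operator or its documentation: it refuses to create a Secret unless tls.crt chains to ca.crt and matches tls.key. The function names, the KUBECTL variable and the one-directory-per-role layout are assumptions of this example, and the demo CA is constructed.

```shell
#!/bin/sh
# Added example. Function names, KUBECTL and the directory layout are assumptions.

# Secret names from steps 2 and 3: ${cluster_name}-tidb-{server,client}-secret.
secret_name() {  # $1 = cluster name, $2 = server | client
    printf '%s-tidb-%s-secret\n' "$1" "$2"
}

# Succeed only if tls.crt chains to ca.crt and its public key matches tls.key.
check_pair() {  # $1 = tls.crt, $2 = tls.key, $3 = ca.crt
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Validate the files in directory $4, then create the Secret for role $3.
# Set KUBECTL=echo to print the command instead of running it.
create_secret() {  # $1 = cluster, $2 = namespace, $3 = server | client, $4 = dir
    case "$3" in
        server|client) ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    if ! check_pair "$4/tls.crt" "$4/tls.key" "$4/ca.crt"; then
        echo "refusing to create $(secret_name "$1" "$3"): cert, key and CA do not match" >&2
        return 1
    fi
    # Only the three files named in the procedure are uploaded; a CA private
    # key lying in the same directory never enters the Secret.
    "${KUBECTL:-kubectl}" create secret generic "$(secret_name "$1" "$3")" \
        --namespace="$2" \
        --from-file=tls.crt="$4/tls.crt" \
        --from-file=tls.key="$4/tls.key" \
        --from-file=ca.crt="$4/ca.crt"
}

# Constructed throwaway CA and leaf certificate in directory $1, for trying
# the checks offline. Not a substitute for step 1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-tidb" \
        -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/tls.crt" 2>/dev/null
}
```

The same wrapper serves a freely named backup/restore Secret if secret_name is bypassed; the certificate checks do not depend on the Secret name.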