TLSCluster

(Appears on: TidbClusterSpec)

TLSCluster enables TLS connections between TiDB server components; see https://pingcap.com/docs/stable/how-to/secure/enable-tls-between-components/

Field       Description

enabled     bool (Optional)

  Enable mutual TLS authentication among TiDB components. Once enabled, the mutual authentication applies to all components; it cannot be applied to only some of them.

  The steps to enable this feature:

  1. Generate certificates for the TiDB server components and a client-side certificate for them. There are several ways to generate these certificates:
     - user-provided certificates: https://pingcap.com/docs/stable/how-to/secure/generate-self-signed-certificates/
     - certificates signed by the Kubernetes built-in certificate signing system: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
     - certificates signed by cert-manager: https://cert-manager.io/

  2. Create one Secret object per component containing the certificates created above. The name of this Secret must be ${cluster_name}-<component>-cluster-secret, as in the commands below.
     For PD:
       kubectl create secret generic ${cluster_name}-pd-cluster-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
     For TiKV:
       kubectl create secret generic ${cluster_name}-tikv-cluster-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
     For TiDB:
       kubectl create secret generic ${cluster_name}-tidb-cluster-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
     For Client:
       kubectl create secret generic ${cluster_name}-cluster-client-secret --namespace=${namespace} --from-file=tls.crt= --from-file=tls.key= --from-file=ca.crt=
     Same for other components.
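The following POSIX shell helper is an added example, not code from this page or from the TiDB Operator project: it encodes the per-component Secret naming convention from step 2 and checks that the three required files (tls.crt, tls.key, ca.crt) are present and non-empty before printing the kubectl command, so a misnamed or incomplete Secret is caught before tlsCluster is enabled. The cluster name `basic`, namespace `tidb-cluster` and the `./certs/<component>/` directory layout are assumptions.

```shell
#!/bin/sh
# Added helper (not part of TiDB Operator). Cluster, namespace and cert paths
# are caller-supplied assumptions.

# Secret name convention from the field description:
#   pd/tikv/tidb -> ${cluster}-${component}-cluster-secret
#   client       -> ${cluster}-cluster-client-secret
secret_name() {
  cluster=$1; component=$2
  case "$component" in
    client) printf '%s-cluster-client-secret\n' "$cluster" ;;
    *)      printf '%s-%s-cluster-secret\n' "$cluster" "$component" ;;
  esac
}

# Every component Secret must carry exactly these three keys.
REQUIRED_FILES="tls.crt tls.key ca.crt"

# Returns 0 when all required files exist and are non-empty in $1;
# otherwise lists the missing ones on stderr and returns 1.
check_cert_dir() {
  dir=$1; missing=""
  for f in $REQUIRED_FILES; do
    [ -s "$dir/$f" ] || missing="$missing $f"
  done
  if [ -n "$missing" ]; then
    echo "missing or empty in $dir:$missing" >&2
    return 1
  fi
}

# Prints the kubectl command for one component, but only after the
# certificate directory passes check_cert_dir.
create_secret_cmd() {
  cluster=$1; namespace=$2; component=$3; dir=$4
  check_cert_dir "$dir" || return 1
  printf 'kubectl create secret generic %s --namespace=%s' \
    "$(secret_name "$cluster" "$component")" "$namespace"
  for f in $REQUIRED_FILES; do
    printf ' --from-file=%s=%s/%s' "$f" "$dir" "$f"
  done
  printf '\n'
}

# Example run with assumed values: certs live under ./certs/<component>/.
main() {
  for c in pd tikv tidb client; do
    create_secret_cmd basic tidb-cluster "$c" "./certs/$c" || echo "skipping $c" >&2
  done
}
main
```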