Support specifying an initialize sql file on TiDB's first bootstrap #4862

Merged
merged 11 commits into from
Feb 16, 2023

fgksgf
Contributor

@fgksgf fgksgf commented Feb 7, 2023

What problem does this PR solve?

Support specifying an initialize sql file on TiDB's first bootstrap.
Related PR: pingcap/tidb#35625

What is changed and how does it work?

  • Add a BootstrapSQLConfigMapName field to tidb spec
  • If it's enabled, it will mount the specified configmap to the tidb pod and add --initialize-sql-file to the tidb start script

Code changes

  • Has Go code change
  • Has CI related scripts change

Tests

  • Unit test
  • E2E test
  • Manual test
    • Run tidb operator locally
    • Create a config map like:
apiVersion: v1
kind: ConfigMap
metadata:
  name: sem
data:
  bootstrap-sql: |
    CREATE USER test_admin;
    GRANT RESTRICTED_VARIABLES_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT RESTRICTED_STATUS_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT RESTRICTED_CONNECTION_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT RESTRICTED_USER_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT RESTRICTED_TABLES_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT RESTRICTED_REPLICA_WRITER_ADMIN ON *.* TO 'test_admin'@'%';
    GRANT SHUTDOWN, CONFIG ON *.* TO 'test_admin'@'%';
    REVOKE SHUTDOWN, CONFIG ON *.* FROM root;
  • create a TC CR, specify the BootstrapSQLConfigMapName field and set tidb config to enable SEM
  • connect to the tidb with user test_admin and:
    • query show config where type='tidb' and name='security.enable-sem';
    • query select * from INFORMATION_SCHEMA.USER_PRIVILEGES;
+------+-----------------------------------------------------------------+---------------------+-------+
| Type | Instance                                                        | Name                | Value |
+------+-----------------------------------------------------------------+---------------------+-------+
| tidb | with-bootstrap2-tidb-0.with-bootstrap2-tidb-peer.test5.svc:4000 | security.enable-sem | true  |
+------+-----------------------------------------------------------------+---------------------+-------+

+------------------+---------------+---------------------------------+--------------+
| GRANTEE          | TABLE_CATALOG | PRIVILEGE_TYPE                  | IS_GRANTABLE |
+------------------+---------------+---------------------------------+--------------+
| 'test_admin'@'%' | def           | SHUTDOWN                        | NO           |
| 'test_admin'@'%' | def           | CONFIG                          | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_VARIABLES_ADMIN      | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_STATUS_ADMIN         | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_CONNECTION_ADMIN     | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_USER_ADMIN           | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_TABLES_ADMIN         | NO           |
| 'test_admin'@'%' | def           | RESTRICTED_REPLICA_WRITER_ADMIN | NO           |
+------------------+---------------+---------------------------------+--------------+
  • tidb pod did not restart
  • No code

Side effects

  • Breaking backward compatibility
  • Other side effects:

Related changes

  • Need to cherry-pick to the release branch
  • Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

Support specifying an initialize sql file on TiDB's first bootstrap
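
The TidbCluster resource that the manual test steps in the description above refer to could look like the following. This is an added example, not taken from the PR or the tidb-operator repository: the cluster name and namespace are read off the sample output above, the version is a placeholder, and the single-replica pd/tikv sizing is an assumption for a local test.

```yaml
# Added example (not from the PR). The ConfigMap "sem" shown in the
# description must exist in the same namespace before the cluster is created,
# because the SQL is only executed on TiDB's first bootstrap.
apiVersion: pingcap.com/v1alpha1
kind: TidbCluster
metadata:
  name: with-bootstrap2        # from the instance name in the sample output
  namespace: test5             # from the instance name in the sample output
spec:
  version: "<tidb-version>"    # placeholder: a TiDB release that supports --initialize-sql-file
  pd:                          # assumed minimal sizing for a local test
    baseImage: pingcap/pd
    replicas: 1
    requests:
      storage: 1Gi
    config: {}
  tikv:                        # assumed minimal sizing for a local test
    baseImage: pingcap/tikv
    replicas: 1
    requests:
      storage: 1Gi
    config: {}
  tidb:
    baseImage: pingcap/tidb
    replicas: 1
    # Name of the ConfigMap whose "bootstrap-sql" key holds the statements.
    # Changing this later is rejected by validation; only clearing it is allowed.
    bootstrapSQLConfigMapName: sem
    # Enable Security Enhanced Mode so the RESTRICTED_* grants take effect.
    config: |
      [security]
      enable-sem = true
```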

@ti-chi-bot
Member

ti-chi-bot commented Feb 7, 2023

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • csuzhangxc
  • july2993

@CLAassistant

CLAassistant commented Feb 7, 2023

CLA assistant check
All committers have signed the CLA.

@codecov-commenter

codecov-commenter commented Feb 7, 2023

Codecov Report

Merging #4862 (776f88e) into master (ec7e73f) will increase coverage by 8.36%.
The diff coverage is 0.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4862      +/-   ##
==========================================
+ Coverage   59.43%   67.79%   +8.36%     
==========================================
  Files         226      230       +4     
  Lines       25697    28793    +3096     
==========================================
+ Hits        15273    19521    +4248     
+ Misses       8969     7800    -1169     
- Partials     1455     1472      +17     
Flag Coverage Δ
e2e 52.65% <0.00%> (?)
unittest 59.39% <0.00%> (-0.05%) ⬇️

@fgksgf fgksgf changed the title from "[WIP] Support specifying an initialize sql file on TiDB's first bootstrap" to "Support specifying an initialize sql file on TiDB's first bootstrap" Feb 8, 2023
pkg/apis/pingcap/v1alpha1/tidbcluster.go (resolved)
@@ -643,6 +644,21 @@ func validateUpdatePDConfig(oldPdSpec, pdSpec *v1alpha1.PDSpec, path *field.Path
return allErrs
}

func disallowMutateBootstrapSQLConfigMapName(old, new *v1alpha1.TiDBSpec, p *field.Path) field.ErrorList {
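Review bot: in the signature of disallowMutateBootstrapSQLConfigMapName the parameter named new shadows Go's predeclared new function, and old, new and p are terse next to oldPdSpec, pdSpec and path in validateUpdatePDConfig just above. Consider `oldSpec, newSpec *v1alpha1.TiDBSpec, path *field.Path`. The function is also added without a doc comment, so a reader cannot tell from here which changes to the field are rejected.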
Contributor

It seems there is no need to restrict this

Contributor Author

Because it only takes effect at the first bootstrap, updating the field makes no sense but makes tidb restart.

Collaborator

@KanShiori KanShiori left a comment

Rest LGTM

pkg/apis/pingcap/v1alpha1/tidbcluster.go (outdated, resolved)
pkg/manager/member/startscript/v1/template.go (outdated, resolved)
@fgksgf fgksgf requested review from csuzhangxc and KanShiori and removed request for handlerww, KanShiori and csuzhangxc February 13, 2023 05:44
@@ -644,6 +644,8 @@ func validateUpdatePDConfig(oldPdSpec, pdSpec *v1alpha1.PDSpec, path *field.Path
return allErrs
}

// disallowMutateBootstrapSQLConfigMapName checks if user mutate the bootstrapSQLConfigMapName field.
// Only allow to update bootstrapSQLConfigMapName from non-nil to nil.
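Review bot: the doc comment on disallowMutateBootstrapSQLConfigMapName states the rule ("Only allow to update bootstrapSQLConfigMapName from non-nil to nil") but not the reason for it, and "checks if user mutate" reads as if the function only reports a change rather than rejecting it. Suggest wording it as a rejection and naming the one permitted transition, for example `// disallowMutateBootstrapSQLConfigMapName rejects changes to bootstrapSQLConfigMapName; only clearing it (non-nil to nil) is allowed.`, followed by one sentence on why clearing is allowed.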
Member

Why do we need to support updates from non-nil to nil?

Contributor Author

@fgksgf fgksgf Feb 13, 2023


If the user deletes the bootstrap sql configmap and also wants to remove it from tidb pods.

@hanlins
Contributor

hanlins commented Feb 13, 2023

/run-all-tests

@hanlins
Contributor

hanlins commented Feb 13, 2023

/test pull-e2e-kind-across-kubernetes

@handlerww
Contributor

/test pull-e2e-kind-across-kubernetes

@handlerww
Contributor

/test pull-e2e-kind-serial

@fgksgf
Contributor Author

fgksgf commented Feb 15, 2023

Any ideas about the error in E2E?

Join cluster with existing data [It]

failed to check status

Unexpected error: "timed out waiting for the condition, 
last error: all pump member hosts don't contain update-1-pump.across-kubernetes-9232.svc.cluster.local"

/home/jenkins/agent/workspace/tidb-operator-pull-e2e-kind-across-kubernetes/go/src/github.com/pingcap/tidb-operator/tests/e2e/tidbcluster/across-kubernetes.go:280

if len(ownMembers) == 0 {
	return fmt.Errorf("all pump member hosts don't contain %s", pumpHostSuffix)
}

Do we need to turn up the timeout?

err = CheckStatusWhenAcrossK8sWithTimeout(cli, []*v1alpha1.TidbCluster{tc1, tc2, tc3}, 5*time.Second, 3*time.Minute)

@handlerww
Contributor

/test pull-e2e-kind-across-kubernetes

@KanShiori
Collaborator

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: 7702ee7

@ti-chi-bot
Member

@fgksgf: Your PR was out of date, I have automatically updated it for you.


@hanlins
Contributor

hanlins commented Feb 15, 2023

/run-all-tests

@hanlins
Contributor

hanlins commented Feb 15, 2023

/test pull-e2e-kind-serial

@hanlins
Contributor

hanlins commented Feb 15, 2023

/test pull-e2e-kind-serial

@hanlins
Contributor

hanlins commented Feb 15, 2023

/test pull-e2e-kind-serial

@hanlins
Contributor

hanlins commented Feb 15, 2023

/test pull-e2e-kind-serial

@KanShiori
Collaborator

/test pull-e2e-kind-serial

@ti-chi-bot ti-chi-bot merged commit 0d45f8c into pingcap:master Feb 16, 2023
@fgksgf fgksgf deleted the huaxi/bootstrap-sql branch February 16, 2023 03:47