From a996230848c7186155488094b1aa5bcd60658cd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 3 Dec 2025 08:27:15 +0100 Subject: [PATCH 1/5] tiproxy: add detail about reloading certificates once an hour --- tiproxy/tiproxy-configuration.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tiproxy/tiproxy-configuration.md b/tiproxy/tiproxy-configuration.md index 7d0d14dbd9f5d..bb189e7fbce53 100644 --- a/tiproxy/tiproxy-configuration.md +++ b/tiproxy/tiproxy-configuration.md @@ -221,6 +221,10 @@ When you need to isolate computing layer resources, you can configure multiple v ### security +> **Note:** +> +> TiProxy re-reads certificate files once per hour. Changes to certificate files on disk may take up to one hour before they are applied. + There are four TLS objects in the `[security]` section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names. ```toml From 0fa2a03f18ac2f60aa1b78be2576eae666a2f22c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 3 Dec 2025 08:31:25 +0100 Subject: [PATCH 2/5] Update enable-tls-between-components.md to correct TiProxy description --- enable-tls-between-components.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 24073e6a14c65..1b629db9ef1fe 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -264,7 +264,9 @@ After configuring TLS for communication between TiDB components, you can use the ## Reload certificates -- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, TiProxy, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster. +- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster. + +- TiProxy reloads the certificates from disk once an hour. - If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, TiFlash, TiCDC, and TiProxy components can be automatically rotated without restarting the TiDB cluster. From d824db1d4bf8f8ee248731440c1ff84c08045532 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 3 Dec 2025 08:32:04 +0100 Subject: [PATCH 3/5] Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tiproxy/tiproxy-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-configuration.md b/tiproxy/tiproxy-configuration.md index bb189e7fbce53..0c50c98fd6256 100644 --- a/tiproxy/tiproxy-configuration.md +++ b/tiproxy/tiproxy-configuration.md 
@@ -223,7 +223,7 @@ When you need to isolate computing layer resources, you can configure multiple v > **Note:** > -> TiProxy re-reads certificate files once per hour. Changes to certificate files on disk may take up to one hour before they are applied. +> TiProxy reloads certificate files once per hour. Therefore, any changes you make to the certificate files on disk can take up to one hour to take effect. There are four TLS objects in the `[security]` section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names. From 406c3738292d329fe50fb5d43184a10c91435b28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Thu, 4 Dec 2025 12:06:33 +0100 Subject: [PATCH 4/5] Update tiproxy/tiproxy-configuration.md Co-authored-by: Grace Cai --- tiproxy/tiproxy-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-configuration.md b/tiproxy/tiproxy-configuration.md index 0c50c98fd6256..7d5f005398405 100644 --- a/tiproxy/tiproxy-configuration.md +++ b/tiproxy/tiproxy-configuration.md @@ -223,7 +223,7 @@ When you need to isolate computing layer resources, you can configure multiple v > **Note:** > -> TiProxy reloads certificate files once per hour. Therefore, any changes you make to the certificate files on disk can take up to one hour to take effect. +> TiProxy reloads certificates from disk once an hour. Therefore, any changes that you make to certificate files on disk can take up to one hour to take effect. There are four TLS objects in the `[security]` section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names. From 5c7b47291169fad6f0addea4f53420856fa82112 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Thu, 4 Dec 2025 16:53:56 +0100 Subject: [PATCH 5/5] Update enable-tls-between-components.md Co-authored-by: Grace Cai --- enable-tls-between-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 1b629db9ef1fe..feb54945d10a6 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -266,7 +266,7 @@ After configuring TLS for communication between TiDB components, you can use the - If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster. -- TiProxy reloads the certificates from disk once an hour. +- TiProxy reloads certificates from disk once an hour. - If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, TiFlash, TiCDC, and TiProxy components can be automatically rotated without restarting the TiDB cluster.
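Review bot: The note added to the `### security` section of tiproxy/tiproxy-configuration.md (PATCH 1/5) gives the hourly reload interval but not its scope or the way out of it: the paragraph right below it describes four TLS objects in `[security]`, so state whether the one-hour interval applies to all four, and state whether a TiProxy restart is the only way to apply a changed certificate sooner. For an operator replacing an expiring or revoked certificate, the window between writing the file and TiProxy actually serving it is the part that matters, so a closing sentence along the lines of `> If you need the new certificates to take effect sooner, ...` with the actual procedure would make the note actionable rather than only cautionary.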
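Review bot: In the enable-tls-between-components.md hunk (PATCH 2/5), the new bullet `- TiProxy reloads the certificates from disk once an hour.` is unconditional, yet it is placed between two bullets that are each scoped by deployment type (`If your TiDB cluster is deployed in a local data center` and `If your TiDB cluster is deployed on your own managed cloud`), and the cloud bullet still lists TiProxy among the components whose certificates "can be automatically rotated without restarting the TiDB cluster". Make the scope explicit so the cloud bullet is not read as promising immediate pickup for TiProxy, for example `- In both deployments, TiProxy reloads certificates from disk once an hour, so a rotated TiProxy certificate can take up to one hour to be used.`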
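Review bot: PATCH 3/5 through PATCH 5/5 are only successive rewordings of the two sentences introduced in PATCH 1/5 and PATCH 2/5 (`re-reads certificate files once per hour` becomes `reloads certificates from disk once an hour`, and `reloads the certificates` becomes `reloads certificates`), so squash them into the first two commits before merging; the resulting history records one change per file, and the final wording in tiproxy/tiproxy-configuration.md and enable-tls-between-components.md now matches, which is the right end state.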