fix(cert): only mount ca.crt in ca secret (#6455)

Author: liubog2008

pkg/apiutil/core/v1alpha1/instance.go

@@ -89,6 +89,12 @@ func ClusterTLSVolume[
 							LocalObjectReference: corev1.LocalObjectReference{
 								Name: ca,
 							},
+							Items: []corev1.KeyToPath{
+								{
+									Key:  corev1.ServiceAccountRootCAKey,
+									Path: corev1.ServiceAccountRootCAKey,
+								},
+							},
 						},
 					},
 					{

pkg/apiutil/core/v1alpha1/tidb.go

@@ -148,6 +148,12 @@ func TiDBMySQLTLSVolume(db *v1alpha1.TiDB) *corev1.Volume {
 							LocalObjectReference: corev1.LocalObjectReference{
 								Name: ca,
 							},
+							Items: []corev1.KeyToPath{
+								{
+									Key:  corev1.ServiceAccountRootCAKey,
+									Path: corev1.ServiceAccountRootCAKey,
+								},
+							},
 						},
 					},
 					{

pkg/apiutil/core/v1alpha1/tiproxy.go

@@ -131,6 +131,12 @@ func TiProxyMySQLTLSVolume(tiproxy *v1alpha1.TiProxy) *corev1.Volume {
 							LocalObjectReference: corev1.LocalObjectReference{
 								Name: ca,
 							},
+							Items: []corev1.KeyToPath{
+								{
+									Key:  corev1.ServiceAccountRootCAKey,
+									Path: corev1.ServiceAccountRootCAKey,
+								},
+							},
 						},
 					},
 					{
@@ -233,6 +239,12 @@ func TiProxyHTTPServerTLSVolume(tiproxy *v1alpha1.TiProxy) *corev1.Volume {
 							LocalObjectReference: corev1.LocalObjectReference{
 								Name: ca,
 							},
+							Items: []corev1.KeyToPath{
+								{
+									Key:  corev1.ServiceAccountRootCAKey,
+									Path: corev1.ServiceAccountRootCAKey,
+								},
+							},
 						},
 					},
 					{
@@ -360,6 +372,12 @@ func TiProxyBackendTLSVolume(tiproxy *v1alpha1.TiProxy) *corev1.Volume {
 							LocalObjectReference: corev1.LocalObjectReference{
 								Name: ca,
 							},
+							Items: []corev1.KeyToPath{
+								{
+									Key:  corev1.ServiceAccountRootCAKey,
+									Path: corev1.ServiceAccountRootCAKey,
+								},
+							},
 						},
 					},
 					{

tests/e2e/framework/workload/options.go

@@ -99,6 +99,12 @@ func ConfigJobWithTLS(job *batchv1.Job, o *Options) *batchv1.Job {
 								LocalObjectReference: corev1.LocalObjectReference{
 									Name: o.CA,
 								},
+								Items: []corev1.KeyToPath{
+									{
+										Key:  corev1.ServiceAccountRootCAKey,
+										Path: corev1.ServiceAccountRootCAKey,
+									},
+								},
 							},
 						},
 						{

tests/e2e/suite/cluster/tls.go

@@ -40,8 +40,9 @@ var _ = ginkgo.Describe("TLS", label.Cluster, label.FeatureTLS, func() {
 			ns := f.Namespace.Name
 			cluster := f.Cluster.Name
 
-			ca := "cluster-ca"
-			mysqlClientCA, mysqlServerCertKeyPair := "mysql-ca", "mysql-tls"
+			// add ns prefix of ca because the bundle is a cluster scope resource
+			ca := ns + "-cluster-ca"
+			mysqlClientCA, mysqlServerCertKeyPair := ns+"-mysql-ca", "mysql-tls"
 			pdg := f.MustCreatePD(ctx,
 				data.WithMSMode(),
 				data.WithClusterTLS[*runtime.PDGroup](ca, "pd-internal"),