pingcap
diff --git a/‎en/TOC.md‎
Lines changed: 2 additions & 0 deletions b/‎en/TOC.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎en/deploy-failures.md‎
Lines changed: 85 additions & 0 deletions b/‎en/deploy-failures.md‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎en/deploy-tidb-cluster.md‎
Lines changed: 1 addition & 0 deletions b/‎en/deploy-tidb-cluster.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎en/enable-tls-between-components.md‎
Lines changed: 2 additions & 273 deletions b/‎en/enable-tls-between-components.md‎
Lines changed: 2 additions & 273 deletions
@@ -47,6 +47,8 @@
     - [Destroy a TiDB Cluster](destroy-a-tidb-cluster.md)
 - Troubleshoot
   - [Troubleshooting Tips](tips.md)
+  - [Deployment Failures](deploy-failures.md)
+  - [Cluster Exceptions](exceptions.md)
 - Reference
   - Architecture
     - [TiDB Operator](architecture.md)
 
@@ -5,4 +5,89 @@ summary: Learn the common deployment failures of TiDB on Kubernetes and their so
 
 # Common Deployment Failures of TiDB on Kubernetes
 
+This document describes the common deployment failures of TiDB on Kubernetes and their solutions.
+
+## The Pod is not created normally
+
+After creating a backup/restore task, if the Pod is not created, you can perform a diagnostic operation by executing the following commands:
+
+```shell
+kubectl get backups -n ${namespace}
+kubectl get jobs -n ${namespace}
+kubectl describe backups -n ${namespace} ${backup_name}
+kubectl describe jobs -n ${namespace} ${backupjob_name}
+kubectl describe restores -n ${namespace} ${restore_name}
+```
+
 ## The Pod is in the Pending state
+
+The Pending state of a Pod is usually caused by conditions of insufficient resources, for example:
+
+- The `StorageClass` of the PVC used by PD, TiKV, TiFlash, Backup, and Restore Pods does not exist or the PV is insufficient.
+- No nodes in the Kubernetes cluster can satisfy the CPU or memory resources requested by the Pod.
+- The certificates used by TiDB or TiProxy components are not configured.
+
+You can check the specific reason for Pending by using the `kubectl describe pod` command:
+
+```shell
+kubectl describe po -n ${namespace} ${pod_name}
+```
+
+### CPU or memory resources are insufficient
+
+If the CPU or memory resources are insufficient, you can lower the CPU or memory resources requested by the corresponding component for scheduling, or add a new Kubernetes node.
+
+### StorageClass of the PVC does not exist
+
+If the `StorageClass` of the PVC cannot be found, take the following steps:
+
+1. Get the available `StorageClass` in the cluster:
+
+    ```shell
+    kubectl get storageclass
+    ```
+
+2. Change `storageClassName` to the name of the `StorageClass` available in the cluster.
+
+3. Update the configuration file:
+
+    If you want to run a backup/restore task, first execute `kubectl delete bk ${backup_name} -n ${namespace}` to delete the old backup/restore task, and then execute `kubectl apply -f backup.yaml` to create a new backup/restore task.
+
+4. Delete the corresponding PVCs:
+
+    ```shell
+    kubectl delete pvc -n ${namespace} ${pvc_name}
+    ```
+
+### Insufficient available PVs
+
+If a `StorageClass` exists in the cluster but the available PVs are insufficient, you need to add PV resources correspondingly.
+
+## The Pod is in the `CrashLoopBackOff` state
+
+A Pod in the `CrashLoopBackOff` state means that the container in the Pod repeatedly aborts (in the loop of abort - restart by `kubelet` - abort). There are many potential causes of `CrashLoopBackOff`.
+
+### View the log of the current container
+
+```shell
+kubectl -n ${namespace} logs -f ${pod_name}
+```
+
+### View the log when the container was last restarted
+
+```shell
+kubectl -n ${namespace} logs -p ${pod_name}
+```
+
+After checking the error messages in the log, you can refer to [Cannot start `tidb-server`](https://docs.pingcap.com/tidb/stable/troubleshoot-tidb-cluster#cannot-start-tidb-server), [Cannot start `tikv-server`](https://docs.pingcap.com/tidb/stable/troubleshoot-tidb-cluster#cannot-start-tikv-server), and [Cannot start `pd-server`](https://docs.pingcap.com/tidb/stable/troubleshoot-tidb-cluster#cannot-start-pd-server) for further troubleshooting.
+
+### `ulimit` is not large enough
+
+TiKV might fail to start when `ulimit` is not large enough. In this case, you can modify the `/etc/security/limits.conf` file of the Kubernetes node to increase the `ulimit`:
+
+```
+root soft nofile 1000000
+root hard nofile 1000000
+root soft core unlimited
+root soft stack 10240
+```
@@ -211,6 +211,7 @@ After preparing the YAML files for each component, deploy the TiDB cluster by fo
     metadata:
       name: basic
       namespace: db
+    spec: {}
     ```
 
     Create the `Cluster` CRD:
 
@@ -23,284 +23,13 @@ This document describes how to enable Transport Layer Security (TLS) between com
 
 3. Configure `pd-ctl` and `tikv-ctl` to connect to the cluster.
 
-Certificates can be issued in multiple methods. This document describes two methods. You can choose either of them to issue certificates for the TiDB cluster:
-
-- Use `cfssl`
-- Use `cert-manager`
+Certificates can be issued in multiple methods. This document describes how to use the `cert-manager` system to issue certificates for the TiDB cluster.
 
 If you need to renew the existing TLS certificate, refer to [Renew and Replace the TLS Certificate](renew-tls-certificate.md).
 
 ## Step 1. Generate certificates for components of the TiDB cluster
 
-This section describes how to issue certificates using two methods: `cfssl` and `cert-manager`.
-
-### Use `cfssl`
-
-1. Download `cfssl` and initialize the certificate issuer:
-
-    ```shell
-    mkdir -p ~/bin
-    curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
-    curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
-    chmod +x ~/bin/{cfssl,cfssljson}
-    export PATH=$PATH:~/bin
-
-    mkdir -p cfssl
-    cd cfssl
-    ```
-
-2. Generate the `ca-config.json` configuration file:
-
-    > **Note:**
-    >
-    > - All TiDB components share the same set of TLS certificates for inter-component communication to encrypt traffic between clients and servers. Therefore, when generating the CA configuration, you must specify both `server auth` and `client auth`.
-    > - It is recommended that all component certificates be issued by the same CA.
-
-    ```shell
-    cat << EOF > ca-config.json
-    {
-        "signing": {
-            "default": {
-                "expiry": "8760h"
-            },
-            "profiles": {
-                "internal": {
-                    "expiry": "8760h",
-                    "usages": [
-                        "signing",
-                        "key encipherment",
-                        "server auth",
-                        "client auth"
-                    ]
-                }
-            }
-        }
-    }
-    EOF
-    ```
-
-3. Generate the `ca-csr.json` configuration file:
-
-    ```shell
-    cat << EOF > ca-csr.json
-    {
-        "CN": "TiDB",
-        "CA": {
-            "expiry": "87600h"
-        },
-        "key": {
-            "algo": "rsa",
-            "size": 2048
-        },
-        "names": [
-            {
-                "C": "US",
-                "L": "CA",
-                "O": "PingCAP",
-                "ST": "Beijing",
-                "OU": "TiDB"
-            }
-        ]
-    }
-    EOF
-    ```
-
-4. Generate CA by the configured option:
-
-    ```shell
-    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
-    ```
-
-5. Generate certificates:
-
-    In this step, you need to generate a set of certificates for each component group of the TiDB cluster.
-
-    - PD certificate
-
-        First, generate the default `pd.json` file:
-
-        ```shell
-        cfssl print-defaults csr > pd.json
-        ```
-
-        Then, edit this file to change the `CN` and `hosts` attributes:
-
-        ```json
-        ...
-            "CN": "TiDB",
-            "hosts": [
-              "127.0.0.1",
-              "::1",
-              "${pd_group_name}-pd",
-              "${pd_group_name}-pd.${namespace}",
-              "${pd_group_name}-pd.${namespace}.svc",
-              "${pd_group_name}-pd-peer",
-              "${pd_group_name}-pd-peer.${namespace}",
-              "${pd_group_name}-pd-peer.${namespace}.svc",
-              "*.${pd_group_name}-pd-peer",
-              "*.${pd_group_name}-pd-peer.${namespace}",
-              "*.${pd_group_name}-pd-peer.${namespace}.svc"
-            ],
-        ...
-        ```
-
-        `${pd_group_name}` is the name of PDGroup, and `${namespace}` is the namespace in which the TiDB cluster is deployed. You can also add your customized `hosts`.
-
-        Finally, generate the PD certificate:
-
-        ```shell
-        cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=internal pd.json | cfssljson -bare pd
-        ```
-
-    - TiKV certificate
-
-        First, generate the default `tikv.json` file:
-
-        ```shell
-        cfssl print-defaults csr > tikv.json
-        ```
-
-        Then, edit this file to change the `CN` and `hosts` attributes:
-
-        ```json
-        ...
-            "CN": "TiDB",
-            "hosts": [
-              "127.0.0.1",
-              "::1",
-              "${tikv_group_name}-tikv",
-              "${tikv_group_name}-tikv.${namespace}",
-              "${tikv_group_name}-tikv.${namespace}.svc",
-              "${tikv_group_name}-tikv-peer",
-              "${tikv_group_name}-tikv-peer.${namespace}",
-              "${tikv_group_name}-tikv-peer.${namespace}.svc",
-              "*.${tikv_group_name}-tikv-peer",
-              "*.${tikv_group_name}-tikv-peer.${namespace}",
-              "*.${tikv_group_name}-tikv-peer.${namespace}.svc"
-            ],
-        ...
-        ```
-
-        `${tikv_group_name}` is the name of TiKVGroup, and `${namespace}` is the namespace in which the TiDB cluster is deployed. You can also add your customized `hosts`.
-
-        Finally, generate the TiKV certificate:
-
-        ```shell
-        cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=internal tikv.json | cfssljson -bare tikv
-        ```
-
-    - TiDB certificate
-
-        First, generate the default `tidb.json` file:
-
-        ```shell
-        cfssl print-defaults csr > tidb.json
-        ```
-
-        Then, edit this file to change the `CN` and `hosts` attributes:
-
-        ```json
-        ...
-            "CN": "TiDB",
-            "hosts": [
-              "127.0.0.1",
-              "::1",
-              "${tidb_group_name}-tidb",
-              "${tidb_group_name}-tidb.${namespace}",
-              "${tidb_group_name}-tidb.${namespace}.svc",
-              "${tidb_group_name}-tidb-peer",
-              "${tidb_group_name}-tidb-peer.${namespace}",
-              "${tidb_group_name}-tidb-peer.${namespace}.svc",
-              "*.${tidb_group_name}-tidb-peer",
-              "*.${tidb_group_name}-tidb-peer.${namespace}",
-              "*.${tidb_group_name}-tidb-peer.${namespace}.svc"
-            ],
-        ...
-        ```
-
-        `${tidb_group_name}` is the name of TiDBGroup, and `${namespace}` is the namespace in which the TiDB cluster is deployed. You can also add your customized `hosts`.
-
-        Finally, generate the TiDB certificate:
-
-        ```shell
-        cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=internal tidb.json | cfssljson -bare tidb
-        ```
-
-    - Other components
-
-        In addition to PD, TiKV, and TiDB, other component groups also require their own TLS certificates. The following example shows the basic steps to generate a component certificate:
-
-        First, generate the default `${component_name}.json` file:
-
-        ```shell
-        cfssl print-defaults csr > ${component_name}.json
-        ```
-
-        Then, edit this file to change the `CN` and `hosts` attributes:
-
-        ```json
-        ...
-            "CN": "TiDB",
-            "hosts": [
-              "127.0.0.1",
-              "::1",
-              "${group_name}-${component_name}",
-              "${group_name}-${component_name}.${namespace}",
-              "${group_name}-${component_name}.${namespace}.svc",
-              "${group_name}-${component_name}-peer",
-              "${group_name}-${component_name}-peer.${namespace}",
-              "${group_name}-${component_name}-peer.${namespace}.svc",
-              "*.${group_name}-${component_name}-peer",
-              "*.${group_name}-${component_name}-peer.${namespace}",
-              "*.${group_name}-${component_name}-peer.${namespace}.svc"
-            ],
-        ...
-        ```
-
-        In this file:
-
-        - `${group_name}` is the name of the component group.
-        - `${component_name}` is the name of the component (use lowercase letters, such as `pd`, `tikv`, and `tidb`).
-        - `${namespace}` the namespace in which the TiDB cluster is deployed.
-        - You can also add your customized `hosts`.
-
-        Finally, generate the component certificate:
-
-        ```shell
-        cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=internal ${component_name}.json | cfssljson -bare ${component_name}
-        ```
-
-6. Create the Kubernetes Secret object:
-
-    If you have already generated a set of certificates for each component and a set of client-side certificates for each client as described in the preceding steps, create the Secret objects for the TiDB cluster by executing the following command:
-
-    Create the Secret for the PD cluster certificate:
-
-    ```shell
-    kubectl create secret generic ${pd_group_name}-pd-cluster-secret --namespace=${namespace} --from-file=tls.crt=pd.pem --from-file=tls.key=pd-key.pem --from-file=ca.crt=ca.pem
-    ```
-
-    Create the Secret for the TiKV cluster certificate:
-
-    ```shell
-    kubectl create secret generic ${tikv_group_name}-tikv-cluster-secret --namespace=${namespace} --from-file=tls.crt=tikv.pem --from-file=tls.key=tikv-key.pem --from-file=ca.crt=ca.pem
-    ```
-
-    Create the Secret for the TiDB cluster certificate:
-
-    ```shell
-    kubectl create secret generic ${tidb_group_name}-tidb-cluster-secret --namespace=${namespace} --from-file=tls.crt=tidb.pem --from-file=tls.key=tidb-key.pem --from-file=ca.crt=ca.pem
-    ```
-
-    Create the Secret for other component certificates:
-
-    ```shell
-    kubectl create secret generic ${group_name}-${component_name}-cluster-secret --namespace=${namespace} --from-file=tls.crt=${component_name}.pem --from-file=tls.key=${component_name}-key.pem --from-file=ca.crt=ca.pem
-    ```
-
-    In this step, separate Secrets are created for the server-side certificates of PD, TiKV, and TiDB for loading during startup, and another set of client-side certificates is provided for their client connections.
-
-### Use `cert-manager`
+This section describes how to issue certificates using `cert-manager`.
 
 1. Install `cert-manager`.