@wlwilliamx wlwilliamx commented Jan 28, 2026

What problem does this PR solve?

Issue Number: close #4082

What is changed and how it works?

In old architecture mode, TiCDC delegates to github.com/pingcap/tiflow/pkg/cmd/server but reuses TiCDC's cobra command, so cobra flags are bound to TiCDC's options instead of tiflow's.

tiflow Options.complete() rebuilds ServerConfig.Security from tiflowServer.Options.CaPath/CertPath/KeyPath, so TiCDC must propagate TLS flag values into those fields. Otherwise, when TLS flags are present on the CLI, tiflow sees them as visited but with empty values, overwrites the security config to empty, and fails https PD endpoint validation.

This PR adds a small adapter function to build tiflow server options and explicitly fills CaPath/CertPath/KeyPath/AllowedCertCN.

Check List

Tests

  • Unit test (go test ./cmd/cdc/server -run TestBuildTiFlowServerOptionsPropagatesTLSFlags)
  • Integration test
  • Manual test

Questions

Will it cause performance regression or break compatibility?

No. This only affects old architecture mode's delegation path and only changes how TLS flags are propagated to tiflow options.

Do you need to update user documentation, design documentation or monitoring documentation?

N/A

Release note

Fix TiCDC failing to start in old architecture mode when PD endpoints are https and TLS credentials are provided via CLI flags.

Summary by CodeRabbit

  • Chores
    • Centralized TLS configuration propagation for TiFlow server options construction
    • Enhanced consistency in JSON error handling
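
A reduced model of the failure described in the PR description above, written with the standard library `flag` package instead of cobra; it is an added example, not code from TiCDC or tiflow. The types `tlsFields` and `innerOptions`, the function `run`, the flag names and the file paths are assumptions made for illustration.

```go
package main

import (
	"flag"
	"fmt"
)

// tlsFields holds the three TLS path values (field names follow the PR text).
type tlsFields struct{ CaPath, CertPath, KeyPath string }

// innerOptions models the delegated server's options (hypothetical type).
type innerOptions struct {
	tlsFields          // its own flag targets; the shared flag set never writes them
	Security tlsFields // security config handed over by the wrapper
}

// complete rebuilds Security from the inner fields for every flag set on the CLI.
func (o *innerOptions) complete(fs *flag.FlagSet) {
	fs.Visit(func(f *flag.Flag) {
		switch f.Name {
		case "ca":
			o.Security.CaPath = o.CaPath
		case "cert":
			o.Security.CertPath = o.CertPath
		case "key":
			o.Security.KeyPath = o.KeyPath
		}
	})
}

// run binds the flags to the wrapper's options, then delegates to the inner ones.
func run(args []string, propagate bool) tlsFields {
	var outer tlsFields
	fs := flag.NewFlagSet("server", flag.ExitOnError)
	fs.StringVar(&outer.CaPath, "ca", "", "CA certificate path")
	fs.StringVar(&outer.CertPath, "cert", "", "certificate path")
	fs.StringVar(&outer.KeyPath, "key", "", "private key path")
	fs.Parse(args) // ExitOnError: Parse exits on bad input instead of returning
	inner := &innerOptions{Security: outer}
	if propagate { // the adapter step: copy flag values into the inner fields
		inner.tlsFields = outer
	}
	inner.complete(fs)
	return inner.Security
}

func main() {
	args := []string{"-ca", "ca.pem", "-cert", "cdc.pem", "-key", "cdc-key.pem"} // constructed
	fmt.Println(run(args, false), run(args, true)) // wiped config, then preserved paths
}
```

Without the propagation step, a flag that was set on the command line erases the matching field of a security config that was already correct, which is why the failure only appears when TLS flags are passed on the CLI.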


@ti-chi-bot ti-chi-bot bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/needs-triage-completed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 28, 2026
@gemini-code-assist

Summary of Changes

Hello @wlwilliamx, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue in TiCDC's old architecture mode where TLS configuration was not correctly propagated to the underlying tiflow server when using command-line flags. The changes ensure that TLS credentials are properly transferred, allowing TiCDC to successfully connect to HTTPS PD endpoints, thereby enhancing secure communication without breaking existing functionality.

Highlights

  • TLS Flag Propagation: Introduced a new function buildTiFlowServerOptions to explicitly transfer TLS-related CLI flag values (CA path, certificate path, key path, and allowed CNs) from TiCDC's internal options to tiflow's server options. This ensures that when TiCDC reuses its Cobra command, these critical security parameters are correctly passed to the underlying tiflow server.
  • Fix for HTTPS PD Endpoints: Resolved an issue where TiCDC, operating in old architecture mode and delegating to tiflow, would fail to connect to HTTPS PD endpoints if TLS credentials were provided via CLI flags. The previous mechanism caused tiflow to incorrectly interpret these flags as set but with empty values, leading to validation failures.
  • Test Refinement: The unit test TestRunTiFlowServerPopulatesSecurityConfig was renamed to TestBuildTiFlowServerOptionsPropagatesTLSFlags and updated to directly test the new buildTiFlowServerOptions function, verifying that all TLS flags are correctly propagated and set within the tiflow server options.


coderabbitai bot commented Jan 28, 2026

Walkthrough

The PR introduces a new helper function buildTiFlowServerOptions to centralize TLS flag propagation from TiCDC's options to tiflow's Options when delegating in old architecture mode, ensuring CLI-provided TLS credentials (CaPath, CertPath, KeyPath, AllowedCertCN) are correctly preserved during server initialization.

Changes

| Cohort / File(s) | Summary |
|---|---|
| TLS Flag Propagation Helper: cmd/cdc/server/server.go | New unexported function buildTiFlowServerOptions(o) centralizes construction of tiflowServer.Options from TiCDC options, including TLS-related paths and certificate CN; replaces inline construction in runTiFlowServer. Error handling for JSON operations adjusted. |
| Test Update: cmd/cdc/server/server_test.go | Replaces TestRunTiFlowServerPopulatesSecurityConfig with TestBuildTiFlowServerOptionsPropagatesTLSFlags to validate end-to-end TLS flag propagation through the new builder function, including CAPath, CertPath, KeyPath, CertAllowedCN, and ServerPdAddr composition. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A bundled-up helper hops into view,
"TLS flags were lost, now I know what to do!"
Building options with CertPath so bright,
Your security credentials, now held tight! 🔐✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: propagating TLS flags to tiflow options in the server module. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #4082 by adding an adapter function (buildTiFlowServerOptions) that propagates TLS CLI flags into tiflow's Options fields and includes a corresponding unit test. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the TLS flag propagation objective: the new helper function, error handling adjustments, test replacement, and related updates are within scope. |
| Description check | ✅ Passed | The pull request description includes all required sections: Issue Number, detailed explanation of the problem and solution, test information, compatibility assessment, and a clear release note. |

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly addresses an issue with TLS flag propagation for the old architecture mode. The introduction of buildTiFlowServerOptions is a good refactoring that improves code clarity and testability. The accompanying test case thoroughly validates the fix. I have a couple of minor suggestions to enhance error handling to be more consistent with the existing codebase.

@wlwilliamx
Collaborator Author

/test all

@ti-chi-bot ti-chi-bot bot added the lgtm label Jan 29, 2026
ti-chi-bot bot commented Jan 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 3AceShowHand, wk989898

Needs approval from an approver in each of these files:
  • OWNERS [3AceShowHand,wk989898]


@ti-chi-bot ti-chi-bot bot removed the needs-1-more-lgtm Indicates a PR needs 1 more LGTM. label Jan 29, 2026
ti-chi-bot bot commented Jan 29, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-01-29 02:56:29.955862934 +0000 UTC m=+1240217.569819780: ☑️ agreed by 3AceShowHand.
  • 2026-01-29 03:54:28.354488953 +0000 UTC m=+1243695.968445830: ☑️ agreed by wk989898.

@wlwilliamx
Collaborator Author

/retest

1 similar comment
@wlwilliamx
Collaborator Author

/retest

@ti-chi-bot ti-chi-bot bot merged commit 3c42ce5 into pingcap:master Jan 30, 2026
27 checks passed
Development

Successfully merging this pull request may close these issues.

Old architecture mode: TLS CLI flags lost when delegating to tiflow (follow-up to #3718/#3720)
