You are viewing the documentation for an older major version of the TiDB Operator tool (TiDB Operator v1.0).

TiDB Operator release-1.3, the latest major version of TiDB Operator, is now stable and recommended for general use. To view this page for TiDB Operator release-1.3, click here.

Initialize a TiDB Cluster in Kubernetes

This document describes how to initialize a TiDB cluster in Kubernetes (K8s), specifically, how to configure the initial account and password and how to initialize the database by executing SQL statements automatically in batch.


The following steps only apply when you create a cluster for the first time. Further configuration or modification after the initial cluster creation is not valid.

Set initial account and password

When a cluster is created, a default account root is created with no password. This might cause security issues. You can set a password for the root account in the following steps:

  1. Create the Namespace.

    Before creating the cluster, create the Namespace:

    kubectl create namespace <namespace>
  2. Create a secret object.

    Before creating a cluster, create a secret to specify the password for root:

    kubectl create secret generic tidb-secret --from-literal=root=<root-password> --namespace=<namespace>

    If you also want to create users automatically, append the desired user name and the password, for example:

    kubectl create secret generic tidb-secret --from-literal=root=<root-password> --from-literal=developer=<developer-passowrd> --namespace=<namespace>

    This command creates users root and developer with their passwords, which are saved in the tidb-secret object. By default, the regular user developer is only granted with USAGE privilege; other privileges are set in the configuration item tidb.initSql.

  3. Set a host that has access to TiDB.

    Before deploying the cluster, you can set a host that has access to TiDB by using the tidb.permitHost configuration item. If it is not set, all hosts have access to TiDB. For details, refer to Mysql GRANT host name.

      passwordSecretName: tidb-secret
      permitHost: <mysql-client-host-name>
  4. Deploy the cluster.

    After creating the secret, deploy the cluster using the following command:

    helm install pingcap/tidb-cluster -f values.yaml --name=<release-name> --namespace=<namespace> --version=<chart-version>

    After specifying tidb.passwordSecretName, the above command sets up a cluster with an initialization job created automatically. Using the available secret, this job creates the password for the root account, and creates other user accounts and passwords if specified. The password specified here is required when you login to the MySQL client.


    When the initialization job is created, the Pod for the TiDB cluster has not been created fully. There might be a few errors before initialization completes and Pod state becomes Completed.

Initialize SQL statements in batch

You can also execute the SQL statements in batch in tidb.initSql for initialization. This function by default creates some databases or tables for the cluster and performs user privilege management operations. For example, the following configuration automatically creates a database named app after the cluster creation, and grants the developer account full management privileges on app.

  passwordSecretName: tidb-secret
  initSql: |-
    GRANT ALL PRIVILEGES ON app.* TO 'developer'@'%';

Save the above configuration to the values.yaml file and run the following command to deploy the cluster:

helm install pingcap/tidb-cluster -f values.yaml --name=<release-name> --namespace=<namespace> --version=<chart_version>

Currently no verification has been implemented for initSql. You can create accounts and set passwords in initSql, but it is not recommended because passwords created this way are saved as plaintext in the initializer job object.

Was this page helpful?