Support IAM role for backup CRD (pingcap#1861)

cofyc · Mar 17, 2020 · 27165a7 · 27165a7
1 parent 9ae7ae2
commit 27165a7
Show file tree

Hide file tree

Showing 15 changed files with 241 additions and 58 deletions.
diff --git a/images/tidb-backup-manager/Dockerfile b/images/tidb-backup-manager/Dockerfile
@@ -1,6 +1,5 @@
 FROM pingcap/tidb-enterprise-tools:latest
-
-ARG VERSION=v1.48.0
+ARG VERSION=v1.51.0
 RUN apk update && apk add ca-certificates
 
 RUN wget -nv https://github.com/ncw/rclone/releases/download/${VERSION}/rclone-${VERSION}-linux-amd64.zip \

diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: Backup
+metadata:
+ name: demo1-backup-s3
+ namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+ # backupType: full
+ # serviceAccount: myServiceAccount
+ br:
+ cluster: myCluster
+ # clusterNamespce: <backup-namespace>
+ # enableTLSClient: true
+ # logLevel: info
+ # statusAddr: <status-addr>
+ # concurrency: 4
+ # rateLimit: 0
+ # timeAgo: <time>
+ # checksum: true
+ # sendCredToTikv: true
+ from:
+ host: 172.30.6.56
+ secretName: mySecret
+ # port: 4000
+ # user: root
+ s3:
+ provider: aws
+ region: us-west-2
+ bucket: backup
+ prefix: test1-demo1
+ # secretName: aws-secret
diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml
@@ -4,20 +4,27 @@ kind: Backup
 metadata:
  name: demo1-backup-s3
  namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
- #backupType: full
+ # backupType: full
+ # serviceAccount: myServiceAccount
  br:
- pd: 10.233.40.168:2379
- # ca: <ca>
- # cert: <cert>
- # key: <key>
+ cluster: myCluster
+ # clusterNamespce: <backup-namespace>
+ # enableTLSClient: true
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
  # rateLimit: 0
  # timeAgo: <time>
  # checksum: true
  # sendCredToTikv: true
+ from:
+ host: 172.30.6.56
+ secretName: mySecret
+ # port: 4000
+ # user: root
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: BackupSchedule
+metadata:
+ name: demo1-backup-schedule-s3
+ namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+ #maxBackups: 5
+ #pause: true
+ maxReservedTime: "3h"
+ schedule: "*/2 * * * *"
+ backupTemplate:
+ #backupType: full
+ # serviceAccount: myServiceAccount
+ br:
+ cluster: myCluster
+ # clusterNamespce: backupNamespace
+ # enableTLSClient: true
+ # logLevel: info
+ # statusAddr: <status-addr>
+ # concurrency: 4
+ # rateLimit: 0
+ # timeAgo: <time>
+ # checksum: true
+ # sendCredToTikv: true
+ from:
+ host: 172.30.6.56
+ secretName: mysecret
+ # port: 4000
+ # user: root
+ s3:
+ provider: aws
+ region: us-west-2
+ bucket: backup
+ prefix: test1-demo1
+ # secretName: aws-secret
diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml
@@ -4,25 +4,32 @@ kind: BackupSchedule
 metadata:
  name: demo1-backup-schedule-s3
  namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
  #maxBackups: 5
  #pause: true
  maxReservedTime: "3h"
  schedule: "*/2 * * * *"
  backupTemplate:
  #backupType: full
+ # serviceAccount: myServiceAccount
  br:
- pd: 10.233.40.168:2379
- # ca: <ca>
- # cert: <cert>
- # key: <key>
+ cluster: myCluster
+ # clusterNamespce: backupNamespace
+ # enableTLSClient: true
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
  # rateLimit: 0
  # timeAgo: <time>
  # checksum: true
  # sendCredToTikv: true
+ from:
+ host: 172.30.6.56
+ secretName: mysecret
+ # port: 4000
+ # user: root
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: Restore
+metadata:
+ name: demo1-restore-s3-br
+ namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+ # backupType: full
+ # serviceAccount: myServiceAccount
+ br:
+ cluster: myCluster
+ # clusterNamespce: <restore-namespace>
+ # enableTLSClient: true
+ # db: <db-name>
+ # table: <table-name>
+ # logLevel: info
+ # statusAddr: <status-addr>
+ # concurrency: 4
+ # rateLimit: 0
+ # timeAgo: <time>
+ # checksum: true
+ # sendCredToTikv: true
+ to:
+ host: 172.30.6.56
+ secretName: mySecret
+ # port: 4000
+ # user: root
+ s3:
+ provider: aws
+ region: us-west-2
+ bucket: backup
+ prefix: test1-demo1
+ # secretName: aws-secret
diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml
@@ -4,22 +4,29 @@ kind: Restore
 metadata:
  name: demo1-restore-s3-br
  namespace: test1
+ # annotations:
+ # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
  # backupType: full
+ # serviceAccount: myServiceAccount
  br:
- pd: 10.233.40.168:2379
+ cluster: myCluster
+ # clusterNamespce: <restore-namespace>
+ # enableTLSClient: true
  # db: <db-name>
  # table: <table-name>
- # ca: <ca>
- # cert: <cert>
- # key: <key>
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
  # rateLimit: 0
  # timeAgo: <time>
  # checksum: true
  # sendCredToTikv: true
+ to:
+ host: 172.30.6.56
+ secretName: mySecret
+ # port: 4000
+ # user: root
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -6896,8 +6896,10 @@ spec:
  type: string
  required:
  - provider
- - secretName
  type: object
+ serviceAccount:
+ description: Specify service account of backup
+ type: string
  storageClassName:
  description: The storageClassName of the persistent volume for Backup
  data storage. Defaults to Kubernetes default storage class.
@@ -7712,8 +7714,10 @@ spec:
  type: string
  required:
  - provider
- - secretName
  type: object
+ serviceAccount:
+ description: Specify service account of restore
+ type: string
  storageClassName:
  description: The storageClassName of the persistent volume for Restore
  data storage. Defaults to Kubernetes default storage class.
@@ -8617,8 +8621,10 @@ spec:
  type: string
  required:
  - provider
- - secretName
  type: object
+ serviceAccount:
+ description: Specify service account of backup
+ type: string
  storageClassName:
  description: The storageClassName of the persistent volume for Backup
  data storage. Defaults to Kubernetes default storage class.

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
@@ -719,7 +719,7 @@ type S3StorageProvider struct {
  Acl string `json:"acl,omitempty"`
  // SecretName is the name of secret which stores
  // S3 compliant storage access key and secret key.
- SecretName string `json:"secretName"`
+ SecretName string `json:"secretName,omitempty"`
  // Prefix for the keys.
  Prefix string `json:"prefix,omitempty"`
  // SSE Sever-Side Encryption.
@@ -804,6 +804,8 @@ type BackupSpec struct {
  // Affinity of backup Pods
  // +optional
  Affinity *corev1.Affinity `json:"affinity,omitempty"`
+ // Specify service account of backup
+ ServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // +k8s:openapi-gen=true
@@ -1022,6 +1024,8 @@ type RestoreSpec struct {
  // Affinity of restore Pods
  // +optional
  Affinity *corev1.Affinity `json:"affinity,omitempty"`
+ // Specify service account of restore
+ ServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // RestoreStatus represents the current status of a tidb cluster restore.

diff --git a/pkg/backup/backup/backup_cleaner.go b/pkg/backup/backup/backup_cleaner.go
@@ -123,14 +123,19 @@ func (bc *backupCleaner) makeCleanJob(backup *v1alpha1.Backup) (*batchv1.Job, st
  fmt.Sprintf("--backupName=%s", name),
  }
 
+ serviceAccount := constants.DefaultServiceAccountName
+ if backup.Spec.ServiceAccount != "" {
+ serviceAccount = backup.Spec.ServiceAccount
+ }
  backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).CleanJob().Backup(name)
 
  podSpec := &corev1.PodTemplateSpec{
  ObjectMeta: metav1.ObjectMeta{
- Labels: backupLabel.Labels(),
+ Labels: backupLabel.Labels(),
+ Annotations: backup.Annotations,
  },
  Spec: corev1.PodSpec{
- ServiceAccountName: constants.DefaultServiceAccountName,
+ ServiceAccountName: serviceAccount,
  Containers: []corev1.Container{
  {
  Name: label.BackupJobLabelVal,

diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
@@ -172,7 +172,6 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
  if err != nil {
  return nil, reason, fmt.Errorf("backup %s/%s, %v", ns, name, err)
  }
-
  envVars = append(envVars, storageEnv...)
  // TODO: make pvc request storage size configurable
  reason, err = bm.ensureBackupPVCExist(backup)
@@ -193,14 +192,19 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
  fmt.Sprintf("--storageType=%s", backuputil.GetStorageType(backup.Spec.StorageProvider)),
  }
 
+ serviceAccount := constants.DefaultServiceAccountName
+ if backup.Spec.ServiceAccount != "" {
+ serviceAccount = backup.Spec.ServiceAccount
+ }
  backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).BackupJob().Backup(name)
  // TODO: need add ResourceRequirement for backup job
  podSpec := &corev1.PodTemplateSpec{
  ObjectMeta: metav1.ObjectMeta{
- Labels: backupLabel.Labels(),
+ Labels: backupLabel.Labels(),
+ Annotations: backup.Annotations,
  },
  Spec: corev1.PodSpec{
- ServiceAccountName: constants.DefaultServiceAccountName,
+ ServiceAccountName: serviceAccount,
  Containers: []corev1.Container{
  {
  Name: label.BackupJobLabelVal,
@@ -285,12 +289,17 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
  })
  }
 
+ serviceAccount := constants.DefaultServiceAccountName
+ if backup.Spec.ServiceAccount != "" {
+ serviceAccount = backup.Spec.ServiceAccount
+ }
  podSpec := &corev1.PodTemplateSpec{
  ObjectMeta: metav1.ObjectMeta{
- Labels: backupLabel.Labels(),
+ Labels: backupLabel.Labels(),
+ Annotations: backup.Annotations,
  },
  Spec: corev1.PodSpec{
- ServiceAccountName: constants.DefaultServiceAccountName,
+ ServiceAccountName: serviceAccount,
  Containers: []corev1.Container{
  {
  Name: label.BackupJobLabelVal,