Backup: open mysql client TLS in backup (#2003) (#2066)

Co-authored-by: 尹亮 <30903849+shuijing198799@users.noreply.github.com>

cmd/backup-manager/app/backup/manager.go

@@ -80,15 +80,26 @@ func (bm *Manager) ProcessBackup() error {
  })
  }
 
+ enableTLSClient := false
+ if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
+ enableTLSClient = true
+ }
+
  if backup.Spec.BR == nil {
  return fmt.Errorf("no br config in %s", bm)
  }
 
  bm.setOptions(backup)
 
  var db *sql.DB
+ var dsn string
  err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(bm.GetDSN())
+ dsn, err = bm.GetDSN(enableTLSClient)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err)
+ return false, err
+ }
+ db, err = util.OpenDB(dsn)
  if err != nil {
  klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
  return false, nil

cmd/backup-manager/app/export/manager.go

@@ -83,8 +83,16 @@ func (bm *BackupManager) ProcessBackup() error {
  bm.setOptions(backup)
 
  var db *sql.DB
+ var dsn string
  err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(bm.GetDSN())
+ // TLS is not currently supported
+ dsn, err = bm.GetDSN(false)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err)
+ return false, err
+ }
+
+ db, err = util.OpenDB(dsn)
  if err != nil {
  klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
  return false, nil

cmd/backup-manager/app/import/manager.go

@@ -84,8 +84,16 @@ func (rm *RestoreManager) ProcessRestore() error {
  rm.setOptions(restore)
 
  var db *sql.DB
+ var dsn string
  err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(rm.GetDSN())
+ // TLS is not currently supported
+ dsn, err = rm.GetDSN(false)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err)
+ return false, err
+ }
+
+ db, err = util.OpenDB(dsn)
  if err != nil {
  klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
  return false, nil

cmd/backup-manager/app/restore/manager.go

@@ -82,11 +82,23 @@ func (rm *Manager) ProcessRestore() error {
  return fmt.Errorf("no br config in %s", rm)
  }
 
+ enableTLSClient := false
+ if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
+ enableTLSClient = true
+ }
+
  rm.setOptions(restore)
 
  var db *sql.DB
+ var dsn string
  err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(rm.GetDSN())
+ dsn, err = rm.GetDSN(enableTLSClient)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err)
+ return false, err
+ }
+
+ db, err = util.OpenDB(dsn)
  if err != nil {
  klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
  return false, nil

cmd/backup-manager/app/util/generic.go

@@ -14,10 +14,18 @@
 package util
 
 import (
+ "crypto/tls"
+ "crypto/x509"
  "database/sql"
+ "errors"
  "fmt"
+ "io/ioutil"
+ "path"
 
+ "github.com/go-sql-driver/mysql"
  "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
+ "github.com/pingcap/tidb-operator/pkg/util"
+ corev1 "k8s.io/api/core/v1"
 )
 
 // GenericOptions contains the generic input arguments to the backup/restore command
@@ -35,8 +43,32 @@ func (bo *GenericOptions) String() string {
  return fmt.Sprintf("%s/%s", bo.Namespace, bo.ResourceName)
 }
 
-func (bo *GenericOptions) GetDSN() string {
- return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB)
+func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
+ if !enabledTLSClient {
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
+ }
+ rootCertPool := x509.NewCertPool()
+ pem, err := ioutil.ReadFile(path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))
+ if err != nil {
+ return "", err
+ }
+ if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+ return "", errors.New("Failed to append PEM")
+ }
+ clientCert := make([]tls.Certificate, 0, 1)
+ certs, err := tls.LoadX509KeyPair(
+ path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey),
+ path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))
+ if err != nil {
+ return "", err
+ }
+ clientCert = append(clientCert, certs)
+ mysql.RegisterTLSConfig("customer", &tls.Config{
+ RootCAs: rootCertPool,
+ Certificates: clientCert,
+ ServerName: bo.Host,
+ })
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
 }
 
 func (bo *GenericOptions) GetTikvGCLifeTime(db *sql.DB) (string, error) {

docs/api-references/docs.html

@@ -7112,6 +7112,21 @@ <h3 id="pingcap.com/v1alpha1.TiDBAccessConfig">TiDBAccessConfig
 <p>SecretName is the name of secret which stores tidb cluster&rsquo;s password.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>tlsClient</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiDBTLSClient">
+TiDBTLSClient
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Whether enable the TLS connection between the SQL client and TiDB server
+Optional: Defaults to nil</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.TiDBConfig">TiDBConfig
@@ -8111,6 +8126,7 @@ <h3 id="pingcap.com/v1alpha1.TiDBTLSClient">TiDBTLSClient
 </h3>
 <p>
 (<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiDBAccessConfig">TiDBAccessConfig</a>, 
 <a href="#pingcap.com/v1alpha1.TiDBSpec">TiDBSpec</a>)
 </p>
 <p>
@@ -8149,6 +8165,21 @@ <h3 id="pingcap.com/v1alpha1.TiDBTLSClient">TiDBTLSClient
 4. Set Enabled to <code>true</code>.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>tlsSecret</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Specify a secret of client cert for backup/restore
+Optional: Defaults to <cluster>-tidb-client-secret
+If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+this field only work in backup/restore process</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.TiKVBlockCacheConfig">TiKVBlockCacheConfig

manifests/backup/backup-aws-s3-br.yaml

@@ -13,7 +13,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: <backup-namespace>
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
@@ -26,6 +27,9 @@ spec:
  secretName: mySecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <backup-tls-secretname>
  s3:
  provider: aws
  region: us-west-2

manifests/backup/backup-s3-br.yaml

@@ -13,7 +13,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: <backup-namespace>
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
@@ -26,6 +27,9 @@ spec:
  secretName: mySecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <backup-tls-secretname>
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

manifests/backup/backup-schedule-aws-s3-br.yaml

@@ -18,7 +18,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: backupNamespace
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
@@ -31,6 +32,9 @@ spec:
  secretName: mysecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <backup-tls-secretname>
  s3:
  provider: aws
  region: us-west-2

manifests/backup/backup-schedule-s3-br.yaml

@@ -18,7 +18,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: backupNamespace
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # logLevel: info
  # statusAddr: <status-addr>
  # concurrency: 4
@@ -31,6 +32,9 @@ spec:
  secretName: mysecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <backup-tls-secretname>
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

manifests/backup/restore-aws-s3-br.yaml

@@ -13,7 +13,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: <restore-namespace>
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # db: <db-name>
  # table: <table-name>
  # logLevel: info
@@ -28,6 +29,9 @@ spec:
  secretName: mySecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <restore-tls-secretname>
  s3:
  provider: aws
  region: us-west-2

manifests/backup/restore-s3-br.yaml

@@ -13,7 +13,8 @@ spec:
  br:
  cluster: myCluster
  # clusterNamespce: <restore-namespace>
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
  # db: <db-name>
  # table: <table-name>
  # logLevel: info
@@ -28,6 +29,9 @@ spec:
  secretName: mySecret
  # port: 4000
  # user: root
+ # tlsClient:
+ # enabled: false
+ # tlsSecret: <restore-tls-secretname>
  s3:
  provider: ceph
  endpoint: http://10.233.57.220

manifests/crd.yaml

@@ -7306,6 +7306,7 @@ spec:
  description: SecretName is the name of secret which stores tidb
  cluster's password.
  type: string
+ tlsClient: {}
  user:
  description: User is the user for login tidb cluster
  type: string
@@ -8242,6 +8243,7 @@ spec:
  description: SecretName is the name of secret which stores tidb
  cluster's password.
  type: string
+ tlsClient: {}
  user:
  description: User is the user for login tidb cluster
  type: string
@@ -9033,6 +9035,7 @@ spec:
  description: SecretName is the name of secret which stores tidb
  cluster's password.
  type: string
+ tlsClient: {}
  user:
  description: User is the user for login tidb cluster
  type: string

pkg/apis/pingcap/v1alpha1/types.go

@@ -648,6 +648,12 @@ type TiDBTLSClient struct {
  // 4. Set Enabled to `true`.
  // +optional
  Enabled bool `json:"enabled,omitempty"`
+ // Specify a secret of client cert for backup/restore
+ // Optional: Defaults to <cluster>-tidb-client-secret
+ // +optional
+ // If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+ // this field only work in backup/restore process
+ TLSSecret string `json:"tlsSecret,omitempty"`
 }
 
 // TLSCluster can enable TLS connection between TiDB server components
@@ -807,6 +813,10 @@ type TiDBAccessConfig struct {
  User string `json:"user,omitempty"`
  // SecretName is the name of secret which stores tidb cluster's password.
  SecretName string `json:"secretName"`
+ // Whether enable the TLS connection between the SQL client and TiDB server
+ // Optional: Defaults to nil
+ // +optional
+ TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"`
 }
 
 // +k8s:openapi-gen=true