From c7941135e94f7acc1bb718dad1343ac4a4b3eda0 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Thu, 19 Mar 2020 15:56:34 +0800 Subject: [PATCH 01/17] backup: support br compatiable with new TLS interface --- cmd/backup-manager/app/backup/backup.go | 19 ++++++++++--------- cmd/backup-manager/app/restore/restore.go | 15 ++++++++------- docs/api-references/docs.html | 11 ++++++++--- manifests/crd.yaml | 12 +++--------- .../pingcap/v1alpha1/openapi_generated.go | 9 +++++---- pkg/apis/pingcap/v1alpha1/types.go | 6 ++++-- pkg/backup/backup/backup_manager.go | 12 ++++++++---- pkg/backup/restore/restore_manager.go | 12 ++++++++---- 8 files changed, 54 insertions(+), 42 deletions(-) diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go index 5e9ab4210d..ac7178fd3d 100644 --- a/cmd/backup-manager/app/backup/backup.go +++ b/cmd/backup-manager/app/backup/backup.go @@ -23,15 +23,16 @@ import ( "github.com/gogo/protobuf/proto" kvbackup "github.com/pingcap/kvproto/pkg/backup" "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants" - "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util" + backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util" "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1" + "github.com/pingcap/tidb-operator/pkg/util" corev1 "k8s.io/api/core/v1" "k8s.io/klog" ) // Options contains the input arguments to the backup command type Options struct { - util.GenericOptions + backupUtil.GenericOptions } func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) { 
@@ -44,10 +45,10 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) { return "", err } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace)) - if backup.Spec.BR.EnableTLSClient { - args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath)) - args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey))) - args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey))) + if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled { + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath))) + args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) + args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) } var btype string @@ -73,7 +74,7 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) { // getCommitTs get backup position from `EndVersion` in BR backup meta func getCommitTs(backup *v1alpha1.Backup) (uint64, error) { var commitTs uint64 - s, err := util.NewRemoteStorage(backup) + s, err := backupUtil.NewRemoteStorage(backup) if err != nil { return commitTs, err } @@ -101,7 +102,7 @@ func getCommitTs(backup *v1alpha1.Backup) (uint64, error) { // constructOptions constructs options for BR and also return the remote path func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) { - args, remotePath, err := util.ConstructBRGlobalOptionsForBackup(backup) + args, remotePath, err := backupUtil.ConstructBRGlobalOptionsForBackup(backup) if err != nil { return args, remotePath, err } 
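Review bot: The three `--ca`/`--cert`/`--key` appends in backupData are duplicated verbatim in restoreData (restore.go hunk `@@ -39,10 +40,10 @@` in this same patch), and the rest of this series has to touch both copies for every path fix. A single helper in backupUtil that takes the TLS directory and returns the three flags would keep backup and restore in step, e.g. `args = append(args, backupUtil.ConstructBRTLSArgs(util.TiDBClientTLSPath)...)` (name is a suggestion). The PD port `2379` is also hard-coded here; if the operator already exposes a constant for it, use that. backupData's body continues outside the hunk.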
@@ -124,7 +125,7 @@ func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) { // getBackupSize get the backup data size from remote func getBackupSize(backup *v1alpha1.Backup) (int64, error) { var size int64 - s, err := util.NewRemoteStorage(backup) + s, err := backupUtil.NewRemoteStorage(backup) if err != nil { return size, err } diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go index 90d0667ee0..3a7abe1f9b 100644 --- a/cmd/backup-manager/app/restore/restore.go +++ b/cmd/backup-manager/app/restore/restore.go @@ -19,14 +19,15 @@ import ( "path" "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants" - "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util" + backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util" "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1" + "github.com/pingcap/tidb-operator/pkg/util" corev1 "k8s.io/api/core/v1" "k8s.io/klog" ) type Options struct { - util.GenericOptions + backupUtil.GenericOptions } func (ro *Options) restoreData(restore *v1alpha1.Restore) error { 
@@ -39,10 +40,10 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error { return err } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace)) - if restore.Spec.BR.EnableTLSClient { - args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath)) - args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey))) - args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey))) + if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled { + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath))) + args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) + args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) } var restoreType string @@ -66,7 +67,7 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error { } func constructBROptions(restore *v1alpha1.Restore) ([]string, error) { - args, err := util.ConstructBRGlobalOptionsForRestore(restore) + args, err := backupUtil.ConstructBRGlobalOptionsForRestore(restore) if err != nil { return nil, err } diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html index 41c5be1b10..286be033d2 100644 --- a/docs/api-references/docs.html +++ b/docs/api-references/docs.html @@ -1546,13 +1546,17 @@

BRConfig -enableTLSClient
+tlsCluster
-bool + +TLSCluster + -

Whether enable TLS in TiDBCluster

+(Optional) +

Whether enable the TLS connection between TiDB server components +Optional: Defaults to nil

@@ -6652,6 +6656,7 @@

TLSCluster

(Appears on: +BRConfig, TidbClusterSpec)

diff --git a/manifests/crd.yaml b/manifests/crd.yaml index d69a3a1d49..0caffeaec2 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6766,9 +6766,6 @@ spec: db: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -6796,6 +6793,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object @@ -7610,9 +7608,6 @@ spec: db: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -7640,6 +7635,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object @@ -8497,9 +8493,6 @@ spec: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -8527,6 +8520,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index 077d8ddad4..ae26ed35e2 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go 
@@ -375,11 +375,10 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com Description: "BRConfig contains config for BR", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "enableTLSClient": { + "tlsCluster": { SchemaProps: spec.SchemaProps{ - Description: "Whether enable TLS in TiDBCluster", - Type: []string{"boolean"}, - Format: "", + Description: "Whether enable the TLS connection between TiDB server components Optional: Defaults to nil", + Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"), }, }, "cluster": { @@ -470,6 +469,8 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com Required: []string{"cluster"}, }, }, + Dependencies: []string{ + "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"}, } } diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index ee2f3813a8..499bb65e30 100644 --- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go @@ -819,8 +819,10 @@ type BackupSpec struct { // +k8s:openapi-gen=true // BRConfig contains config for BR type BRConfig struct { - // Whether enable TLS in TiDBCluster - EnableTLSClient bool `json:"enableTLSClient,omitempty"` + // Whether enable the TLS connection between TiDB server components + // Optional: Defaults to nil + // +optional + TLSCluster *TLSCluster `json:"tlsCluster,omitempty"` // ClusterName of backup/restore cluster Cluster string `json:"cluster"` // Namespace of backup/restore cluster diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go index cf8d94e5f5..95d1881948 100644 --- a/pkg/backup/backup/backup_manager.go +++ b/pkg/backup/backup/backup_manager.go 
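Review bot: The new `TLSCluster` field on BRConfig (types.go hunk `@@ -819,8 +819,10 @@`) reuses the TidbCluster-level doc comment "Whether enable the TLS connection between TiDB server components", which does not say what it means on a Backup/Restore. From the callers in this patch it gates the `--ca/--cert/--key` flags BR passes to PD/TiKV and the mount of the cluster's client secret, so the comment should say so and that it must match the target TidbCluster's `spec.tlsCluster`, e.g. `// TLSCluster enables TLS for BR's connections to PD/TiKV and mounts the cluster client secret; must agree with the target TidbCluster's spec.tlsCluster.` Whether it could instead be read from the referenced TidbCluster rather than duplicated on the Backup is a design question the PR description does not address.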
@@ -22,6 +22,7 @@ import ( backuputil "github.com/pingcap/tidb-operator/pkg/backup/util" "github.com/pingcap/tidb-operator/pkg/controller" "github.com/pingcap/tidb-operator/pkg/label" + "github.com/pingcap/tidb-operator/pkg/util" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -276,14 +277,17 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).BackupJob().Backup(name) volumeMounts := []corev1.VolumeMount{} volumes := []corev1.Volume{} - if backup.Spec.BR.EnableTLSClient { + if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath, + Name: "tidb-client-tls", + ReadOnly: true, + MountPath: util.TiDBClientTLSPath, }) volumes = append(volumes, corev1.Volume{ - Name: "br-tls", VolumeSource: corev1.VolumeSource{ + Name: "tidb-client-tls", + VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(backup.Spec.BR.Cluster)), + SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster), }, }, }) diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go index cdbcec11e8..cb31a234b6 100644 --- a/pkg/backup/restore/restore_manager.go +++ b/pkg/backup/restore/restore_manager.go @@ -23,6 +23,7 @@ import ( listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1" "github.com/pingcap/tidb-operator/pkg/controller" "github.com/pingcap/tidb-operator/pkg/label" + "github.com/pingcap/tidb-operator/pkg/util" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" 
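Review bot: makeBackupJob now mounts the secret named by `fmt.Sprintf("%s-client", controller.PDMemberName(...))` whenever `TLSCluster.Enabled` is set, but nothing in the hunk checks that the secret exists before the Job is created; if it is missing the pod stays in ContainerCreating with a mount error that is only visible on the pod, not on the Backup. Unless validation already happens earlier in the manager (not visible here), a lookup via the secret lister before building the job, surfacing a Backup condition such as `"TLS client secret %s not found"`, would make the failure mode observable. The same applies to makeRestoreJob in restore_manager.go (hunk `@@ -260,14 +261,17 @@`). makeBackupJob's body continues outside the hunk.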
@@ -260,14 +261,17 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo restoreLabel := label.NewBackup().Instance(restore.GetInstanceName()).RestoreJob().Restore(name) volumeMounts := []corev1.VolumeMount{} volumes := []corev1.Volume{} - if restore.Spec.BR.EnableTLSClient { + if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath, + Name: "tidb-client-tls", + ReadOnly: true, + MountPath: util.TiDBClientTLSPath, }) volumes = append(volumes, corev1.Volume{ - Name: "br-tls", VolumeSource: corev1.VolumeSource{ + Name: "tidb-client-tls", + VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(restore.Spec.BR.Cluster)), + SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster), }, }, }) From 0076590c57dcfc2400795644c7f85ab215b4b847 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Thu, 19 Mar 2020 16:00:52 +0800 Subject: [PATCH 02/17] backup: fix ca name, use k8s core one --- cmd/backup-manager/app/backup/backup.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go index ac7178fd3d..8fb99f4c89 100644 --- a/cmd/backup-manager/app/backup/backup.go +++ b/cmd/backup-manager/app/backup/backup.go 
@@ -46,7 +46,7 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) { } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace)) if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled { - args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath))) + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))) args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) } From 14c9d8f9368d3c3902b612f82b05d0b0e2ee02a6 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Thu, 19 Mar 2020 16:00:59 +0800 Subject: [PATCH 03/17] backup: fix ca name, use k8s core one --- cmd/backup-manager/app/restore/restore.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go index 3a7abe1f9b..a0fef0fd6f 100644 --- a/cmd/backup-manager/app/restore/restore.go +++ b/cmd/backup-manager/app/restore/restore.go @@ -41,7 +41,7 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error { } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace)) if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled { - args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath))) + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))) args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) } From ba2284f5c16596c4c6724b9ab1c326725e5c0e71 Mon Sep 17 00:00:00 2001 
From: shuijing198799 Date: Thu, 19 Mar 2020 20:07:37 +0800 Subject: [PATCH 04/17] fix tiny --- cmd/backup-manager/app/restore/restore.go | 1 - 1 file changed, 1 deletion(-) diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go index a0fef0fd6f..9a73e21e5f 100644 --- a/cmd/backup-manager/app/restore/restore.go +++ b/cmd/backup-manager/app/restore/restore.go @@ -18,7 +18,6 @@ import ( "os/exec" "path" - "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants" backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util" "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1" "github.com/pingcap/tidb-operator/pkg/util" From cc8b9d7c422ae2b03035187ef95c2f1138b26e03 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Thu, 19 Mar 2020 20:27:26 +0800 Subject: [PATCH 05/17] gen code --- pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go index e8ed1ac39c..88e7aed5d1 100644 --- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go @@ -28,6 +28,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BRConfig) DeepCopyInto(out *BRConfig) { *out = *in + if in.TLSCluster != nil { + in, out := &in.TLSCluster, &out.TLSCluster + *out = new(TLSCluster) + **out = **in + } if in.Concurrency != nil { in, out := &in.Concurrency, &out.Concurrency *out = new(uint32) From 67ade573ee01f42305accd3b631b5c492a721911 Mon Sep 17 00:00:00 2001 
From: shuijing198799 Date: Fri, 20 Mar 2020 12:09:46 +0800 Subject: [PATCH 06/17] fix tls path error --- cmd/backup-manager/app/backup/backup.go | 6 +++--- cmd/backup-manager/app/restore/restore.go | 6 +++--- pkg/backup/backup/backup_manager.go | 8 ++++---- pkg/backup/restore/restore_manager.go | 8 ++++---- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go index 8fb99f4c89..2becef8bf6 100644 --- a/cmd/backup-manager/app/backup/backup.go +++ b/cmd/backup-manager/app/backup/backup.go @@ -46,9 +46,9 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) { } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace)) if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled { - args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))) - args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) - args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey))) + args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey))) + args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey))) } var btype string diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go index 9a73e21e5f..d2e5a643d8 100644 --- a/cmd/backup-manager/app/restore/restore.go +++ b/cmd/backup-manager/app/restore/restore.go 
@@ -40,9 +40,9 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error { } args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace)) if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled { - args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))) - args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey))) - args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))) + args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey))) + args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey))) + args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey))) } var restoreType string diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go index 95d1881948..fa162fba9c 100644 --- a/pkg/backup/backup/backup_manager.go +++ b/pkg/backup/backup/backup_manager.go @@ -279,15 +279,15 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s volumes := []corev1.Volume{} if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: "tidb-client-tls", + Name: "cluster-client-tls", ReadOnly: true, - MountPath: util.TiDBClientTLSPath, + MountPath: util.ClusterClientTLSPath, }) volumes = append(volumes, corev1.Volume{ - Name: "tidb-client-tls", + Name: "cluster-client-tls", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster), + SecretName: util.ClusterClientTLSSecretName(backup.Spec.BR.Cluster), }, }, }) 
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go index cb31a234b6..1a38b7489f 100644 --- a/pkg/backup/restore/restore_manager.go +++ b/pkg/backup/restore/restore_manager.go @@ -263,15 +263,15 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo volumes := []corev1.Volume{} if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: "tidb-client-tls", + Name: "cluster-client-tls", ReadOnly: true, - MountPath: util.TiDBClientTLSPath, + MountPath: util.ClusterClientTLSPath, }) volumes = append(volumes, corev1.Volume{ - Name: "tidb-client-tls", + Name: "cluster-client-tls", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster), + SecretName: util.ClusterClientTLSSecretName(restore.Spec.BR.Cluster), }, }, }) From 8036fa0ab09a7cbb94c728ad261cf16a6cac8c9c Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Fri, 20 Mar 2020 17:41:02 +0800 Subject: [PATCH 07/17] backup: add enable client tls in backup --- cmd/backup-manager/app/backup/manager.go | 14 ++++++- cmd/backup-manager/app/export/manager.go | 10 ++++- cmd/backup-manager/app/import/manager.go | 9 ++++- cmd/backup-manager/app/restore/manager.go | 15 +++++++- cmd/backup-manager/app/util/generic.go | 37 ++++++++++++++++++- docs/api-references/docs.html | 16 ++++++++ manifests/crd.yaml | 3 ++ .../pingcap/v1alpha1/openapi_generated.go | 8 ++++ pkg/apis/pingcap/v1alpha1/types.go | 4 ++ .../pingcap/v1alpha1/zz_generated.deepcopy.go | 9 ++++- pkg/backup/backup/backup_cleaner.go | 2 +- pkg/backup/backup/backup_manager.go | 20 +++++++++- pkg/backup/restore/restore_manager.go | 20 +++++++++- 13 files changed, 154 insertions(+), 13 deletions(-) diff --git a/cmd/backup-manager/app/backup/manager.go b/cmd/backup-manager/app/backup/manager.go index f4389b1d48..b060153394 100644 
--- a/cmd/backup-manager/app/backup/manager.go +++ b/cmd/backup-manager/app/backup/manager.go @@ -80,6 +80,12 @@ func (bm *Manager) ProcessBackup() error { }) } + var enableTLSClient bool + enableTLSClient = false + if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled { + enableTLSClient = true + } + if backup.Spec.BR == nil { return fmt.Errorf("no br config in %s", bm) } @@ -87,8 +93,14 @@ func (bm *Manager) ProcessBackup() error { bm.setOptions(backup) var db *sql.DB + var dsn string err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) { - db, err = util.OpenDB(bm.GetDSN()) + dsn, err = bm.GetDSN(enableTLSClient) + if err != nil { + klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err) + return false, err + } + db, err = util.OpenDB(dsn) if err != nil { klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err) return false, nil diff --git a/cmd/backup-manager/app/export/manager.go b/cmd/backup-manager/app/export/manager.go index b4a488e6ef..544dd75598 100644 --- a/cmd/backup-manager/app/export/manager.go +++ b/cmd/backup-manager/app/export/manager.go @@ -83,8 +83,16 @@ func (bm *BackupManager) ProcessBackup() error { bm.setOptions(backup) var db *sql.DB + var dsn string err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) { - db, err = util.OpenDB(bm.GetDSN()) + // TLS is not currently supported + dsn, err = bm.GetDSN(false) + if err != nil { + klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err) + return false, err + } + + db, err = util.OpenDB(dsn) if err != nil { klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err) return false, nil diff --git a/cmd/backup-manager/app/import/manager.go b/cmd/backup-manager/app/import/manager.go index 3d6ac2ce31..f7c2c7c9ed 100644 --- a/cmd/backup-manager/app/import/manager.go +++ b/cmd/backup-manager/app/import/manager.go 
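Review bot: The four-line `var enableTLSClient bool / enableTLSClient = false / if … { enableTLSClient = true }` in ProcessBackup collapses to one expression, `enableTLSClient := backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled`; the same pattern is repeated in restore/manager.go (hunk `@@ -82,11 +82,24 @@`). Inside the poll closure the GetDSN error is both logged with `klog.Errorf` and returned, so the caller that receives it presumably logs it again; handling it at one layer, or wrapping it with `fmt.Errorf("get dsn of tidb cluster %s: %w", bm, err)` and letting the caller log, avoids duplicate lines. This applies equally to the export and restore managers in this patch. ProcessBackup's body continues outside the hunk.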
@@ -84,8 +84,15 @@ func (rm *RestoreManager) ProcessRestore() error { rm.setOptions(restore) var db *sql.DB + var dsn string err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) { - db, err = util.OpenDB(rm.GetDSN()) + // TLS is not currently supported + dsn, err = rm.GetDSN(false) + if err != nil { + klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err) + return false, err + } + if err != nil { klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err) return false, nil diff --git a/cmd/backup-manager/app/restore/manager.go b/cmd/backup-manager/app/restore/manager.go index 56b06b66f5..990b31cd5d 100644 --- a/cmd/backup-manager/app/restore/manager.go +++ b/cmd/backup-manager/app/restore/manager.go @@ -82,11 +82,24 @@ func (rm *Manager) ProcessRestore() error { return fmt.Errorf("no br config in %s", rm) } + var enableTLSClient bool + enableTLSClient = false + if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled { + enableTLSClient = true + } + rm.setOptions(restore) var db *sql.DB + var dsn string err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) { - db, err = util.OpenDB(rm.GetDSN()) + dsn, err = rm.GetDSN(enableTLSClient) + if err != nil { + klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err) + return false, err + } + + db, err = util.OpenDB(dsn) if err != nil { klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err) return false, nil diff --git a/cmd/backup-manager/app/util/generic.go b/cmd/backup-manager/app/util/generic.go index 04bebc5b3b..17a98aa61f 100644 --- a/cmd/backup-manager/app/util/generic.go +++ b/cmd/backup-manager/app/util/generic.go 
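Review bot: In import/manager.go ProcessRestore the replaced line `db, err = util.OpenDB(rm.GetDSN())` is never reinstated: after `dsn, err = rm.GetDSN(false)` and its error check, the next `if err != nil` is a dead re-check of the same error and `db` is never opened, so it stays nil and the later `db` uses in ProcessRestore (outside the hunk) will hit a nil pointer. The sibling export/manager.go hunk in this patch keeps `db, err = util.OpenDB(dsn)`; the same line is needed here in place of the blank `+` line, i.e. `db, err = util.OpenDB(dsn)`. ProcessRestore's body continues outside the hunk.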
@@ -14,10 +14,18 @@ package util import ( + "crypto/tls" + "crypto/x509" "database/sql" + "errors" "fmt" + "io/ioutil" + "path" + "github.com/go-sql-driver/mysql" "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants" + "github.com/pingcap/tidb-operator/pkg/util" + corev1 "k8s.io/api/core/v1" ) // GenericOptions contains the generic input arguments to the backup/restore command @@ -35,8 +43,33 @@ func (bo *GenericOptions) String() string { return fmt.Sprintf("%s/%s", bo.Namespace, bo.ResourceName) } -func (bo *GenericOptions) GetDSN() string { - return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB) +func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) { + if enabledTLSClient { + rootCertPool := x509.NewCertPool() + pem, err := ioutil.ReadFile(path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)) + if err != nil { + return "", err + } + if ok := rootCertPool.AppendCertsFromPEM(pem); !ok { + return "", errors.New("Failed to append PEM.") + } + clientCert := make([]tls.Certificate, 0, 1) + certs, err := tls.LoadX509KeyPair( + path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey), + path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)) + if err != nil { + return "", err + } + clientCert = append(clientCert, certs) + mysql.RegisterTLSConfig("customer", &tls.Config{ + RootCAs: rootCertPool, + Certificates: clientCert, + ServerName: bo.Host, + }) + return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil + } else { + return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil + } } func (bo *GenericOptions) GetTikvGCLifeTime(db *sql.DB) (string, error) { diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html index 286be033d2..4293d852c8 100644 --- a/docs/api-references/docs.html 
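Review bot: In GetDSN the return value of `mysql.RegisterTLSConfig("customer", …)` is discarded, and because GetDSN is called from inside `wait.PollImmediate` in the managers, the same key is re-registered and the CA file re-read on every retry; the registration should be checked once and the `tls.Config` should pin `MinVersion: tls.VersionTLS12` so a downgraded handshake is rejected rather than left to library defaults. The error string `"Failed to append PEM."` should be lowercase without the trailing period, and the `else` after the `return` can go. Note also that the returned DSN embeds `bo.Password`, so callers must not log it; the managers currently log only `bm`, which is fine. GetDSN is fully inside the hunk.
```go
func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
	if !enabledTLSClient {
		return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
	}
	// … unchanged: build rootCertPool from ServiceAccountRootCAKey …
	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
		return "", errors.New("append CA PEM to cert pool")
	}
	// … unchanged: tls.LoadX509KeyPair into clientCert …
	cfg := &tls.Config{
		RootCAs:      rootCertPool,
		Certificates: clientCert,
		ServerName:   bo.Host,
		MinVersion:   tls.VersionTLS12,
	}
	// RegisterTLSConfig rejects reserved keys and must not fail silently.
	if err := mysql.RegisterTLSConfig("customer", cfg); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
}
```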
+++ b/docs/api-references/docs.html @@ -6762,6 +6762,21 @@

TiDBAccessConfig

SecretName is the name of secret which stores tidb cluster’s password.

+ + +tlsClient
+ + +TiDBTLSClient + + + + +(Optional) +

Whether enable the TLS connection between the SQL client and TiDB server +Optional: Defaults to nil

+ +

TiDBConfig @@ -7638,6 +7653,7 @@

TiDBTLSClient

(Appears on: +TiDBAccessConfig, TiDBSpec)

diff --git a/manifests/crd.yaml b/manifests/crd.yaml index 0caffeaec2..2849277203 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6813,6 +6813,7 @@ spec: description: SecretName is the name of secret which stores tidb cluster's password. type: string + tlsClient: {} user: description: User is the user for login tidb cluster type: string @@ -7749,6 +7750,7 @@ spec: description: SecretName is the name of secret which stores tidb cluster's password. type: string + tlsClient: {} user: description: User is the user for login tidb cluster type: string @@ -8540,6 +8542,7 @@ spec: description: SecretName is the name of secret which stores tidb cluster's password. type: string + tlsClient: {} user: description: User is the user for login tidb cluster type: string diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index ae26ed35e2..b6d2fa4e22 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go @@ -3201,10 +3201,18 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb Format: "", }, }, + "tlsClient": { + SchemaProps: spec.SchemaProps{ + Description: "Whether enable the TLS connection between the SQL client and TiDB server Optional: Defaults to nil", + Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"), + }, + }, }, Required: []string{"host", "secretName"}, }, }, + Dependencies: []string{ + "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"}, } } diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index 499bb65e30..0c6fb806c6 100644 --- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go 
@@ -781,6 +781,10 @@ type TiDBAccessConfig struct { User string `json:"user,omitempty"` // SecretName is the name of secret which stores tidb cluster's password. SecretName string `json:"secretName"` + // Whether enable the TLS connection between the SQL client and TiDB server + // Optional: Defaults to nil + // +optional + TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"` } // +k8s:openapi-gen=true diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go index 88e7aed5d1..96bd867ff7 100644 --- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go @@ -269,7 +269,7 @@ func (in *BackupScheduleStatus) DeepCopy() *BackupScheduleStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackupSpec) DeepCopyInto(out *BackupSpec) { *out = *in - out.From = in.From + in.From.DeepCopyInto(&out.From) if in.TikvGCLifeTime != nil { in, out := &in.TikvGCLifeTime, &out.TikvGCLifeTime *out = new(string) @@ -1924,7 +1924,7 @@ func (in *RestoreList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RestoreSpec) DeepCopyInto(out *RestoreSpec) { *out = *in - out.To = in.To + in.To.DeepCopyInto(&out.To) if in.TikvGCLifeTime != nil { in, out := &in.TikvGCLifeTime, &out.TikvGCLifeTime *out = new(string) @@ -2239,6 +2239,11 @@ func (in *TLSCluster) DeepCopy() *TLSCluster { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiDBAccessConfig) DeepCopyInto(out *TiDBAccessConfig) { *out = *in + if in.TLSClient != nil { + in, out := &in.TLSClient, &out.TLSClient + *out = new(TiDBTLSClient) + **out = **in + } return } 
diff --git a/pkg/backup/backup/backup_cleaner.go b/pkg/backup/backup/backup_cleaner.go index 001406da15..3f29ab65f6 100644 --- a/pkg/backup/backup/backup_cleaner.go +++ b/pkg/backup/backup/backup_cleaner.go @@ -140,7 +140,7 @@ func (bc *backupCleaner) makeCleanJob(backup *v1alpha1.Backup) (*batchv1.Job, st Name: label.BackupJobLabelVal, Image: controller.TidbBackupManagerImage, Args: args, - ImagePullPolicy: corev1.PullAlways, + ImagePullPolicy: corev1.PullIfNotPresent, Env: storageEnv, }, }, diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go index fa162fba9c..bc5a23cadd 100644 --- a/pkg/backup/backup/backup_manager.go +++ b/pkg/backup/backup/backup_manager.go @@ -211,7 +211,7 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s Name: label.BackupJobLabelVal, Image: controller.TidbBackupManagerImage, Args: args, - ImagePullPolicy: corev1.PullAlways, + ImagePullPolicy: corev1.PullIfNotPresent, VolumeMounts: []corev1.VolumeMount{ {Name: label.BackupJobLabelVal, MountPath: constants.BackupRootPath}, }, @@ -293,6 +293,22 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s }) } + if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "tidb-client-tls", + ReadOnly: true, + MountPath: util.TiDBClientTLSPath, + }) + volumes = append(volumes, corev1.Volume{ + Name: "tidb-client-tls", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster), + }, + }, + }) + } + serviceAccount := constants.DefaultServiceAccountName if backup.Spec.ServiceAccount != "" { serviceAccount = backup.Spec.ServiceAccount 
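Review bot: The switch from `corev1.PullAlways` to `corev1.PullIfNotPresent` in makeCleanJob is unrelated to the TLS work in this commit and weakens image freshness: if `controller.TidbBackupManagerImage` is addressed by a mutable tag (I can't see how it is set from here), a node that already cached that tag keeps running the old layers after the tag is republished, including after a security rebuild. Keep `PullAlways` for tag-addressed images, or pin the image by digest (`repo/tidb-backup-manager@sha256:…`), which makes `PullIfNotPresent` both safe and the faster choice. The same one-line change is repeated in makeExportJob, makeBackupJob, makeImportJob and makeRestoreJob in this commit, so whichever policy is chosen should be applied to all five and mentioned in the commit message. The enclosing Container/Pod spec literal starts and ends outside the hunk.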
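Review bot: The new block gates the mount on `backup.Spec.From.TLSClient.Enabled` but builds the secret name from `backup.Spec.BR.Cluster`, so a Backup with `from.tlsClient.enabled: true` and no `br` section dereferences a nil `BR` in the controller if `BR` is a pointer field (the CRD treats it as optional, and the deleted `backup-export.yaml` in this series omits it). If makeBackupJob is only reached for BR backups, say so in a comment on the condition, e.g. `// BR is non-nil here: makeBackupJob is only used for BR-based backups`; otherwise return an error before touching `BR`. Nothing confirms the `<cluster>-tidb-client-secret` exists before the Job is created; a missing secret leaves the pod in ContainerCreating with no condition on the Backup, so resolving it through the controller's secret lister first (if backupManager has one, I can't tell from here) would give a usable failure reason. makeBackupJob starts and ends outside the hunk.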
@@ -309,7 +325,7 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s Name: label.BackupJobLabelVal, Image: controller.TidbBackupManagerImage, Args: args, - ImagePullPolicy: corev1.PullAlways, + ImagePullPolicy: corev1.PullIfNotPresent, VolumeMounts: volumeMounts, Env: envVars, }, diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go index 1a38b7489f..da62c7b029 100644 --- a/pkg/backup/restore/restore_manager.go +++ b/pkg/backup/restore/restore_manager.go @@ -197,7 +197,7 @@ func (rm *restoreManager) makeImportJob(restore *v1alpha1.Restore) (*batchv1.Job Name: label.RestoreJobLabelVal, Image: controller.TidbBackupManagerImage, Args: args, - ImagePullPolicy: corev1.PullAlways, + ImagePullPolicy: corev1.PullIfNotPresent, VolumeMounts: []corev1.VolumeMount{ {Name: label.RestoreJobLabelVal, MountPath: constants.BackupRootPath}, }, @@ -277,6 +277,22 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo }) } + if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "tidb-client-tls", + ReadOnly: true, + MountPath: util.TiDBClientTLSPath, + }) + volumes = append(volumes, corev1.Volume{ + Name: "tidb-client-tls", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster), + }, + }, + }) + } + serviceAccount := constants.DefaultServiceAccountName if restore.Spec.ServiceAccount != "" { serviceAccount = restore.Spec.ServiceAccount @@ -294,7 +310,7 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo Name: label.RestoreJobLabelVal, Image: controller.TidbBackupManagerImage, Args: args, - ImagePullPolicy: corev1.PullAlways, + ImagePullPolicy: corev1.PullIfNotPresent, VolumeMounts: volumeMounts, Env: envVars, }, From 8c2223edcca026e53b03c19f7d73d61ec7842dfb Mon Sep 17 00:00:00 2001 
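Review bot: As in makeBackupJob, the mount is gated on `restore.Spec.To.TLSClient.Enabled` while the secret name comes from `restore.Spec.BR.Cluster`, so a Restore whose `to.tlsClient.enabled` is true but which carries no `br` block panics the controller on a nil `BR` if that field is a pointer; either return an error before touching `BR` or add `// BR is non-nil here: makeRestoreJob is only used for BR-based restores` on the condition if that invariant holds. The volume/mount code is a verbatim copy of the backup side apart from the field names, so a single shared helper taking the `*TiDBTLSClient` and cluster name would ensure later fixes (secret existence checks, file modes) land in both places. makeRestoreJob starts and ends outside the hunk.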
From: shuijing198799 Date: Fri, 20 Mar 2020 17:45:37 +0800 Subject: [PATCH 08/17] delete unused files --- aylei.bk | 20 -------------------- aylei.yaml | 22 ---------------------- backup-export.yaml | 23 ----------------------- backup.yaml | 37 ------------------------------------- dev-base.yaml | 27 --------------------------- 5 files changed, 129 deletions(-) delete mode 100644 aylei.bk delete mode 100644 aylei.yaml delete mode 100644 backup-export.yaml delete mode 100644 backup.yaml delete mode 100644 dev-base.yaml diff --git a/aylei.bk b/aylei.bk deleted file mode 100644 index d8a554587b..0000000000 --- a/aylei.bk +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: pingcap.com/v1alpha1 -kind: Backup -metadata: - name: br-test - namespace: tidb3 -spec: - br: - cluster: db - clusterNamespce: tidb3 - concurrency: 16 - from: - host: db-tidb.tidb3 - secretName: db-secret - user: root - s3: - provider: aws - region: us-west-2 - bucket: dbaas-hibernate - prefix: test2 - secretName: aws-secret diff --git a/aylei.yaml b/aylei.yaml deleted file mode 100644 index 90feb1e2fc..0000000000 --- a/aylei.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: v1 -clusters: -- cluster: - certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwekNDQWJ1Z0F3SUJBZ0lNRmZ6R1FnQ0NZbEQ5NXUzVE1BMEdDU3FHU0liM0RRRUJDd1VBTUJVeEV6QVIKQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13SGhjTk1qQXdNekUwTVRFME5UVTFXaGNOTXpBd016RTBNVEUwTlRVMQpXakFWTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQTJEeUI2RmhDMHhPR245TDRUK2F4SUdTMm4zSzhsWlIwUE1WRzhHazQ3cU1RZjQrSTBadE0KU3ozVURpRk1pQnVKTXl2Rnd6b2Zoek1aTjUzRVBWS1JUL2hodmJxRm5HMGxlTGhremFpNjdHZmJaeDVadmNQOQpFMDZQTTlHMDRLU2ZwczBJaFdiZjJHclVvZlZPZXJZMFF0QUJQREpXM0Vjc1huajkzdml1SVZsaElqSWgzdTNlCnlhSE1GRElEckVrRTFVN2lPYnNlQmFFbFJ2dW4zbWplVTgyd2hjci9TbUJ5M0xpSlFuazVwL2dPY2M3c2UxNXYKaVRqZkwzV1czcTcxY0xGYVFSazF1VnFxT3BJUFgySGtJMC9ReUtWZ2Zud3FxbUQ2OXFPeW9aSm03MXplVnByMwoyTDdKV294ZUZ4dktiR1Q2OWh5NnBleWdCRUdXSk5GRXNRSURBUUFCb3lNd0lUQU9CZ05WSFE4QkFmOEVCQU1DCkFRWXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFHVFF0ZmFWOHc1Wk8KOVBVR3huTGpuWlBibnRXR1hxSy9TZC9YL2JyZlRzSlF0dkJVS3ZvNnBDdThYSG5DVytDZ2NXVnRrZ29HMy8zdQpYNVoxVGRSN1U2eG9vcVV4RnRMSFBPUXE0cm55Mzdya2pNaDViZk1JY1QwcWZ4M0c1QkthVjBwVEk1YmxIa09NClltNllUeHh4MVFOcUZTMXkyaTBOYjE1Z2kyVkQ5cnBaYUlSK2NpSTJ6MkNOOGpIVHRYclBZMGNMeEhreXpkS2IKQzJadlZyM2Y4MzViRW1NYlhldm41a2FFUWlBeG9oYWQrZWZlL0cyNUtINnRsVityc3hidkRGaFhYdTBRSmlJdQo5eGxDd1ZxSFBjejkxOGNLQXFoU1Z3SllaSkQ4Zkd6cWszMkY0cHc5a3Q2OHk3UU1uK2VSYlYwUHBhQTBOOWJoCkRZMU9uWFlqa2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - server: https://api-benchmark-k8s-local-fmeitd-1509208865.us-west-2.elb.amazonaws.com - name: benchmark.k8s.local -contexts: -- context: - cluster: benchmark.k8s.local - namespace: operations - user: benchmark.k8s.local - name: benchmark.k8s.local -current-context: benchmark.k8s.local -kind: Config -preferences: {} -users: -- name: benchmark.k8s.local - user: - client-certificate-data: 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 - client-key-data: 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 - 
password: H6oc82ldn9Qkukro1691mUPOmIayitqg - username: admin diff --git a/backup-export.yaml b/backup-export.yaml deleted file mode 100644 index 587eda5c6a..0000000000 --- a/backup-export.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: pingcap.com/v1alpha1 -kind: Backup -metadata: - name: export-backup-s3 - namespace: tidb4 - annotations: - iam.amazonaws.com/role: "arn:aws:iam::385595570414:role/dbaas-kops-jony22-backup" -spec: - backupType: full - useKMS: true - tikvGCLifeTime: 100h - storageClassName: gp2 - storageSize: 1Gi - from: - host: 172.30.2.6 - secretName: mysql-pwd-1584498036384022997 - port: 4000 - user: root - s3: - provider: aws - region: us-west-2 - bucket: backup.jony22.us-west-2.tidbcloud.com diff --git a/backup.yaml b/backup.yaml deleted file mode 100644 index 79f8ef4b4d..0000000000 --- a/backup.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: pingcap.com/v1alpha1 -kind: Backup -metadata: - name: sa-backup-s3 - namespace: cluster -spec: - backupType: full - useKMS: false - br: - cluster: cluster - clusterNamespace: cluster - sendCredToTikv: true - tlsCluster: - enabled: true - # clusterNamespce: - # enableTLSClient: true - # logLevel: info - # statusAddr: - # concurrency: 4 - # rateLimit: 0 - # timeAgo:
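Review bot: Deleting `aylei.yaml` does not remove it from history: the hunk shows a complete kubeconfig for the `benchmark.k8s.local` cluster with a CA bundle, client certificate and key data and a `password:` for `username: admin`, and once pushed every fetch of this branch carries that commit. Treat the credential as compromised: rotate the admin basic-auth password and revoke/reissue the client certificate on that cluster, and rewrite the branch history (`git filter-repo` or BFG) before merge if the repository is public. `backup-export.yaml` in the same commit also exposes an IAM role ARN, an internal IP and a password secret name; less sensitive, but worth confirming they are not live. A secret scanner such as gitleaks in pre-commit or CI would have blocked the kubeconfig before it landed.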

TiDBAccessConfig Optional: Defaults to nil

+ + +tlsSecret
+ +string + + + +(Optional) +

Specify a secret for client cert in backup/restore +Optional: Defaults to -tidb-client-secret

+ +

TiDBConfig diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml index 51cf56dd19..73166ab904 100644 --- a/manifests/backup/backup-aws-s3-br.yaml +++ b/manifests/backup/backup-aws-s3-br.yaml @@ -29,6 +29,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml index db70f75268..56da73c236 100644 --- a/manifests/backup/backup-s3-br.yaml +++ b/manifests/backup/backup-s3-br.yaml @@ -29,6 +29,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml index a1c7c56d99..d0ac2767b9 100644 --- a/manifests/backup/backup-schedule-aws-s3-br.yaml +++ b/manifests/backup/backup-schedule-aws-s3-br.yaml @@ -34,6 +34,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml index 9e15270d39..f6a7d5908e 100644 --- a/manifests/backup/backup-schedule-s3-br.yaml +++ b/manifests/backup/backup-schedule-s3-br.yaml @@ -34,6 +34,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml index d576e4d767..4bc1db83bb 100644 --- a/manifests/backup/restore-aws-s3-br.yaml +++ b/manifests/backup/restore-aws-s3-br.yaml @@ -31,6 +31,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml index e00bcf70ae..ab2d00464b 100644 --- a/manifests/backup/restore-s3-br.yaml +++ b/manifests/backup/restore-s3-br.yaml 
@@ -31,6 +31,7 @@ spec: # user: root # tlsClient: # enabled: false + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/crd.yaml b/manifests/crd.yaml index 2849277203..2dbc8ff636 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6814,6 +6814,10 @@ spec: cluster's password. type: string tlsClient: {} + tlsSecret: + description: 'Specify a secret for client cert in backup/restore + Optional: Defaults to -tidb-client-secret' + type: string user: description: User is the user for login tidb cluster type: string @@ -7751,6 +7755,10 @@ spec: cluster's password. type: string tlsClient: {} + tlsSecret: + description: 'Specify a secret for client cert in backup/restore + Optional: Defaults to -tidb-client-secret' + type: string user: description: User is the user for login tidb cluster type: string @@ -8543,6 +8551,10 @@ spec: cluster's password. type: string tlsClient: {} + tlsSecret: + description: 'Specify a secret for client cert in backup/restore + Optional: Defaults to -tidb-client-secret' + type: string user: description: User is the user for login tidb cluster type: string diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index b6d2fa4e22..4299c06266 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go @@ -3207,6 +3207,13 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"), }, }, + "tlsSecret": { + SchemaProps: spec.SchemaProps{ + Description: "Specify a secret for client cert in backup/restore Optional: Defaults to -tidb-client-secret", + Type: []string{"string"}, + Format: "", + }, + }, }, Required: []string{"host", "secretName"}, }, diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index 0c6fb806c6..a9b0aef321 100644 
--- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go @@ -785,6 +785,10 @@ type TiDBAccessConfig struct { // Optional: Defaults to nil // +optional TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"` + // Specify a secret for client cert in backup/restore + // Optional: Defaults to -tidb-client-secret + // +optional + TLSSecret string `json:"tlsSecret,omitempty"` } // +k8s:openapi-gen=true diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go index bc5a23cadd..7d8ae2c463 100644 --- a/pkg/backup/backup/backup_manager.go +++ b/pkg/backup/backup/backup_manager.go @@ -292,7 +292,10 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s }, }) } - + clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster) + if backup.Spec.From.TLSSecret != "" { + clientSecretName = backup.Spec.From.TLSSecret + } if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "tidb-client-tls", @@ -303,7 +306,7 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s Name: "tidb-client-tls", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster), + SecretName: clientSecretName, }, }, }) diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go index da62c7b029..bc1ba4d2e8 100644 --- a/pkg/backup/restore/restore_manager.go +++ b/pkg/backup/restore/restore_manager.go 
@@ -277,6 +277,10 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo }) } + clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster) + if restore.Spec.To.TLSSecret != "" { + clientSecretName = restore.Spec.To.TLSSecret + } if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "tidb-client-tls", @@ -287,7 +291,7 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo Name: "tidb-client-tls", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster), + SecretName: clientSecretName, }, }, }) From 51b8feb99c217ab2352bc8065d2da9d0e86ba156 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Mon, 23 Mar 2020 19:01:09 +0800 Subject: [PATCH 15/17] address comment --- docs/api-references/docs.html | 28 ++++++++++--------- manifests/backup/backup-aws-s3-br.yaml | 2 +- manifests/backup/backup-s3-br.yaml | 2 +- .../backup/backup-schedule-aws-s3-br.yaml | 2 +- manifests/backup/backup-schedule-s3-br.yaml | 2 +- manifests/backup/restore-aws-s3-br.yaml | 2 +- manifests/backup/restore-s3-br.yaml | 2 +- manifests/crd.yaml | 12 -------- .../pingcap/v1alpha1/openapi_generated.go | 7 ----- pkg/apis/pingcap/v1alpha1/types.go | 10 ++++--- pkg/backup/backup/backup_manager.go | 8 +++--- pkg/backup/restore/restore_manager.go | 8 +++--- 12 files changed, 35 insertions(+), 50 deletions(-) diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html index 3b135fea2a..cbd9a8f218 100644 --- a/docs/api-references/docs.html +++ b/docs/api-references/docs.html @@ -6777,19 +6777,6 @@

TiDBAccessConfig Optional: Defaults to nil

- - -tlsSecret
- -string - - - -(Optional) -

Specify a secret for client cert in backup/restore -Optional: Defaults to -tidb-client-secret

- -

TiDBConfig @@ -7705,6 +7692,21 @@

TiDBTLSClient 4. Set Enabled to true.

+ + +tlsSecret
+ +string + + + +(Optional) +

Specify a secret for client cert in backup/restore +Optional: Defaults to -tidb-client-secret +If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret +this field only work in backup/restore process

+ +

TiKVBlockCacheConfig diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml index 73166ab904..baf00fa088 100644 --- a/manifests/backup/backup-aws-s3-br.yaml +++ b/manifests/backup/backup-aws-s3-br.yaml @@ -29,7 +29,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml index 56da73c236..a99499337e 100644 --- a/manifests/backup/backup-s3-br.yaml +++ b/manifests/backup/backup-s3-br.yaml @@ -29,7 +29,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml index d0ac2767b9..c66c48a99e 100644 --- a/manifests/backup/backup-schedule-aws-s3-br.yaml +++ b/manifests/backup/backup-schedule-aws-s3-br.yaml @@ -34,7 +34,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml index f6a7d5908e..14898e84da 100644 --- a/manifests/backup/backup-schedule-s3-br.yaml +++ b/manifests/backup/backup-schedule-s3-br.yaml @@ -34,7 +34,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml index 4bc1db83bb..1aea2fdb28 100644 --- a/manifests/backup/restore-aws-s3-br.yaml +++ b/manifests/backup/restore-aws-s3-br.yaml @@ -31,7 +31,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: aws region: us-west-2 diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml index ab2d00464b..6c86a605f6 100644 
--- a/manifests/backup/restore-s3-br.yaml +++ b/manifests/backup/restore-s3-br.yaml @@ -31,7 +31,7 @@ spec: # user: root # tlsClient: # enabled: false - # tlsSecret: + # tlsSecret: s3: provider: ceph endpoint: http://10.233.57.220 diff --git a/manifests/crd.yaml b/manifests/crd.yaml index 2dbc8ff636..2849277203 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6814,10 +6814,6 @@ spec: cluster's password. type: string tlsClient: {} - tlsSecret: - description: 'Specify a secret for client cert in backup/restore - Optional: Defaults to -tidb-client-secret' - type: string user: description: User is the user for login tidb cluster type: string @@ -7755,10 +7751,6 @@ spec: cluster's password. type: string tlsClient: {} - tlsSecret: - description: 'Specify a secret for client cert in backup/restore - Optional: Defaults to -tidb-client-secret' - type: string user: description: User is the user for login tidb cluster type: string @@ -8551,10 +8543,6 @@ spec: cluster's password. type: string tlsClient: {} - tlsSecret: - description: 'Specify a secret for client cert in backup/restore - Optional: Defaults to -tidb-client-secret' - type: string user: description: User is the user for login tidb cluster type: string diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index 4299c06266..b6d2fa4e22 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go @@ -3207,13 +3207,6 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"), }, }, - "tlsSecret": { - SchemaProps: spec.SchemaProps{ - Description: "Specify a secret for client cert in backup/restore Optional: Defaults to -tidb-client-secret", - Type: []string{"string"}, - Format: "", - }, - }, }, Required: []string{"host", "secretName"}, }, 
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index a9b0aef321..c8fc9eb732 100644 --- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go @@ -622,6 +622,12 @@ type TiDBTLSClient struct { // 4. Set Enabled to `true`. // +optional Enabled bool `json:"enabled,omitempty"` + // Specify a secret for client cert in backup/restore + // Optional: Defaults to -tidb-client-secret + // +optional + // If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret + // this field only work in backup/restore process + TLSSecret string `json:"tlsSecret,omitempty"` } // TLSCluster can enable TLS connection between TiDB server components @@ -785,10 +791,6 @@ type TiDBAccessConfig struct { // Optional: Defaults to nil // +optional TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"` - // Specify a secret for client cert in backup/restore - // Optional: Defaults to -tidb-client-secret - // +optional - TLSSecret string `json:"tlsSecret,omitempty"` } // +k8s:openapi-gen=true diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go index 7d8ae2c463..bf10dd5dce 100644 --- a/pkg/backup/backup/backup_manager.go +++ b/pkg/backup/backup/backup_manager.go 
@@ -292,11 +292,11 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s }, }) } - clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster) - if backup.Spec.From.TLSSecret != "" { - clientSecretName = backup.Spec.From.TLSSecret - } if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled { + clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster) + if backup.Spec.From.TLSClient.TLSSecret != "" { + clientSecretName = backup.Spec.From.TLSClient.TLSSecret + } volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "tidb-client-tls", ReadOnly: true, diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go index bc1ba4d2e8..f1407ba3ec 100644 --- a/pkg/backup/restore/restore_manager.go +++ b/pkg/backup/restore/restore_manager.go @@ -277,11 +277,11 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo }) } - clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster) - if restore.Spec.To.TLSSecret != "" { - clientSecretName = restore.Spec.To.TLSSecret - } if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled { + clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster) + if restore.Spec.To.TLSClient.TLSSecret != "" { + clientSecretName = restore.Spec.To.TLSClient.TLSSecret + } volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "tidb-client-tls", ReadOnly: true, From 309f1a4f1d6dae6d644a946b67ba8fd8fad7d0d9 Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Mon, 23 Mar 2020 20:54:32 +0800 Subject: [PATCH 16/17] address comment --- pkg/apis/pingcap/v1alpha1/types.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go index c8fc9eb732..ba5fefcbd2 100644 --- a/pkg/apis/pingcap/v1alpha1/types.go +++ b/pkg/apis/pingcap/v1alpha1/types.go 
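Review bot: `backup.Spec.From.TLSClient.TLSSecret` is now a user-chosen secret name that goes straight into the `SecretVolumeSource` with no check that it exists or has the right shape; Pods can only mount Secrets from their own namespace, so the blast radius is bounded to the Backup's namespace, but a typo or absent secret leaves the Job pod stuck in ContainerCreating with nothing reported on the CR. Look the secret up through the controller's lister before building the Job (I can't see whether backupManager has one) and fail with a named reason, and check that it carries the `tls.crt`/`tls.key` entries a `kubernetes.io/tls` secret provides, which are presumably the file names the job reads under `util.TiDBClientTLSPath`. The fallback `util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster)` still assumes `BR` is non-nil inside a branch keyed on `From.TLSClient`; a one-line comment stating that invariant, or a nil guard, would keep the next reader from tripping over it. makeBackupJob starts and ends outside the hunk.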
@@ -622,10 +622,10 @@ type TiDBTLSClient struct { // 4. Set Enabled to `true`. // +optional Enabled bool `json:"enabled,omitempty"` - // Specify a secret for client cert in backup/restore + // Specify a secret of client cert for backup/restore // Optional: Defaults to -tidb-client-secret // +optional - // If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret + // If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret // this field only work in backup/restore process TLSSecret string `json:"tlsSecret,omitempty"` } From a64c5eae7ada7c276e360ad4cceccbdad32e395d Mon Sep 17 00:00:00 2001 From: shuijing198799 Date: Mon, 23 Mar 2020 21:32:22 +0800 Subject: [PATCH 17/17] make check --- docs/api-references/docs.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html index cbd9a8f218..92e530d969 100644 --- a/docs/api-references/docs.html +++ b/docs/api-references/docs.html @@ -7701,9 +7701,9 @@
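Review bot: The default in the new comment reads `Defaults to -tidb-client-secret` with no cluster placeholder before the dash; if this was written as `<cluster>-tidb-client-secret`, the angle brackets are being swallowed by the HTML docs generator (the rendered docs hunks in this series show the same truncated text), so spell it `{cluster}-tidb-client-secret` so it survives. The `// +optional` marker sits in the middle of the comment; generator markers are conventionally the last lines of a doc block, so move it after the prose. Replace `this field only work in backup/restore process` with `This field only takes effect on Backup/Restore; it is ignored on TidbCluster.spec.tidb.tlsClient.` — the second clause matters because `TiDBTLSClient` is also embedded in `TiDBSpec`, where the new field is accepted by the CRD and silently ignored, and a validation error there would be better than silence.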

TiDBTLSClient (Optional) -

Specify a secret for client cert in backup/restore +

Specify a secret of client cert for backup/restore Optional: Defaults to -tidb-client-secret -If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret +If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret this field only work in backup/restore process