From c7941135e94f7acc1bb718dad1343ac4a4b3eda0 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Thu, 19 Mar 2020 15:56:34 +0800
Subject: [PATCH 01/17] backup: support br compatiable with new TLS interface
---
cmd/backup-manager/app/backup/backup.go | 19 ++++++++++---------
cmd/backup-manager/app/restore/restore.go | 15 ++++++++-------
docs/api-references/docs.html | 11 ++++++++---
manifests/crd.yaml | 12 +++---------
.../pingcap/v1alpha1/openapi_generated.go | 9 +++++----
pkg/apis/pingcap/v1alpha1/types.go | 6 ++++--
pkg/backup/backup/backup_manager.go | 12 ++++++++----
pkg/backup/restore/restore_manager.go | 12 ++++++++----
8 files changed, 54 insertions(+), 42 deletions(-)
diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go
index 5e9ab4210d..ac7178fd3d 100644
--- a/cmd/backup-manager/app/backup/backup.go
+++ b/cmd/backup-manager/app/backup/backup.go
@@ -23,15 +23,16 @@ import (
"github.com/gogo/protobuf/proto"
kvbackup "github.com/pingcap/kvproto/pkg/backup"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
+ backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+ "github.com/pingcap/tidb-operator/pkg/util"
corev1 "k8s.io/api/core/v1"
"k8s.io/klog"
)
// Options contains the input arguments to the backup command
type Options struct {
- util.GenericOptions
+ backupUtil.GenericOptions
}
func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
@@ -44,10 +45,10 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
return "", err
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
- if backup.Spec.BR.EnableTLSClient {
- args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+ if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
}
var btype string
@@ -73,7 +74,7 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
// getCommitTs get backup position from `EndVersion` in BR backup meta
func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {
var commitTs uint64
- s, err := util.NewRemoteStorage(backup)
+ s, err := backupUtil.NewRemoteStorage(backup)
if err != nil {
return commitTs, err
}
@@ -101,7 +102,7 @@ func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {
// constructOptions constructs options for BR and also return the remote path
func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
- args, remotePath, err := util.ConstructBRGlobalOptionsForBackup(backup)
+ args, remotePath, err := backupUtil.ConstructBRGlobalOptionsForBackup(backup)
if err != nil {
return args, remotePath, err
}
@@ -124,7 +125,7 @@ func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
// getBackupSize get the backup data size from remote
func getBackupSize(backup *v1alpha1.Backup) (int64, error) {
var size int64
- s, err := util.NewRemoteStorage(backup)
+ s, err := backupUtil.NewRemoteStorage(backup)
if err != nil {
return size, err
}
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
index 90d0667ee0..3a7abe1f9b 100644
--- a/cmd/backup-manager/app/restore/restore.go
+++ b/cmd/backup-manager/app/restore/restore.go
@@ -19,14 +19,15 @@ import (
"path"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
+ backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+ "github.com/pingcap/tidb-operator/pkg/util"
corev1 "k8s.io/api/core/v1"
"k8s.io/klog"
)
type Options struct {
- util.GenericOptions
+ backupUtil.GenericOptions
}
func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
@@ -39,10 +40,10 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
return err
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
- if restore.Spec.BR.EnableTLSClient {
- args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+ if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
}
var restoreType string
@@ -66,7 +67,7 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
}
func constructBROptions(restore *v1alpha1.Restore) ([]string, error) {
- args, err := util.ConstructBRGlobalOptionsForRestore(restore)
+ args, err := backupUtil.ConstructBRGlobalOptionsForRestore(restore)
if err != nil {
return nil, err
}
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index 41c5be1b10..286be033d2 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -1546,13 +1546,17 @@ BRConfig
-enableTLSClient
+tlsCluster
-bool
+
+TLSCluster
+
-Whether enable TLS in TiDBCluster
+(Optional)
+Whether enable the TLS connection between TiDB server components
+Optional: Defaults to nil
@@ -6652,6 +6656,7 @@ TLSCluster
(Appears on:
+BRConfig ,
TidbClusterSpec )
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
index d69a3a1d49..0caffeaec2 100644
--- a/manifests/crd.yaml
+++ b/manifests/crd.yaml
@@ -6766,9 +6766,6 @@ spec:
db:
description: DB is the specific DB which will be backed-up or restored
type: string
- enableTLSClient:
- description: Whether enable TLS in TiDBCluster
- type: boolean
logLevel:
description: LogLevel is the log level
type: string
@@ -6796,6 +6793,7 @@ spec:
description: TimeAgo is the history version of the backup task,
e.g. 1m, 1h
type: string
+ tlsCluster: {}
required:
- cluster
type: object
@@ -7610,9 +7608,6 @@ spec:
db:
description: DB is the specific DB which will be backed-up or restored
type: string
- enableTLSClient:
- description: Whether enable TLS in TiDBCluster
- type: boolean
logLevel:
description: LogLevel is the log level
type: string
@@ -7640,6 +7635,7 @@ spec:
description: TimeAgo is the history version of the backup task,
e.g. 1m, 1h
type: string
+ tlsCluster: {}
required:
- cluster
type: object
@@ -8497,9 +8493,6 @@ spec:
description: DB is the specific DB which will be backed-up or
restored
type: string
- enableTLSClient:
- description: Whether enable TLS in TiDBCluster
- type: boolean
logLevel:
description: LogLevel is the log level
type: string
@@ -8527,6 +8520,7 @@ spec:
description: TimeAgo is the history version of the backup task,
e.g. 1m, 1h
type: string
+ tlsCluster: {}
required:
- cluster
type: object
diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
index 077d8ddad4..ae26ed35e2 100644
--- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go
+++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
@@ -375,11 +375,10 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com
Description: "BRConfig contains config for BR",
Type: []string{"object"},
Properties: map[string]spec.Schema{
- "enableTLSClient": {
+ "tlsCluster": {
SchemaProps: spec.SchemaProps{
- Description: "Whether enable TLS in TiDBCluster",
- Type: []string{"boolean"},
- Format: "",
+ Description: "Whether enable the TLS connection between TiDB server components Optional: Defaults to nil",
+ Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"),
},
},
"cluster": {
@@ -470,6 +469,8 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com
Required: []string{"cluster"},
},
},
+ Dependencies: []string{
+ "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"},
}
}
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index ee2f3813a8..499bb65e30 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -819,8 +819,10 @@ type BackupSpec struct {
// +k8s:openapi-gen=true
// BRConfig contains config for BR
type BRConfig struct {
- // Whether enable TLS in TiDBCluster
- EnableTLSClient bool `json:"enableTLSClient,omitempty"`
+ // Whether enable the TLS connection between TiDB server components
+ // Optional: Defaults to nil
+ // +optional
+ TLSCluster *TLSCluster `json:"tlsCluster,omitempty"`
// ClusterName of backup/restore cluster
Cluster string `json:"cluster"`
// Namespace of backup/restore cluster
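Review bot: Replacing `EnableTLSClient` with `TLSCluster` in BRConfig removes the `enableTLSClient` JSON key with no compatibility path. A Backup or Restore manifest that still sets `enableTLSClient: true` would presumably be accepted with the field ignored, and BR would then be started without `--ca`/`--cert`/`--key`. Either keep the old field for a release, marked `// Deprecated: use TLSCluster instead.`, and treat it as equivalent in the `TLSCluster != nil && TLSCluster.Enabled` checks, or document the break in the field comment. The struct continues outside the hunk.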
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index cf8d94e5f5..95d1881948 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -22,6 +22,7 @@ import (
backuputil "github.com/pingcap/tidb-operator/pkg/backup/util"
"github.com/pingcap/tidb-operator/pkg/controller"
"github.com/pingcap/tidb-operator/pkg/label"
+ "github.com/pingcap/tidb-operator/pkg/util"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
@@ -276,14 +277,17 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).BackupJob().Backup(name)
volumeMounts := []corev1.VolumeMount{}
volumes := []corev1.Volume{}
- if backup.Spec.BR.EnableTLSClient {
+ if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath,
+ Name: "tidb-client-tls",
+ ReadOnly: true,
+ MountPath: util.TiDBClientTLSPath,
})
volumes = append(volumes, corev1.Volume{
- Name: "br-tls", VolumeSource: corev1.VolumeSource{
+ Name: "tidb-client-tls",
+ VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(backup.Spec.BR.Cluster)),
+ SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster),
},
},
})
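Review bot: The Secret volume built in makeBackupJob can only be resolved in the namespace the Job runs in, while backup.go addresses PD through a separate cluster namespace. A Backup created outside the cluster's namespace would likely leave the pod waiting on a secret that does not exist there. A comment above the volume would make the requirement visible, for example `// the client TLS secret must exist in the Backup's own namespace; Secret volumes cannot reference another namespace`. The same applies to makeRestoreJob in restore_manager.go. The function starts and ends outside the hunk.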
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index cdbcec11e8..cb31a234b6 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -23,6 +23,7 @@ import (
listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
"github.com/pingcap/tidb-operator/pkg/controller"
"github.com/pingcap/tidb-operator/pkg/label"
+ "github.com/pingcap/tidb-operator/pkg/util"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
@@ -260,14 +261,17 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
restoreLabel := label.NewBackup().Instance(restore.GetInstanceName()).RestoreJob().Restore(name)
volumeMounts := []corev1.VolumeMount{}
volumes := []corev1.Volume{}
- if restore.Spec.BR.EnableTLSClient {
+ if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath,
+ Name: "tidb-client-tls",
+ ReadOnly: true,
+ MountPath: util.TiDBClientTLSPath,
})
volumes = append(volumes, corev1.Volume{
- Name: "br-tls", VolumeSource: corev1.VolumeSource{
+ Name: "tidb-client-tls",
+ VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(restore.Spec.BR.Cluster)),
+ SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster),
},
},
})
From 0076590c57dcfc2400795644c7f85ab215b4b847 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Thu, 19 Mar 2020 16:00:52 +0800
Subject: [PATCH 02/17] backup: fix ca name, use k8s core one
---
cmd/backup-manager/app/backup/backup.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go
index ac7178fd3d..8fb99f4c89 100644
--- a/cmd/backup-manager/app/backup/backup.go
+++ b/cmd/backup-manager/app/backup/backup.go
@@ -46,7 +46,7 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
- args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath)))
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)))
args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
}
From 14c9d8f9368d3c3902b612f82b05d0b0e2ee02a6 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Thu, 19 Mar 2020 16:00:59 +0800
Subject: [PATCH 03/17] backup: fix ca name, use k8s core one
---
cmd/backup-manager/app/restore/restore.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
index 3a7abe1f9b..a0fef0fd6f 100644
--- a/cmd/backup-manager/app/restore/restore.go
+++ b/cmd/backup-manager/app/restore/restore.go
@@ -41,7 +41,7 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
- args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, constants.ServiceAccountCAPath)))
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)))
args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
}
From ba2284f5c16596c4c6724b9ab1c326725e5c0e71 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Thu, 19 Mar 2020 20:07:37 +0800
Subject: [PATCH 04/17] fix tiny
---
cmd/backup-manager/app/restore/restore.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
index a0fef0fd6f..9a73e21e5f 100644
--- a/cmd/backup-manager/app/restore/restore.go
+++ b/cmd/backup-manager/app/restore/restore.go
@@ -18,7 +18,6 @@ import (
"os/exec"
"path"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
"github.com/pingcap/tidb-operator/pkg/util"
From cc8b9d7c422ae2b03035187ef95c2f1138b26e03 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Thu, 19 Mar 2020 20:27:26 +0800
Subject: [PATCH 05/17] gen code
---
pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index e8ed1ac39c..88e7aed5d1 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
@@ -28,6 +28,11 @@ import (
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BRConfig) DeepCopyInto(out *BRConfig) {
*out = *in
+ if in.TLSCluster != nil {
+ in, out := &in.TLSCluster, &out.TLSCluster
+ *out = new(TLSCluster)
+ **out = **in
+ }
if in.Concurrency != nil {
in, out := &in.Concurrency, &out.Concurrency
*out = new(uint32)
From 67ade573ee01f42305accd3b631b5c492a721911 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 12:09:46 +0800
Subject: [PATCH 06/17] fix tls path error
---
cmd/backup-manager/app/backup/backup.go | 6 +++---
cmd/backup-manager/app/restore/restore.go | 6 +++---
pkg/backup/backup/backup_manager.go | 8 ++++----
pkg/backup/restore/restore_manager.go | 8 ++++----
4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go
index 8fb99f4c89..2becef8bf6 100644
--- a/cmd/backup-manager/app/backup/backup.go
+++ b/cmd/backup-manager/app/backup/backup.go
@@ -46,9 +46,9 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
- args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey)))
}
var btype string
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
index 9a73e21e5f..d2e5a643d8 100644
--- a/cmd/backup-manager/app/restore/restore.go
+++ b/cmd/backup-manager/app/restore/restore.go
@@ -40,9 +40,9 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
- args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey)))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey)))
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey)))
}
var restoreType string
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index 95d1881948..fa162fba9c 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -279,15 +279,15 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
volumes := []corev1.Volume{}
if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "tidb-client-tls",
+ Name: "cluster-client-tls",
ReadOnly: true,
- MountPath: util.TiDBClientTLSPath,
+ MountPath: util.ClusterClientTLSPath,
})
volumes = append(volumes, corev1.Volume{
- Name: "tidb-client-tls",
+ Name: "cluster-client-tls",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster),
+ SecretName: util.ClusterClientTLSSecretName(backup.Spec.BR.Cluster),
},
},
})
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index cb31a234b6..1a38b7489f 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -263,15 +263,15 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
volumes := []corev1.Volume{}
if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "tidb-client-tls",
+ Name: "cluster-client-tls",
ReadOnly: true,
- MountPath: util.TiDBClientTLSPath,
+ MountPath: util.ClusterClientTLSPath,
})
volumes = append(volumes, corev1.Volume{
- Name: "tidb-client-tls",
+ Name: "cluster-client-tls",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster),
+ SecretName: util.ClusterClientTLSSecretName(restore.Spec.BR.Cluster),
},
},
})
From 8036fa0ab09a7cbb94c728ad261cf16a6cac8c9c Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 17:41:02 +0800
Subject: [PATCH 07/17] backup: add enable client tls in backup
---
cmd/backup-manager/app/backup/manager.go | 14 ++++++-
cmd/backup-manager/app/export/manager.go | 10 ++++-
cmd/backup-manager/app/import/manager.go | 9 ++++-
cmd/backup-manager/app/restore/manager.go | 15 +++++++-
cmd/backup-manager/app/util/generic.go | 37 ++++++++++++++++++-
docs/api-references/docs.html | 16 ++++++++
manifests/crd.yaml | 3 ++
.../pingcap/v1alpha1/openapi_generated.go | 8 ++++
pkg/apis/pingcap/v1alpha1/types.go | 4 ++
.../pingcap/v1alpha1/zz_generated.deepcopy.go | 9 ++++-
pkg/backup/backup/backup_cleaner.go | 2 +-
pkg/backup/backup/backup_manager.go | 20 +++++++++-
pkg/backup/restore/restore_manager.go | 20 +++++++++-
13 files changed, 154 insertions(+), 13 deletions(-)
diff --git a/cmd/backup-manager/app/backup/manager.go b/cmd/backup-manager/app/backup/manager.go
index f4389b1d48..b060153394 100644
--- a/cmd/backup-manager/app/backup/manager.go
+++ b/cmd/backup-manager/app/backup/manager.go
@@ -80,6 +80,12 @@ func (bm *Manager) ProcessBackup() error {
})
}
+ var enableTLSClient bool
+ enableTLSClient = false
+ if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
+ enableTLSClient = true
+ }
+
if backup.Spec.BR == nil {
return fmt.Errorf("no br config in %s", bm)
}
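Review bot: The flag setup added in ProcessBackup takes a declaration, an assignment of the zero value and an `if` to compute one boolean. It reads more directly as `enableTLSClient := backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled`. The same block is added in restore/manager.go for `restore.Spec.To.TLSClient`.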
@@ -87,8 +93,14 @@ func (bm *Manager) ProcessBackup() error {
bm.setOptions(backup)
var db *sql.DB
+ var dsn string
err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(bm.GetDSN())
+ dsn, err = bm.GetDSN(enableTLSClient)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err)
+ return false, err
+ }
+ db, err = util.OpenDB(dsn)
if err != nil {
klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
return false, nil
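Review bot: `bm.GetDSN(enableTLSClient)` is called inside the `wait.PollImmediate` closure, so every retry re-reads the certificate files and re-registers the driver TLS config, although nothing in the DSN changes between attempts. Build it once before the poll with `dsn, err = bm.GetDSN(enableTLSClient)` and an early return on error, and leave only `db, err = util.OpenDB(dsn)` inside the closure. The same pattern is added in export/manager.go, import/manager.go and restore/manager.go. ProcessBackup continues outside the hunk.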
diff --git a/cmd/backup-manager/app/export/manager.go b/cmd/backup-manager/app/export/manager.go
index b4a488e6ef..544dd75598 100644
--- a/cmd/backup-manager/app/export/manager.go
+++ b/cmd/backup-manager/app/export/manager.go
@@ -83,8 +83,16 @@ func (bm *BackupManager) ProcessBackup() error {
bm.setOptions(backup)
var db *sql.DB
+ var dsn string
err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(bm.GetDSN())
+ // TLS is not currently supported
+ dsn, err = bm.GetDSN(false)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", bm, err)
+ return false, err
+ }
+
+ db, err = util.OpenDB(dsn)
if err != nil {
klog.Warningf("can't connect to tidb cluster %s, err: %s", bm, err)
return false, nil
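Review bot: `bm.GetDSN(false)` hard-codes a non-TLS connection for the export path. As far as this hunk shows, a Backup that sets `spec.from.tlsClient.enabled` would be exported over an unencrypted SQL connection with no indication to the user. Until TLS is supported here, fail early instead of ignoring the setting: `if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled { return fmt.Errorf("tls client is not supported for export in %s", bm) }`. The import path in import/manager.go makes the same `GetDSN(false)` call and needs the equivalent check.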
diff --git a/cmd/backup-manager/app/import/manager.go b/cmd/backup-manager/app/import/manager.go
index 3d6ac2ce31..f7c2c7c9ed 100644
--- a/cmd/backup-manager/app/import/manager.go
+++ b/cmd/backup-manager/app/import/manager.go
@@ -84,8 +84,15 @@ func (rm *RestoreManager) ProcessRestore() error {
rm.setOptions(restore)
var db *sql.DB
+ var dsn string
err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(rm.GetDSN())
+ // TLS is not currently supported
+ dsn, err = rm.GetDSN(false)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err)
+ return false, err
+ }
+
if err != nil {
klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
return false, nil
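Review bot: The `db, err = util.OpenDB(...)` call is removed in this hunk and not added back. After the `GetDSN` check, `db` is never opened, the second `if err != nil` can never be true, and `dsn` is assigned but never read, which the Go compiler normally rejects as declared and not used. Restore `db, err = util.OpenDB(dsn)` between the two error checks, as export/manager.go does. ProcessRestore continues outside the hunk.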
diff --git a/cmd/backup-manager/app/restore/manager.go b/cmd/backup-manager/app/restore/manager.go
index 56b06b66f5..990b31cd5d 100644
--- a/cmd/backup-manager/app/restore/manager.go
+++ b/cmd/backup-manager/app/restore/manager.go
@@ -82,11 +82,24 @@ func (rm *Manager) ProcessRestore() error {
return fmt.Errorf("no br config in %s", rm)
}
+ var enableTLSClient bool
+ enableTLSClient = false
+ if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
+ enableTLSClient = true
+ }
+
rm.setOptions(restore)
var db *sql.DB
+ var dsn string
err = wait.PollImmediate(constants.PollInterval, constants.CheckTimeout, func() (done bool, err error) {
- db, err = util.OpenDB(rm.GetDSN())
+ dsn, err = rm.GetDSN(enableTLSClient)
+ if err != nil {
+ klog.Errorf("can't get dsn of tidb cluster %s, err: %s", rm, err)
+ return false, err
+ }
+
+ db, err = util.OpenDB(dsn)
if err != nil {
klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
return false, nil
diff --git a/cmd/backup-manager/app/util/generic.go b/cmd/backup-manager/app/util/generic.go
index 04bebc5b3b..17a98aa61f 100644
--- a/cmd/backup-manager/app/util/generic.go
+++ b/cmd/backup-manager/app/util/generic.go
@@ -14,10 +14,18 @@
package util
import (
+ "crypto/tls"
+ "crypto/x509"
"database/sql"
+ "errors"
"fmt"
+ "io/ioutil"
+ "path"
+ "github.com/go-sql-driver/mysql"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
+ "github.com/pingcap/tidb-operator/pkg/util"
+ corev1 "k8s.io/api/core/v1"
)
// GenericOptions contains the generic input arguments to the backup/restore command
@@ -35,8 +43,33 @@ func (bo *GenericOptions) String() string {
return fmt.Sprintf("%s/%s", bo.Namespace, bo.ResourceName)
}
-func (bo *GenericOptions) GetDSN() string {
- return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB)
+func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
+ if enabledTLSClient {
+ rootCertPool := x509.NewCertPool()
+ pem, err := ioutil.ReadFile(path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))
+ if err != nil {
+ return "", err
+ }
+ if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+ return "", errors.New("Failed to append PEM.")
+ }
+ clientCert := make([]tls.Certificate, 0, 1)
+ certs, err := tls.LoadX509KeyPair(
+ path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey),
+ path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))
+ if err != nil {
+ return "", err
+ }
+ clientCert = append(clientCert, certs)
+ mysql.RegisterTLSConfig("customer", &tls.Config{
+ RootCAs: rootCertPool,
+ Certificates: clientCert,
+ ServerName: bo.Host,
+ })
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
+ } else {
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
+ }
}
func (bo *GenericOptions) GetTikvGCLifeTime(db *sql.DB) (string, error) {
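Review bot: GetDSN discards the error returned by `mysql.RegisterTLSConfig`. A failed registration would only show up later as an `OpenDB` failure, which the callers log as a warning and retry until the poll times out. Check it in place, e.g. `if err := mysql.RegisterTLSConfig("customer", tlsCfg); err != nil { return "", err }`. The `tls.Config` also sets no `MinVersion`, so the toolchain default applies; `MinVersion: tls.VersionTLS12` would pin the floor explicitly. On style, the `else` after a returning branch can be dropped, and `errors.New("Failed to append PEM.")` should be lowercase without the trailing period and should name the CA file that failed to parse.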
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index 286be033d2..4293d852c8 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -6762,6 +6762,21 @@ TiDBAccessConfig
SecretName is the name of secret which stores tidb cluster’s password.
+
+
+tlsClient
+
+
+TiDBTLSClient
+
+
+
+
+(Optional)
+Whether enable the TLS connection between the SQL client and TiDB server
+Optional: Defaults to nil
+
+
TiDBConfig
@@ -7638,6 +7653,7 @@ TiDBTLSClient
(Appears on:
+TiDBAccessConfig ,
TiDBSpec )
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
index 0caffeaec2..2849277203 100644
--- a/manifests/crd.yaml
+++ b/manifests/crd.yaml
@@ -6813,6 +6813,7 @@ spec:
description: SecretName is the name of secret which stores tidb
cluster's password.
type: string
+ tlsClient: {}
user:
description: User is the user for login tidb cluster
type: string
@@ -7749,6 +7750,7 @@ spec:
description: SecretName is the name of secret which stores tidb
cluster's password.
type: string
+ tlsClient: {}
user:
description: User is the user for login tidb cluster
type: string
@@ -8540,6 +8542,7 @@ spec:
description: SecretName is the name of secret which stores tidb
cluster's password.
type: string
+ tlsClient: {}
user:
description: User is the user for login tidb cluster
type: string
diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
index ae26ed35e2..b6d2fa4e22 100644
--- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go
+++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
@@ -3201,10 +3201,18 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb
Format: "",
},
},
+ "tlsClient": {
+ SchemaProps: spec.SchemaProps{
+ Description: "Whether enable the TLS connection between the SQL client and TiDB server Optional: Defaults to nil",
+ Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"),
+ },
+ },
},
Required: []string{"host", "secretName"},
},
},
+ Dependencies: []string{
+ "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"},
}
}
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index 499bb65e30..0c6fb806c6 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -781,6 +781,10 @@ type TiDBAccessConfig struct {
User string `json:"user,omitempty"`
// SecretName is the name of secret which stores tidb cluster's password.
SecretName string `json:"secretName"`
+ // Whether enable the TLS connection between the SQL client and TiDB server
+ // Optional: Defaults to nil
+ // +optional
+ TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"`
}
// +k8s:openapi-gen=true
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index 88e7aed5d1..96bd867ff7 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
@@ -269,7 +269,7 @@ func (in *BackupScheduleStatus) DeepCopy() *BackupScheduleStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
*out = *in
- out.From = in.From
+ in.From.DeepCopyInto(&out.From)
if in.TikvGCLifeTime != nil {
in, out := &in.TikvGCLifeTime, &out.TikvGCLifeTime
*out = new(string)
@@ -1924,7 +1924,7 @@ func (in *RestoreList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RestoreSpec) DeepCopyInto(out *RestoreSpec) {
*out = *in
- out.To = in.To
+ in.To.DeepCopyInto(&out.To)
if in.TikvGCLifeTime != nil {
in, out := &in.TikvGCLifeTime, &out.TikvGCLifeTime
*out = new(string)
@@ -2239,6 +2239,11 @@ func (in *TLSCluster) DeepCopy() *TLSCluster {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TiDBAccessConfig) DeepCopyInto(out *TiDBAccessConfig) {
*out = *in
+ if in.TLSClient != nil {
+ in, out := &in.TLSClient, &out.TLSClient
+ *out = new(TiDBTLSClient)
+ **out = **in
+ }
return
}
diff --git a/pkg/backup/backup/backup_cleaner.go b/pkg/backup/backup/backup_cleaner.go
index 001406da15..3f29ab65f6 100644
--- a/pkg/backup/backup/backup_cleaner.go
+++ b/pkg/backup/backup/backup_cleaner.go
@@ -140,7 +140,7 @@ func (bc *backupCleaner) makeCleanJob(backup *v1alpha1.Backup) (*batchv1.Job, st
Name: label.BackupJobLabelVal,
Image: controller.TidbBackupManagerImage,
Args: args,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
Env: storageEnv,
},
},
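Review bot: Switching `ImagePullPolicy` to `corev1.PullIfNotPresent` means a node that already has the tag cached never pulls it again. If `controller.TidbBackupManagerImage` resolves to a mutable tag (its value is not visible in this hunk), backup jobs that handle database and storage credentials can keep running a stale build. The same one-line change is repeated in makeExportJob and makeBackupJob (backup_manager.go) and in makeImportJob and makeRestoreJob (restore_manager.go), and it is unrelated to the TLS work in the commit subject. I would keep `corev1.PullAlways`, or add a comment at each site such as `// IfNotPresent is safe only while the backup-manager image is pinned to an immutable tag or digest`. makeCleanJob's body starts and ends outside the hunk.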
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index fa162fba9c..bc5a23cadd 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -211,7 +211,7 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
Name: label.BackupJobLabelVal,
Image: controller.TidbBackupManagerImage,
Args: args,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
VolumeMounts: []corev1.VolumeMount{
{Name: label.BackupJobLabelVal, MountPath: constants.BackupRootPath},
},
@@ -293,6 +293,22 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
})
}
+ if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
+ volumeMounts = append(volumeMounts, corev1.VolumeMount{
+ Name: "tidb-client-tls",
+ ReadOnly: true,
+ MountPath: util.TiDBClientTLSPath,
+ })
+ volumes = append(volumes, corev1.Volume{
+ Name: "tidb-client-tls",
+ VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster),
+ },
+ },
+ })
+ }
+
serviceAccount := constants.DefaultServiceAccountName
if backup.Spec.ServiceAccount != "" {
serviceAccount = backup.Spec.ServiceAccount
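Review bot: The `tidb-client-tls` secret volume is resolved in the namespace of the Job's pod, but its name is derived from `backup.Spec.BR.Cluster`, and that cluster may live in a different namespace since the spec appears to carry a separate cluster-namespace setting. In that case the pod would presumably wait on a missing secret with nothing in the Backup status to explain it. A comment above the block would help, for example `// the client TLS secret must exist in the Backup's namespace, not the TidbCluster's`, and the literal `"tidb-client-tls"` used for both the mount and the volume is better as one constant. The `SecretVolumeSource` also leaves `DefaultMode` unset, so the private key file gets the default file mode; a tighter mode is worth considering if the container's user allows it. The identical block in makeRestoreJob (restore_manager.go) has the same points; makeBackupJob continues outside the hunk.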
@@ -309,7 +325,7 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
Name: label.BackupJobLabelVal,
Image: controller.TidbBackupManagerImage,
Args: args,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
VolumeMounts: volumeMounts,
Env: envVars,
},
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index 1a38b7489f..da62c7b029 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -197,7 +197,7 @@ func (rm *restoreManager) makeImportJob(restore *v1alpha1.Restore) (*batchv1.Job
Name: label.RestoreJobLabelVal,
Image: controller.TidbBackupManagerImage,
Args: args,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
VolumeMounts: []corev1.VolumeMount{
{Name: label.RestoreJobLabelVal, MountPath: constants.BackupRootPath},
},
@@ -277,6 +277,22 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
})
}
+ if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
+ volumeMounts = append(volumeMounts, corev1.VolumeMount{
+ Name: "tidb-client-tls",
+ ReadOnly: true,
+ MountPath: util.TiDBClientTLSPath,
+ })
+ volumes = append(volumes, corev1.Volume{
+ Name: "tidb-client-tls",
+ VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster),
+ },
+ },
+ })
+ }
+
serviceAccount := constants.DefaultServiceAccountName
if restore.Spec.ServiceAccount != "" {
serviceAccount = restore.Spec.ServiceAccount
@@ -294,7 +310,7 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
Name: label.RestoreJobLabelVal,
Image: controller.TidbBackupManagerImage,
Args: args,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
VolumeMounts: volumeMounts,
Env: envVars,
},
From 8c2223edcca026e53b03c19f7d73d61ec7842dfb Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 17:45:37 +0800
Subject: [PATCH 08/17] delete unused files
---
aylei.bk | 20 --------------------
aylei.yaml | 22 ----------------------
backup-export.yaml | 23 -----------------------
backup.yaml | 37 -------------------------------------
dev-base.yaml | 27 ---------------------------
5 files changed, 129 deletions(-)
delete mode 100644 aylei.bk
delete mode 100644 aylei.yaml
delete mode 100644 backup-export.yaml
delete mode 100644 backup.yaml
delete mode 100644 dev-base.yaml
diff --git a/aylei.bk b/aylei.bk
deleted file mode 100644
index d8a554587b..0000000000
--- a/aylei.bk
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: pingcap.com/v1alpha1
-kind: Backup
-metadata:
- name: br-test
- namespace: tidb3
-spec:
- br:
- cluster: db
- clusterNamespce: tidb3
- concurrency: 16
- from:
- host: db-tidb.tidb3
- secretName: db-secret
- user: root
- s3:
- provider: aws
- region: us-west-2
- bucket: dbaas-hibernate
- prefix: test2
- secretName: aws-secret
diff --git a/aylei.yaml b/aylei.yaml
deleted file mode 100644
index 90feb1e2fc..0000000000
--- a/aylei.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-clusters:
-- cluster:
- certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwekNDQWJ1Z0F3SUJBZ0lNRmZ6R1FnQ0NZbEQ5NXUzVE1BMEdDU3FHU0liM0RRRUJDd1VBTUJVeEV6QVIKQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13SGhjTk1qQXdNekUwTVRFME5UVTFXaGNOTXpBd016RTBNVEUwTlRVMQpXakFWTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQTJEeUI2RmhDMHhPR245TDRUK2F4SUdTMm4zSzhsWlIwUE1WRzhHazQ3cU1RZjQrSTBadE0KU3ozVURpRk1pQnVKTXl2Rnd6b2Zoek1aTjUzRVBWS1JUL2hodmJxRm5HMGxlTGhremFpNjdHZmJaeDVadmNQOQpFMDZQTTlHMDRLU2ZwczBJaFdiZjJHclVvZlZPZXJZMFF0QUJQREpXM0Vjc1huajkzdml1SVZsaElqSWgzdTNlCnlhSE1GRElEckVrRTFVN2lPYnNlQmFFbFJ2dW4zbWplVTgyd2hjci9TbUJ5M0xpSlFuazVwL2dPY2M3c2UxNXYKaVRqZkwzV1czcTcxY0xGYVFSazF1VnFxT3BJUFgySGtJMC9ReUtWZ2Zud3FxbUQ2OXFPeW9aSm03MXplVnByMwoyTDdKV294ZUZ4dktiR1Q2OWh5NnBleWdCRUdXSk5GRXNRSURBUUFCb3lNd0lUQU9CZ05WSFE4QkFmOEVCQU1DCkFRWXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFHVFF0ZmFWOHc1Wk8KOVBVR3huTGpuWlBibnRXR1hxSy9TZC9YL2JyZlRzSlF0dkJVS3ZvNnBDdThYSG5DVytDZ2NXVnRrZ29HMy8zdQpYNVoxVGRSN1U2eG9vcVV4RnRMSFBPUXE0cm55Mzdya2pNaDViZk1JY1QwcWZ4M0c1QkthVjBwVEk1YmxIa09NClltNllUeHh4MVFOcUZTMXkyaTBOYjE1Z2kyVkQ5cnBaYUlSK2NpSTJ6MkNOOGpIVHRYclBZMGNMeEhreXpkS2IKQzJadlZyM2Y4MzViRW1NYlhldm41a2FFUWlBeG9oYWQrZWZlL0cyNUtINnRsVityc3hidkRGaFhYdTBRSmlJdQo5eGxDd1ZxSFBjejkxOGNLQXFoU1Z3SllaSkQ4Zkd6cWszMkY0cHc5a3Q2OHk3UU1uK2VSYlYwUHBhQTBOOWJoCkRZMU9uWFlqa2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
- server: https://api-benchmark-k8s-local-fmeitd-1509208865.us-west-2.elb.amazonaws.com
- name: benchmark.k8s.local
-contexts:
-- context:
- cluster: benchmark.k8s.local
- namespace: operations
- user: benchmark.k8s.local
- name: benchmark.k8s.local
-current-context: benchmark.k8s.local
-kind: Config
-preferences: {}
-users:
-- name: benchmark.k8s.local
- user:
- client-certificate-data: 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
- client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdU9mcmN6MWpWSWNYZWpJSlEvdzlhQWc0S1lidXJpdGdoUjZLWmFBN0VtMEhrdXltCmJRaWo2UjRPc2IwQUtqME43dFRoRkRVSlhOek5DS09vUUVOZTNpZFFrbDN6ckxZTlhlSVJ4RU8weFBkc3VUMlgKNFBtRXlOai90ZGRPYlBISGxuYVUydnJxTS93NDdpV0ZFVEJzaCthY0M2Yzd4ODBxQVNmd1dsb3E4dzRzc25aVApCdXNvT0RVdFdGekZsZWNpaEJTUGQxUHZkNGVueVdqMXpTVXNpb2VISlIwVXUvMk1BOVBaUmE4eEN5NDNoMnFBCnEzd3hHdDFFUDdVdDhOdnlMT2pjSXNkTDZjc2g4Z0lDTzNxeDlLUC9yM0FrUmNzM0lOT2JMY0I5SWEzNXRicXUKNysxazZyaElIcnYrSE51d1R5TWhEcWtMY1VYMmpUTFdWRit6Q1FJREFRQUJBb0lCQVFDWmFHa1M2anFQOWFqSAp5OTJlRnhkSFNaSjIrYWpxdmJoTm1ZSVBRTG5oMXExeSszNDBkZmV2d0MxR3oxemtybFR4OHBKdTluVzNJc1hGClJpcWdib1MxNFg1YWdUSmE5NHZ0ZVZOdU54SXlYR2xLNHN3d2JqUDVndmZjZ1M1aSt0R3hodDZITTZlOXk2UGMKQ1NyMmtPdHFjU3pFQ2xKeHVVa0JQb2FPSDhNRWRUSzZ6QjFTQUkxeXN3cVh1QzFueDBJcWd4eldMTHFmdElRZAo4UWxhQ3BMME1pWGxTNkRQRm5ELzNVcVZOdTd3RTBuUXlnNHNRak92eVkrc1BjemVKa0J1UjMrY0c4SFlXR1ZHCndMY3BUa3poQmdadEVoYTB5NlFHZlQ0eWszTWY0VzNTbXlWSzlESU1kaEY0S3RpTGFkMWZYeUxwY1V6WXFMZ20KTmw2TGw4ZGxBb0dCQU1jNDFGbGdSVjBZcEFnbE04a3E3dnd6UW5NV0pFVitwYTV3TC8zOXVEeHltYnJodEFlOAorZU1KVHRsclRLOTNiNGcydlEzODVkWk1ERmljVWc2NHhraWVFV0oxL0xLakUrWXY3b3BudFJkQUhVczF1UW5jCk00Z0JQUUg5SXdjeTVpaFhMV3ZmN2czOXNxQzFPN3RmS1VHTmNmWVlRYTRUdEx5MzExampOdzVQQW9HQkFPMmEKbUg4N1pSNkdCUzJSUmhaQWhyMEVlSkJIejVrd3A5WjN4elRtSndlK2N0N2VQTmhGSi9xVzVHb0J4RUMyUW44ago2WkoyQXZnSXdSZ09kc2h2K3VOLzRScW4wVnJ4a2psUmpMVzNkL2NFaUkyZU9aMjJEREwvLytQSWQxcVA4eDdvCnFiRFBoQngvbktnQ1NtalI0a2lGSWU3Yi84T0JlODhpMW8zNUJ1c25Bb0dBVXRCNTNVbGFyQzl4Q0gzR2dDcGIKdS9UbSs0Wkp2Nlc4NDcxNUJjRXhrOWNqdG43YVlwa1kyMXJrTHhjZWdwWklnN3dWYkxvakpLanFQTytHWU41SQpkcWxXbXJKblFDN3dON0RYSFN1dEtLUWJTVWRreXdlQldGa0RiazgyLzJnV0t0REtiZHhoVGVtWEZwMGYzbXpaCmJvbUl4UDhpVm1XVXJScFM1MzFVUnBzQ2dZRUE2b0FlcTh2SjlBTWZqeWFHdnFWMmxZeVpGUVRhdmYxSVdLSWsKaUcveDYzR3FXNDJKRFlYTGZFVjZMNm1Jc0xseERadzdCU0xWc1VpcWtueUwvU3lQdUFKWS8zN0xYKzkxZW42aQoyaUcyRTZSMHhSaDVFczgrWVFOSjROelQ5eHlGUFdjeE91REVLWUJFODRnM09oYVROekcyR05FbUx5VlhOVXJUCjZKRHpwQmNDZ1lFQWtpVVlQdUp2UjZBa
zg4UHI5NmUvYkdCdmw1dUFURTdGVVF3VDYvOUlBYjRKTnJWZFhKNHYKbUxOY3RnTmVjZnlreXhpNVRHV3FZMG15enhDVEVvU0RGMTNOSjRwTlk1ZmphcmUyNXMvVkQxMCs4WW5oNTIrSgpjaExIV0t2Sk5KcHZwQitIRUN0UjU3RXlvT2JlaUp3VGszRDZIY2V0MXBCSnJWTjVsNGdVT0JNPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
- password: H6oc82ldn9Qkukro1691mUPOmIayitqg
- username: admin
diff --git a/backup-export.yaml b/backup-export.yaml
deleted file mode 100644
index 587eda5c6a..0000000000
--- a/backup-export.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: pingcap.com/v1alpha1
-kind: Backup
-metadata:
- name: export-backup-s3
- namespace: tidb4
- annotations:
- iam.amazonaws.com/role: "arn:aws:iam::385595570414:role/dbaas-kops-jony22-backup"
-spec:
- backupType: full
- useKMS: true
- tikvGCLifeTime: 100h
- storageClassName: gp2
- storageSize: 1Gi
- from:
- host: 172.30.2.6
- secretName: mysql-pwd-1584498036384022997
- port: 4000
- user: root
- s3:
- provider: aws
- region: us-west-2
- bucket: backup.jony22.us-west-2.tidbcloud.com
diff --git a/backup.yaml b/backup.yaml
deleted file mode 100644
index 79f8ef4b4d..0000000000
--- a/backup.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: pingcap.com/v1alpha1
-kind: Backup
-metadata:
- name: sa-backup-s3
- namespace: cluster
-spec:
- backupType: full
- useKMS: false
- br:
- cluster: cluster
- clusterNamespace: cluster
- sendCredToTikv: true
- tlsCluster:
- enabled: true
- # clusterNamespce:
- # enableTLSClient: true
- # logLevel: info
- # statusAddr:
- # concurrency: 4
- # rateLimit: 0
- # timeAgo:
- # checksum: true
- # sendCredToTikv: true
- from:
- host: cluster-tidb.cluster
- secretName: backup-demo1-tidb-secret
- port: 4000
- user: root
- tlsClient:
- enabled: true
- s3:
- provider: aws
- region: us-west-2
- secretName: s3-secret
- bucket: backup.jony22.us-west-2.tidbcloud.com
- prefix: backup-sa
diff --git a/dev-base.yaml b/dev-base.yaml
deleted file mode 100644
index 5821fd1c64..0000000000
--- a/dev-base.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-clusters:
-- cluster:
- certificate-authority-data: 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
- server: https://3EC1E40428945479FDF2FC344F9165E6.gr7.us-west-2.eks.amazonaws.com
- name: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
-contexts:
-- context:
- cluster: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
- user: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
- name: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
-current-context: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
-kind: Config
-preferences: {}
-users:
-- name: arn:aws:eks:us-west-2:385595570414:cluster/eks-gardener
- user:
- exec:
- apiVersion: client.authentication.k8s.io/v1alpha1
- args:
- - --region
- - us-west-2
- - eks
- - get-token
- - --cluster-name
- - eks-gardener
- command: aws
From 7c49195634c31daead3941e828d8df679bd5057f Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 17:46:46 +0800
Subject: [PATCH 09/17] delete unused file
---
images/tidb-backup-manager/tc.yaml | 73 ------------------------------
1 file changed, 73 deletions(-)
delete mode 100644 images/tidb-backup-manager/tc.yaml
diff --git a/images/tidb-backup-manager/tc.yaml b/images/tidb-backup-manager/tc.yaml
deleted file mode 100644
index 9199a4b91b..0000000000
--- a/images/tidb-backup-manager/tc.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-apiVersion: pingcap.com/v1alpha1
-kind: TidbCluster
-metadata:
- annotations:
- pingcap.com/pd.cluster-pd.sha: 3fff04ec
- pingcap.com/tidb.cluster-tidb.sha: 6444ca57
- pingcap.com/tikv.cluster-tikv.sha: ef2e15d9
- creationTimestamp: "2020-03-19T10:38:55Z"
- generation: 1
- labels:
- app.kubernetes.io/component: tidb-cluster
- app.kubernetes.io/instance: cluster
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: tidb-cluster
- helm.sh/chart: tidb-cluster-dev
- name: cluster
- namespace: cluster
- resourceVersion: "104342"
- selfLink: /apis/pingcap.com/v1alpha1/namespaces/cluster/tidbclusters/cluster
- uid: d565b650-69cd-11ea-9a0f-0242ac110004
-spec:
- enablePVReclaim: false
- pd:
- affinity: {}
- baseImage: ""
- hostNetwork: false
- image: 385595570414.dkr.ecr.us-west-2.amazonaws.com/dbaas/jony8/pd:v4.0.0-beta.1
- imagePullPolicy: IfNotPresent
- replicas: 1
- requests:
- storage: 1Gi
- storageClassName: local-storage
- pvReclaimPolicy: Retain
- schedulerName: tidb-scheduler
- services:
- - name: pd
- type: ClusterIP
- tidb:
- affinity: {}
- baseImage: ""
- binlogEnabled: false
- hostNetwork: false
- image: 385595570414.dkr.ecr.us-west-2.amazonaws.com/dbaas/jony8/tidb:v4.0.0-beta.1
- imagePullPolicy: IfNotPresent
- maxFailoverCount: 3
- replicas: 1
- separateSlowLog: true
- slowLogTailer:
- image: busybox:1.26.2
- imagePullPolicy: IfNotPresent
- limits:
- cpu: 100m
- memory: 50Mi
- requests:
- cpu: 20m
- memory: 5Mi
- tlsClient:
- enabled: true
- tikv:
- affinity: {}
- baseImage: ""
- hostNetwork: false
- image: 385595570414.dkr.ecr.us-west-2.amazonaws.com/dbaas/jony8/tikv:v4.0.0-beta.1
- imagePullPolicy: IfNotPresent
- maxFailoverCount: 3
- replicas: 1
- requests:
- storage: 10Gi
- storageClassName: local-storage
- timezone: UTC
- tlsCluster:
- enabled: true
- version: ""
From 178d338b0c266ee99c0c4674ff47b7500001f3d9 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 17:47:32 +0800
Subject: [PATCH 10/17] delete unused file
---
restore-import.yaml | 23 -----------------------
restore.yaml | 35 -----------------------------------
2 files changed, 58 deletions(-)
delete mode 100644 restore-import.yaml
delete mode 100644 restore.yaml
diff --git a/restore-import.yaml b/restore-import.yaml
deleted file mode 100644
index 79601d7a23..0000000000
--- a/restore-import.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: pingcap.com/v1alpha1
-kind: Restore
-metadata:
- name: import-backup-s3
- namespace: tidb4
- annotations:
- iam.amazonaws.com/role: "arn:aws:iam::385595570414:role/dbaas-kops-jony22-backup"
-spec:
- backupType: full
- useKMS: true
- tikvGCLifeTime: 100h
- storageClassName: gp2
- storageSize: 1Gi
- to:
- host: 172.30.2.6
- secretName: mysql-pwd-1584498036384022997
- port: 4000
- user: root
- s3:
- provider: aws
- region: us-west-2
- path: s3://backup.jony22.us-west-2.tidbcloud.com/backup-2020-03-18T07:06:23Z.tgz
diff --git a/restore.yaml b/restore.yaml
deleted file mode 100644
index 1dbcb1cc9c..0000000000
--- a/restore.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: pingcap.com/v1alpha1
-kind: Restore
-metadata:
- name: sa-restore-s3
- namespace: cluster
-spec:
- backupType: full
- useKMS: false
- br:
- cluster: cluster
- clusterNamespace: cluster
- sendCredToTikv: true
- tlsCluster:
- enabled: true
- # clusterNamespce:
- # enableTLSClient: true
- # logLevel: info
- # statusAddr:
- # concurrency: 4
- # rateLimit: 0
- # timeAgo:
- # checksum: true
- # sendCredToTikv: true
- to:
- host: cluster-tidb.cluster
- secretName: backup-demo1-tidb-secret
- port: 4000
- user: root
- s3:
- provider: aws
- region: us-west-2
- secretName: s3-secret
- bucket: backup.jony22.us-west-2.tidbcloud.com
- prefix: backup-sa
From 5ebb8178b78f5ce54ec70ef808f58ac21f2f794d Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Fri, 20 Mar 2020 18:06:39 +0800
Subject: [PATCH 11/17] fix lint
---
cmd/backup-manager/app/import/manager.go | 1 +
cmd/backup-manager/app/util/generic.go | 5 ++---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/backup-manager/app/import/manager.go b/cmd/backup-manager/app/import/manager.go
index f7c2c7c9ed..624d24e156 100644
--- a/cmd/backup-manager/app/import/manager.go
+++ b/cmd/backup-manager/app/import/manager.go
@@ -93,6 +93,7 @@ func (rm *RestoreManager) ProcessRestore() error {
return false, err
}
+ db, err = util.OpenDB(dsn)
if err != nil {
klog.Warningf("can't connect to tidb cluster %s, err: %s", rm, err)
return false, nil
diff --git a/cmd/backup-manager/app/util/generic.go b/cmd/backup-manager/app/util/generic.go
index 17a98aa61f..ee32e0e3a8 100644
--- a/cmd/backup-manager/app/util/generic.go
+++ b/cmd/backup-manager/app/util/generic.go
@@ -51,7 +51,7 @@ func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
return "", err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
- return "", errors.New("Failed to append PEM.")
+ return "", errors.New("Failed to append PEM")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair(
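Review bot: The new error string `"Failed to append PEM"` still starts with a capital letter, which the usual Go lint rule for error strings rejects just as it rejects the trailing period this hunk removes. It also does not say which input failed to parse. Something like `errors.New("no valid certificate found in client CA bundle")` (wording is only a suggestion) would pass lint and tell an operator where to look. GetDSN starts and ends outside the hunk.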
@@ -67,9 +67,8 @@ func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
ServerName: bo.Host,
})
return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
- } else {
- return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
}
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
}
func (bo *GenericOptions) GetTikvGCLifeTime(db *sql.DB) (string, error) {
From 57c0baef8fe49e24dc6785f5600104196367778f Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 10:17:42 +0800
Subject: [PATCH 12/17] add example template
---
manifests/backup/backup-aws-s3-br.yaml | 5 ++++-
manifests/backup/backup-s3-br.yaml | 5 ++++-
manifests/backup/restore-aws-s3-br.yaml | 5 ++++-
manifests/backup/restore-s3-br.yaml | 5 ++++-
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml
index 1efec57a76..51cf56dd19 100644
--- a/manifests/backup/backup-aws-s3-br.yaml
+++ b/manifests/backup/backup-aws-s3-br.yaml
@@ -13,7 +13,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce:
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# logLevel: info
# statusAddr:
# concurrency: 4
@@ -26,6 +27,8 @@ spec:
secretName: mySecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml
index d57c23beb7..db70f75268 100644
--- a/manifests/backup/backup-s3-br.yaml
+++ b/manifests/backup/backup-s3-br.yaml
@@ -13,7 +13,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce:
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# logLevel: info
# statusAddr:
# concurrency: 4
@@ -26,6 +27,8 @@ spec:
secretName: mySecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml
index de5edeedb7..d576e4d767 100644
--- a/manifests/backup/restore-aws-s3-br.yaml
+++ b/manifests/backup/restore-aws-s3-br.yaml
@@ -13,7 +13,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce:
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# db:
# table:
# logLevel: info
@@ -28,6 +29,8 @@ spec:
secretName: mySecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml
index 9ce686f63e..e00bcf70ae 100644
--- a/manifests/backup/restore-s3-br.yaml
+++ b/manifests/backup/restore-s3-br.yaml
@@ -13,7 +13,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce:
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# db:
# table:
# logLevel: info
@@ -28,6 +29,8 @@ spec:
secretName: mySecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: ceph
endpoint: http://10.233.57.220
From 5b66518801137b69532c85cebc839b6c6f8d9261 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 10:34:25 +0800
Subject: [PATCH 13/17] add schedule example
---
manifests/backup/backup-schedule-aws-s3-br.yaml | 5 ++++-
manifests/backup/backup-schedule-s3-br.yaml | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml
index bf9501f784..a1c7c56d99 100644
--- a/manifests/backup/backup-schedule-aws-s3-br.yaml
+++ b/manifests/backup/backup-schedule-aws-s3-br.yaml
@@ -18,7 +18,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce: backupNamespace
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# logLevel: info
# statusAddr:
# concurrency: 4
@@ -31,6 +32,8 @@ spec:
secretName: mysecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml
index 9cfda351e2..9e15270d39 100644
--- a/manifests/backup/backup-schedule-s3-br.yaml
+++ b/manifests/backup/backup-schedule-s3-br.yaml
@@ -18,7 +18,8 @@ spec:
br:
cluster: myCluster
# clusterNamespce: backupNamespace
- # enableTLSClient: true
+ # tlsCluster:
+ # enabled: false
# logLevel: info
# statusAddr:
# concurrency: 4
@@ -31,6 +32,8 @@ spec:
secretName: mysecret
# port: 4000
# user: root
+ # tlsClient:
+ # enabled: false
s3:
provider: ceph
endpoint: http://10.233.57.220
From 029f661ea94bfae82957d14684fce9f885d531f2 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 17:21:46 +0800
Subject: [PATCH 14/17] specify a secret name for client TLS in backup and
restore
---
cmd/backup-manager/app/backup/manager.go | 3 +-
cmd/backup-manager/app/restore/manager.go | 3 +-
cmd/backup-manager/app/util/generic.go | 48 +++++++++----------
docs/api-references/docs.html | 13 +++++
manifests/backup/backup-aws-s3-br.yaml | 1 +
manifests/backup/backup-s3-br.yaml | 1 +
.../backup/backup-schedule-aws-s3-br.yaml | 1 +
manifests/backup/backup-schedule-s3-br.yaml | 1 +
manifests/backup/restore-aws-s3-br.yaml | 1 +
manifests/backup/restore-s3-br.yaml | 1 +
manifests/crd.yaml | 12 +++++
.../pingcap/v1alpha1/openapi_generated.go | 7 +++
pkg/apis/pingcap/v1alpha1/types.go | 4 ++
pkg/backup/backup/backup_manager.go | 7 ++-
pkg/backup/restore/restore_manager.go | 6 ++-
15 files changed, 78 insertions(+), 31 deletions(-)
diff --git a/cmd/backup-manager/app/backup/manager.go b/cmd/backup-manager/app/backup/manager.go
index b060153394..1bd3d2f829 100644
--- a/cmd/backup-manager/app/backup/manager.go
+++ b/cmd/backup-manager/app/backup/manager.go
@@ -80,8 +80,7 @@ func (bm *Manager) ProcessBackup() error {
})
}
- var enableTLSClient bool
- enableTLSClient = false
+ enableTLSClient := false
if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
enableTLSClient = true
}
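Review bot: The flag can be initialised directly from the condition instead of being set to false and then overwritten: `enableTLSClient := backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled`. That removes the two-step assignment and makes it obvious the value has a single source. The same pattern is introduced in ProcessRestore (restore/manager.go) with `restore.Spec.To.TLSClient`. ProcessBackup continues outside the hunk.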
diff --git a/cmd/backup-manager/app/restore/manager.go b/cmd/backup-manager/app/restore/manager.go
index 990b31cd5d..5003865f95 100644
--- a/cmd/backup-manager/app/restore/manager.go
+++ b/cmd/backup-manager/app/restore/manager.go
@@ -82,8 +82,7 @@ func (rm *Manager) ProcessRestore() error {
return fmt.Errorf("no br config in %s", rm)
}
- var enableTLSClient bool
- enableTLSClient = false
+ enableTLSClient := false
if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
enableTLSClient = true
}
diff --git a/cmd/backup-manager/app/util/generic.go b/cmd/backup-manager/app/util/generic.go
index ee32e0e3a8..97b6e2fe0d 100644
--- a/cmd/backup-manager/app/util/generic.go
+++ b/cmd/backup-manager/app/util/generic.go
@@ -44,31 +44,31 @@ func (bo *GenericOptions) String() string {
}
func (bo *GenericOptions) GetDSN(enabledTLSClient bool) (string, error) {
- if enabledTLSClient {
- rootCertPool := x509.NewCertPool()
- pem, err := ioutil.ReadFile(path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))
- if err != nil {
- return "", err
- }
- if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
- return "", errors.New("Failed to append PEM")
- }
- clientCert := make([]tls.Certificate, 0, 1)
- certs, err := tls.LoadX509KeyPair(
- path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey),
- path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))
- if err != nil {
- return "", err
- }
- clientCert = append(clientCert, certs)
- mysql.RegisterTLSConfig("customer", &tls.Config{
- RootCAs: rootCertPool,
- Certificates: clientCert,
- ServerName: bo.Host,
- })
- return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
+ if !enabledTLSClient {
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
}
- return fmt.Sprintf("%s:%s@(%s:%d)/%s?charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
+ rootCertPool := x509.NewCertPool()
+ pem, err := ioutil.ReadFile(path.Join(util.TiDBClientTLSPath, corev1.ServiceAccountRootCAKey))
+ if err != nil {
+ return "", err
+ }
+ if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+ return "", errors.New("Failed to append PEM")
+ }
+ clientCert := make([]tls.Certificate, 0, 1)
+ certs, err := tls.LoadX509KeyPair(
+ path.Join(util.TiDBClientTLSPath, corev1.TLSCertKey),
+ path.Join(util.TiDBClientTLSPath, corev1.TLSPrivateKeyKey))
+ if err != nil {
+ return "", err
+ }
+ clientCert = append(clientCert, certs)
+ mysql.RegisterTLSConfig("customer", &tls.Config{
+ RootCAs: rootCertPool,
+ Certificates: clientCert,
+ ServerName: bo.Host,
+ })
+ return fmt.Sprintf("%s:%s@(%s:%d)/%s?tls=customer&charset=utf8", bo.User, bo.Password, bo.Host, bo.Port, constants.TidbMetaDB), nil
}
func (bo *GenericOptions) GetTikvGCLifeTime(db *sql.DB) (string, error) {
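Review bot: The return value of `mysql.RegisterTLSConfig` is discarded in the rewritten GetDSN, so a failed registration only surfaces later as a connection error against `tls=customer`. Assuming `mysql` is the go-sql-driver package, the call returns an error that should be checked, e.g. `if err := mysql.RegisterTLSConfig("customer", tlsCfg); err != nil { return "", err }`. The `tls.Config` also sets no minimum protocol version and inherits whatever the toolchain defaults to; adding `MinVersion: tls.VersionTLS12` pins it. A doc comment on GetDSN should state that it reads the CA, certificate and key from `util.TiDBClientTLSPath`, and that the server certificate must carry `bo.Host` as a SAN because it is used as `ServerName`. It should also say that the returned DSN embeds the password and must not be logged.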
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index 4293d852c8..3b135fea2a 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -6777,6 +6777,19 @@ TiDBAccessConfig
Optional: Defaults to nil
+
+
+tlsSecret
+
+string
+
+
+
+(Optional)
+Specify a secret for client cert in backup/restore
+Optional: Defaults to -tidb-client-secret
+
+
TiDBConfig
diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml
index 51cf56dd19..73166ab904 100644
--- a/manifests/backup/backup-aws-s3-br.yaml
+++ b/manifests/backup/backup-aws-s3-br.yaml
@@ -29,6 +29,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml
index db70f75268..56da73c236 100644
--- a/manifests/backup/backup-s3-br.yaml
+++ b/manifests/backup/backup-s3-br.yaml
@@ -29,6 +29,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml
index a1c7c56d99..d0ac2767b9 100644
--- a/manifests/backup/backup-schedule-aws-s3-br.yaml
+++ b/manifests/backup/backup-schedule-aws-s3-br.yaml
@@ -34,6 +34,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml
index 9e15270d39..f6a7d5908e 100644
--- a/manifests/backup/backup-schedule-s3-br.yaml
+++ b/manifests/backup/backup-schedule-s3-br.yaml
@@ -34,6 +34,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml
index d576e4d767..4bc1db83bb 100644
--- a/manifests/backup/restore-aws-s3-br.yaml
+++ b/manifests/backup/restore-aws-s3-br.yaml
@@ -31,6 +31,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml
index e00bcf70ae..ab2d00464b 100644
--- a/manifests/backup/restore-s3-br.yaml
+++ b/manifests/backup/restore-s3-br.yaml
@@ -31,6 +31,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
index 2849277203..2dbc8ff636 100644
--- a/manifests/crd.yaml
+++ b/manifests/crd.yaml
@@ -6814,6 +6814,10 @@ spec:
cluster's password.
type: string
tlsClient: {}
+ tlsSecret:
+ description: 'Specify a secret for client cert in backup/restore
+ Optional: Defaults to -tidb-client-secret'
+ type: string
user:
description: User is the user for login tidb cluster
type: string
@@ -7751,6 +7755,10 @@ spec:
cluster's password.
type: string
tlsClient: {}
+ tlsSecret:
+ description: 'Specify a secret for client cert in backup/restore
+ Optional: Defaults to -tidb-client-secret'
+ type: string
user:
description: User is the user for login tidb cluster
type: string
@@ -8543,6 +8551,10 @@ spec:
cluster's password.
type: string
tlsClient: {}
+ tlsSecret:
+ description: 'Specify a secret for client cert in backup/restore
+ Optional: Defaults to -tidb-client-secret'
+ type: string
user:
description: User is the user for login tidb cluster
type: string
diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
index b6d2fa4e22..4299c06266 100644
--- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go
+++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
@@ -3207,6 +3207,13 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb
Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"),
},
},
+ "tlsSecret": {
+ SchemaProps: spec.SchemaProps{
+ Description: "Specify a secret for client cert in backup/restore Optional: Defaults to -tidb-client-secret",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
},
Required: []string{"host", "secretName"},
},
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index 0c6fb806c6..a9b0aef321 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -785,6 +785,10 @@ type TiDBAccessConfig struct {
// Optional: Defaults to nil
// +optional
TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"`
+ // Specify a secret for client cert in backup/restore
+ // Optional: Defaults to -tidb-client-secret
+ // +optional
+ TLSSecret string `json:"tlsSecret,omitempty"`
}
// +k8s:openapi-gen=true
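Review bot: The comment on the new `TLSSecret` field leaves out what a user needs to fill it in correctly. The default is printed as `-tidb-client-secret`, which reads as if a cluster-name prefix is missing, and nothing says the secret must live in the Backup/Restore object's namespace or which keys it must hold. Judging from GetDSN in this series, the job reads a CA certificate, a client certificate and a private key from the mounted secret, so the comment should list those keys. It should also note that the field only takes effect when `tlsClient.enabled` is true. Go convention would start the comment with the field name, e.g. `// TLSSecret is the name of the secret holding the client certificate used by backup/restore jobs`; the struct starts outside the hunk.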
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index bc5a23cadd..7d8ae2c463 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -292,7 +292,10 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
},
})
}
-
+ clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster)
+ if backup.Spec.From.TLSSecret != "" {
+ clientSecretName = backup.Spec.From.TLSSecret
+ }
if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
Name: "tidb-client-tls",
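Review bot: `clientSecretName` is resolved before the `TLSClient` check, so the default name is computed for every job and a `tlsSecret` set while TLS is disabled is silently ignored. Moving the lookup inside the `if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled` block keeps it next to its only use, and a warning event or validation error for `tlsSecret` without `enabled: true` would catch the misconfiguration. The value comes straight from the CR and is mounted into the job pod, so a comment such as `// TLSSecret is user-supplied and is resolved only in the Backup's namespace` would document the trust boundary. The second hunk of this file and both hunks in restore_manager.go follow the same pattern; makeBackupJob continues outside the hunk.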
@@ -303,7 +306,7 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
Name: "tidb-client-tls",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster),
+ SecretName: clientSecretName,
},
},
})
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index da62c7b029..bc1ba4d2e8 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -277,6 +277,10 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
})
}
+ clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster)
+ if restore.Spec.To.TLSSecret != "" {
+ clientSecretName = restore.Spec.To.TLSSecret
+ }
if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
volumeMounts = append(volumeMounts, corev1.VolumeMount{
Name: "tidb-client-tls",
@@ -287,7 +291,7 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
Name: "tidb-client-tls",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
- SecretName: util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster),
+ SecretName: clientSecretName,
},
},
})
From 51b8feb99c217ab2352bc8065d2da9d0e86ba156 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 19:01:09 +0800
Subject: [PATCH 15/17] address comment
---
docs/api-references/docs.html | 28 ++++++++++---------
manifests/backup/backup-aws-s3-br.yaml | 2 +-
manifests/backup/backup-s3-br.yaml | 2 +-
.../backup/backup-schedule-aws-s3-br.yaml | 2 +-
manifests/backup/backup-schedule-s3-br.yaml | 2 +-
manifests/backup/restore-aws-s3-br.yaml | 2 +-
manifests/backup/restore-s3-br.yaml | 2 +-
manifests/crd.yaml | 12 --------
.../pingcap/v1alpha1/openapi_generated.go | 7 -----
pkg/apis/pingcap/v1alpha1/types.go | 10 ++++---
pkg/backup/backup/backup_manager.go | 8 +++---
pkg/backup/restore/restore_manager.go | 8 +++---
12 files changed, 35 insertions(+), 50 deletions(-)
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index 3b135fea2a..cbd9a8f218 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -6777,19 +6777,6 @@ TiDBAccessConfig
Optional: Defaults to nil
-
-
-tlsSecret
-
-string
-
-
-
-(Optional)
-Specify a secret for client cert in backup/restore
-Optional: Defaults to -tidb-client-secret
-
-
TiDBConfig
@@ -7705,6 +7692,21 @@ TiDBTLSClient
4. Set Enabled to true
.
+
+
+tlsSecret
+
+string
+
+
+
+(Optional)
+Specify a secret for client cert in backup/restore
+Optional: Defaults to -tidb-client-secret
+If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+this field only work in backup/restore process
+
+
TiKVBlockCacheConfig
diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml
index 73166ab904..baf00fa088 100644
--- a/manifests/backup/backup-aws-s3-br.yaml
+++ b/manifests/backup/backup-aws-s3-br.yaml
@@ -29,7 +29,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml
index 56da73c236..a99499337e 100644
--- a/manifests/backup/backup-s3-br.yaml
+++ b/manifests/backup/backup-s3-br.yaml
@@ -29,7 +29,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml
index d0ac2767b9..c66c48a99e 100644
--- a/manifests/backup/backup-schedule-aws-s3-br.yaml
+++ b/manifests/backup/backup-schedule-aws-s3-br.yaml
@@ -34,7 +34,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml
index f6a7d5908e..14898e84da 100644
--- a/manifests/backup/backup-schedule-s3-br.yaml
+++ b/manifests/backup/backup-schedule-s3-br.yaml
@@ -34,7 +34,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml
index 4bc1db83bb..1aea2fdb28 100644
--- a/manifests/backup/restore-aws-s3-br.yaml
+++ b/manifests/backup/restore-aws-s3-br.yaml
@@ -31,7 +31,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: aws
region: us-west-2
diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml
index ab2d00464b..6c86a605f6 100644
--- a/manifests/backup/restore-s3-br.yaml
+++ b/manifests/backup/restore-s3-br.yaml
@@ -31,7 +31,7 @@ spec:
# user: root
# tlsClient:
# enabled: false
- # tlsSecret:
+ # tlsSecret:
s3:
provider: ceph
endpoint: http://10.233.57.220
diff --git a/manifests/crd.yaml b/manifests/crd.yaml
index 2dbc8ff636..2849277203 100644
--- a/manifests/crd.yaml
+++ b/manifests/crd.yaml
@@ -6814,10 +6814,6 @@ spec:
cluster's password.
type: string
tlsClient: {}
- tlsSecret:
- description: 'Specify a secret for client cert in backup/restore
- Optional: Defaults to -tidb-client-secret'
- type: string
user:
description: User is the user for login tidb cluster
type: string
@@ -7755,10 +7751,6 @@ spec:
cluster's password.
type: string
tlsClient: {}
- tlsSecret:
- description: 'Specify a secret for client cert in backup/restore
- Optional: Defaults to -tidb-client-secret'
- type: string
user:
description: User is the user for login tidb cluster
type: string
@@ -8551,10 +8543,6 @@ spec:
cluster's password.
type: string
tlsClient: {}
- tlsSecret:
- description: 'Specify a secret for client cert in backup/restore
- Optional: Defaults to -tidb-client-secret'
- type: string
user:
description: User is the user for login tidb cluster
type: string
diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
index 4299c06266..b6d2fa4e22 100644
--- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go
+++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
@@ -3207,13 +3207,6 @@ func schema_pkg_apis_pingcap_v1alpha1_TiDBAccessConfig(ref common.ReferenceCallb
Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiDBTLSClient"),
},
},
- "tlsSecret": {
- SchemaProps: spec.SchemaProps{
- Description: "Specify a secret for client cert in backup/restore Optional: Defaults to -tidb-client-secret",
- Type: []string{"string"},
- Format: "",
- },
- },
},
Required: []string{"host", "secretName"},
},
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index a9b0aef321..c8fc9eb732 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -622,6 +622,12 @@ type TiDBTLSClient struct {
// 4. Set Enabled to `true`.
// +optional
Enabled bool `json:"enabled,omitempty"`
+ // Specify a secret for client cert in backup/restore
+ // Optional: Defaults to -tidb-client-secret
+ // +optional
+ // If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+ // this field only work in backup/restore process
+ TLSSecret string `json:"tlsSecret,omitempty"`
}
// TLSCluster can enable TLS connection between TiDB server components
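Review bot: The new comment on `TLSSecret` does not say where the Secret is looked up. A Secret volume can only reference a Secret in the pod's own namespace, so the name must refer to a Secret in the namespace the backup/restore Job runs in, and anyone allowed to edit that object chooses which Secret there gets mounted. I would open the comment with the field name and say so, e.g. `// TLSSecret is the name of the Secret (in the Job's namespace) holding the client certificate used by backup/restore.`, and keep `// +optional` as the last line directly above the field instead of in the middle of the prose. The default reads `-tidb-client-secret` with nothing before the dash, which looks like a missing cluster-name placeholder (possibly lost in rendering). The TiDBTLSClient struct starts outside this hunk.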
@@ -785,10 +791,6 @@ type TiDBAccessConfig struct {
// Optional: Defaults to nil
// +optional
TLSClient *TiDBTLSClient `json:"tlsClient,omitempty"`
- // Specify a secret for client cert in backup/restore
- // Optional: Defaults to -tidb-client-secret
- // +optional
- TLSSecret string `json:"tlsSecret,omitempty"`
}
// +k8s:openapi-gen=true
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index 7d8ae2c463..bf10dd5dce 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -292,11 +292,11 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
},
})
}
- clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster)
- if backup.Spec.From.TLSSecret != "" {
- clientSecretName = backup.Spec.From.TLSSecret
- }
if backup.Spec.From.TLSClient != nil && backup.Spec.From.TLSClient.Enabled {
+ clientSecretName := util.TiDBClientTLSSecretName(backup.Spec.BR.Cluster)
+ if backup.Spec.From.TLSClient.TLSSecret != "" {
+ clientSecretName = backup.Spec.From.TLSClient.TLSSecret
+ }
volumeMounts = append(volumeMounts, corev1.VolumeMount{
Name: "tidb-client-tls",
ReadOnly: true,
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index bc1ba4d2e8..f1407ba3ec 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -277,11 +277,11 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
})
}
- clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster)
- if restore.Spec.To.TLSSecret != "" {
- clientSecretName = restore.Spec.To.TLSSecret
- }
if restore.Spec.To.TLSClient != nil && restore.Spec.To.TLSClient.Enabled {
+ clientSecretName := util.TiDBClientTLSSecretName(restore.Spec.BR.Cluster)
+ if restore.Spec.To.TLSClient.TLSSecret != "" {
+ clientSecretName = restore.Spec.To.TLSClient.TLSSecret
+ }
volumeMounts = append(volumeMounts, corev1.VolumeMount{
Name: "tidb-client-tls",
ReadOnly: true,
From 309f1a4f1d6dae6d644a946b67ba8fd8fad7d0d9 Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 20:54:32 +0800
Subject: [PATCH 16/17] address comment
---
pkg/apis/pingcap/v1alpha1/types.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index c8fc9eb732..ba5fefcbd2 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -622,10 +622,10 @@ type TiDBTLSClient struct {
// 4. Set Enabled to `true`.
// +optional
Enabled bool `json:"enabled,omitempty"`
- // Specify a secret for client cert in backup/restore
+ // Specify a secret of client cert for backup/restore
// Optional: Defaults to -tidb-client-secret
// +optional
- // If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+ // If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
// this field only work in backup/restore process
TLSSecret string `json:"tlsSecret,omitempty"`
}
From a64c5eae7ada7c276e360ad4cceccbdad32e395d Mon Sep 17 00:00:00 2001
From: shuijing198799
Date: Mon, 23 Mar 2020 21:32:22 +0800
Subject: [PATCH 17/17] make check
---
docs/api-references/docs.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index cbd9a8f218..92e530d969 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -7701,9 +7701,9 @@ TiDBTLSClient
(Optional)
-Specify a secret for client cert in backup/restore
+
Specify a secret of client cert for backup/restore
Optional: Defaults to -tidb-client-secret
-If you want specify a secret for backup/restore, Generate a Secret Object according to the third step of the above reference, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
+If you want to specify a secret for backup/restore, generate a Secret Object according to the third step of the above procedure, The difference is the Secret Name can be freely defined, and then copy the Secret Name to TLSSecret
this field only work in backup/restore process