
Backup: support TLS for br component (#1836)
* backup: add TLS to backup br
shuijing198799 authored Mar 4, 2020
1 parent 1a18bdc commit 7360679
Showing 12 changed files with 139 additions and 91 deletions.
25 changes: 19 additions & 6 deletions cmd/backup-manager/app/backup/backup.go
Expand Up @@ -18,12 +18,14 @@ import (
"fmt"
"io"
"os/exec"
"path"

"github.com/gogo/protobuf/proto"
kvbackup "github.com/pingcap/kvproto/pkg/backup"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
corev1 "k8s.io/api/core/v1"
"k8s.io/klog"
)

Expand All @@ -33,10 +35,21 @@ type Options struct {
}

func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
args, path, err := constructOptions(backup)
clusterNamespace := backup.Spec.BR.ClusterNamespace
if backup.Spec.BR.ClusterNamespace == "" {
clusterNamespace = backup.Namespace
}
args, remotePath, err := constructOptions(backup)
if err != nil {
return "", err
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
if backup.Spec.BR.EnableTLSClient {
args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
}

var btype string
if backup.Spec.Type == "" {
btype = string(v1alpha1.BackupTypeFull)
Expand All @@ -51,10 +64,10 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
klog.Infof("Running br command with args: %v", fullArgs)
output, err := exec.Command("br", fullArgs...).CombinedOutput()
if err != nil {
return path, fmt.Errorf("cluster %s, execute br command %v failed, output: %s, err: %v", bo, fullArgs, string(output), err)
return remotePath, fmt.Errorf("cluster %s, execute br command %v failed, output: %s, err: %v", bo, fullArgs, string(output), err)
}
klog.Infof("Backup data for cluster %s successfully, output: %s", bo, string(output))
return path, nil
return remotePath, nil
}

// getCommitTs get backup position from `EndVersion` in BR backup meta
Expand Down Expand Up @@ -88,9 +101,9 @@ func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {

// constructOptions constructs options for BR and also return the remote path
func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
args, path, err := util.ConstructBRGlobalOptionsForBackup(backup)
args, remotePath, err := util.ConstructBRGlobalOptionsForBackup(backup)
if err != nil {
return args, path, err
return args, remotePath, err
}
config := backup.Spec.BR
if config.Concurrency != nil {
Expand All @@ -105,7 +118,7 @@ func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
if config.Checksum != nil {
args = append(args, fmt.Sprintf("--checksum=%t", *config.Checksum))
}
return args, path, nil
return args, remotePath, nil
}

// getBackupSize get the backup data size from remote
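Review bot: The new lines at the top of backupData read `backup.Spec.BR.ClusterNamespace` before constructOptions runs, yet the `no config for br` guard that rejects a Backup without a br section lives downstream in util.ConstructBRGlobalOptionsForBackup; if Spec.BR is a pointer, as that guard and the `*v1alpha1.BRConfig` parameter in util.go suggest, such a Backup now panics here instead of returning that error. Moving the namespace lookup below the error check keeps the guard in front: `args, remotePath, err := constructOptions(backup)` / `if err != nil { return "", err }` / `clusterNamespace := backup.Spec.BR.ClusterNamespace` followed by the existing empty-string default. The same ordering appears in restoreData in restore.go. Separately, `--ca` hands BR the service-account CA bundle, which presumably verifies the PD server certificate only when the cluster's certificates chain to the Kubernetes cluster CA; if they are issued by another CA the connection fails closed, so that assumption deserves a comment next to the flag, or the CA should be read from the mounted BR TLS secret alongside tls.crt and tls.key.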
6 changes: 6 additions & 0 deletions cmd/backup-manager/app/constants/constants.go
Expand Up @@ -56,4 +56,10 @@ const (

// MetaFile is the file name for meta data of backup with BR
MetaFile = "backupmeta"

// BR certificate storage path
BRCertPath = "/var/lib/br-tls"

// ServiceAccountCAPath is where is CABundle of serviceaccount locates
ServiceAccountCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)
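Review bot: The comment on BRCertPath does not start with the constant's name and the one on ServiceAccountCAPath is hard to read, and neither states what the path is expected to hold; backup.go resolves `tls.crt` and `tls.key` (corev1.TLSCertKey / TLSPrivateKeyKey) under BRCertPath, so that mount contract belongs here. Suggested: `// BRCertPath is the directory where the BR TLS client secret is mounted; the secret must carry tls.crt and tls.key.` and `// ServiceAccountCAPath is the CA bundle Kubernetes injects for the pod's service account; it is passed to BR as --ca.`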
14 changes: 14 additions & 0 deletions cmd/backup-manager/app/restore/restore.go
Expand Up @@ -16,9 +16,12 @@ package restore
import (
"fmt"
"os/exec"
"path"

"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
"github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
corev1 "k8s.io/api/core/v1"
"k8s.io/klog"
)

Expand All @@ -27,10 +30,21 @@ type Options struct {
}

func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
clusterNamespace := restore.Spec.BR.ClusterNamespace
if restore.Spec.BR.ClusterNamespace == "" {
clusterNamespace = restore.Namespace
}
args, err := constructBROptions(restore)
if err != nil {
return err
}
args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
if restore.Spec.BR.EnableTLSClient {
args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
}

var restoreType string
if restore.Spec.Type == "" {
restoreType = string(v1alpha1.BackupTypeFull)
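Review bot: The --pd/--ca/--cert/--key assembly added to restoreData is a line-for-line copy of the block added to backupData in backup.go, including the cluster-namespace default and the hard-coded `-pd.` service name and `:2379` port, so the two will drift the next time a flag or path changes. A helper in the util package that takes the BRConfig and the object's namespace, called from both sites after their respective constructOptions error checks, keeps this in one place and also avoids dereferencing Spec.BR before the nil guard in util runs. restoreData's body continues past the end of the hunk.
```go
// ConstructBRClusterOptions returns the --pd flag and, when TLS is enabled,
// the --ca/--cert/--key flags for the cluster named in config.
// defaultNamespace is used when config.ClusterNamespace is empty.
func ConstructBRClusterOptions(config *v1alpha1.BRConfig, defaultNamespace string) []string {
	ns := config.ClusterNamespace
	if ns == "" {
		ns = defaultNamespace
	}
	args := []string{fmt.Sprintf("--pd=%s-pd.%s:2379", config.Cluster, ns)}
	if config.EnableTLSClient {
		args = append(args,
			fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath),
			fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)),
			fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
	}
	return args
}

// call site in restoreData, after the constructBROptions error check:
args = append(args, util.ConstructBRClusterOptions(restore.Spec.BR, restore.Namespace)...)
// … unchanged: restoreType selection and br invocation …
```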
14 changes: 2 additions & 12 deletions cmd/backup-manager/app/util/util.go
Expand Up @@ -112,7 +112,7 @@ func ConstructBRGlobalOptionsForBackup(backup *v1alpha1.Backup) ([]string, strin
return nil, "", fmt.Errorf("no config for br in backup %s/%s", backup.Namespace, backup.Name)
}
args = append(args, constructBRGlobalOptions(config)...)
storageArgs, path, err := getRemoteStorage(backup.Spec.StorageProvider)
storageArgs, remotePath, err := getRemoteStorage(backup.Spec.StorageProvider)
if err != nil {
return nil, "", err
}
Expand All @@ -123,7 +123,7 @@ func ConstructBRGlobalOptionsForBackup(backup *v1alpha1.Backup) ([]string, strin
if backup.Spec.Type == v1alpha1.BackupTypeTable && config.Table != "" {
args = append(args, fmt.Sprintf("--table=%s", config.Table))
}
return args, path, nil
return args, remotePath, nil
}

// ConstructBRGlobalOptionsForRestore constructs BR global options for restore.
Expand Down Expand Up @@ -151,16 +151,6 @@ func ConstructBRGlobalOptionsForRestore(restore *v1alpha1.Restore) ([]string, er
// constructBRGlobalOptions constructs BR basic global options.
func constructBRGlobalOptions(config *v1alpha1.BRConfig) []string {
var args []string
args = append(args, fmt.Sprintf("--pd=%s", config.PDAddress))
if config.CA != "" {
args = append(args, fmt.Sprintf("--ca=%s", config.CA))
}
if config.Cert != "" {
args = append(args, fmt.Sprintf("--cert=%s", config.Cert))
}
if config.Key != "" {
args = append(args, fmt.Sprintf("--key=%s", config.Key))
}
if config.LogLevel != "" {
args = append(args, fmt.Sprintf("--log-level=%s", config.LogLevel))
}
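Review bot: After the removal of the --pd and --ca/--cert/--key lines, constructBRGlobalOptions' doc comment ("constructs BR basic global options") no longer tells a reader that the PD endpoint and TLS flags are now the caller's responsibility, which is easy to miss since both callers live in other packages. Suggested: `// constructBRGlobalOptions constructs BR basic global options (log level, storage, etc.); the --pd endpoint and TLS flags are appended by the backup/restore callers.` The function's body continues past the end of the hunk.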
69 changes: 30 additions & 39 deletions manifests/crd.yaml
Expand Up @@ -6745,15 +6745,15 @@ spec:
br:
description: BRConfig contains config for BR
properties:
ca:
description: CA is the CA certificate path for TLS connection
type: string
cert:
description: Cert is the certificate path for TLS connection
type: string
checksum:
description: Checksum specifies whether to run checksum after backup
type: boolean
cluster:
description: ClusterName of backup/restore cluster
type: string
clusterNamespace:
description: Namespace of backup/restore cluster
type: string
concurrency:
description: Concurrency is the size of thread pool on each node
that execute the backup task
Expand All @@ -6762,18 +6762,15 @@ spec:
db:
description: DB is the specific DB which will be backed-up or restored
type: string
key:
description: Key is the private key path for TLS connection
type: string
enableTLSClient:
description: Whether enable TLS in TiDBCluster
type: boolean
logLevel:
description: LogLevel is the log level
type: string
onLine:
description: OnLine specifies whether online during restore
type: boolean
pd:
description: PDAddress is the PD address of the tidb cluster
type: string
rateLimit:
description: RateLimit is the rate limit of the backup task, MB/s
per node
Expand All @@ -6796,7 +6793,7 @@ spec:
e.g. 1m, 1h
type: string
required:
- pd
- cluster
type: object
from:
description: TiDBAccessConfig defines the configuration for access tidb
Expand Down Expand Up @@ -7587,15 +7584,15 @@ spec:
br:
description: BRConfig contains config for BR
properties:
ca:
description: CA is the CA certificate path for TLS connection
type: string
cert:
description: Cert is the certificate path for TLS connection
type: string
checksum:
description: Checksum specifies whether to run checksum after backup
type: boolean
cluster:
description: ClusterName of backup/restore cluster
type: string
clusterNamespace:
description: Namespace of backup/restore cluster
type: string
concurrency:
description: Concurrency is the size of thread pool on each node
that execute the backup task
Expand All @@ -7604,18 +7601,15 @@ spec:
db:
description: DB is the specific DB which will be backed-up or restored
type: string
key:
description: Key is the private key path for TLS connection
type: string
enableTLSClient:
description: Whether enable TLS in TiDBCluster
type: boolean
logLevel:
description: LogLevel is the log level
type: string
onLine:
description: OnLine specifies whether online during restore
type: boolean
pd:
description: PDAddress is the PD address of the tidb cluster
type: string
rateLimit:
description: RateLimit is the rate limit of the backup task, MB/s
per node
Expand All @@ -7638,7 +7632,7 @@ spec:
e.g. 1m, 1h
type: string
required:
- pd
- cluster
type: object
gcs:
description: GcsStorageProvider represents the google cloud storage
Expand Down Expand Up @@ -8470,16 +8464,16 @@ spec:
br:
description: BRConfig contains config for BR
properties:
ca:
description: CA is the CA certificate path for TLS connection
type: string
cert:
description: Cert is the certificate path for TLS connection
type: string
checksum:
description: Checksum specifies whether to run checksum after
backup
type: boolean
cluster:
description: ClusterName of backup/restore cluster
type: string
clusterNamespace:
description: Namespace of backup/restore cluster
type: string
concurrency:
description: Concurrency is the size of thread pool on each
node that execute the backup task
Expand All @@ -8489,18 +8483,15 @@ spec:
description: DB is the specific DB which will be backed-up or
restored
type: string
key:
description: Key is the private key path for TLS connection
type: string
enableTLSClient:
description: Whether enable TLS in TiDBCluster
type: boolean
logLevel:
description: LogLevel is the log level
type: string
onLine:
description: OnLine specifies whether online during restore
type: boolean
pd:
description: PDAddress is the PD address of the tidb cluster
type: string
rateLimit:
description: RateLimit is the rate limit of the backup task,
MB/s per node
Expand All @@ -8523,7 +8514,7 @@ spec:
e.g. 1m, 1h
type: string
required:
- pd
- cluster
type: object
from:
description: TiDBAccessConfig defines the configuration for access
31 changes: 12 additions & 19 deletions pkg/apis/pingcap/v1alpha1/openapi_generated.go


