pingcap · shuijing198799 · Mar 4, 2020 · Feb 28, 2020 · Mar 2, 2020 · Mar 2, 2020
diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"io"
 	"os/exec"
+	"path"
 
 	"github.com/gogo/protobuf/proto"
 	"k8s.io/klog"
@@ -26,6 +27,7 @@ import (
 	"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
 	"github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
 )
 
 // Options contains the input arguments to the backup command
@@ -39,10 +41,21 @@ func (bo *Options) String() string {
 }
 
 func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
-	args, path, err := constructOptions(backup)
+	clusterNamespace := backup.Spec.BR.ClusterNamespace
+	if backup.Spec.BR.ClusterNamespace == "" {
+		clusterNamespace = backup.Namespace
+	}
+	args, remotePath, err := constructOptions(backup)
 	if err != nil {
 		return "", err
 	}
+	args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
+	if backup.Spec.BR.EnableTLSClient {
+		args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
+		args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
+		args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+	}
+
 	var btype string
 	if backup.Spec.Type == "" {
 		btype = string(v1alpha1.BackupTypeFull)
@@ -57,10 +70,10 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
 	klog.Infof("Running br command with args: %v", fullArgs)
 	output, err := exec.Command("br", fullArgs...).CombinedOutput()
 	if err != nil {
-		return path, fmt.Errorf("cluster %s, execute br command %v failed, output: %s, err: %v", bo, fullArgs, string(output), err)
+		return remotePath, fmt.Errorf("cluster %s, execute br command %v failed, output: %s, err: %v", bo, fullArgs, string(output), err)
 	}
 	klog.Infof("Backup data for cluster %s successfully, output: %s", bo, string(output))
-	return path, nil
+	return remotePath, nil
 }
 
 // getCommitTs get backup position from `EndVersion` in BR backup meta
@@ -94,9 +107,9 @@ func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {
 
 // constructOptions constructs options for BR and also return the remote path
 func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
-	args, path, err := util.ConstructBRGlobalOptionsForBackup(backup)
+	args, remotePath, err := util.ConstructBRGlobalOptionsForBackup(backup)
 	if err != nil {
-		return args, path, err
+		return args, remotePath, err
 	}
 	config := backup.Spec.BR
 	if config.Concurrency != nil {
@@ -111,7 +124,7 @@ func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
 	if config.Checksum != nil {
 		args = append(args, fmt.Sprintf("--checksum=%t", *config.Checksum))
 	}
-	return args, path, nil
+	return args, remotePath, nil
 }
 
 // getBackupSize get the backup data size from remote

diff --git a/cmd/backup-manager/app/constants/constants.go b/cmd/backup-manager/app/constants/constants.go
@@ -56,4 +56,10 @@ const (
 
 	// MetaFile is the file name for meta data of backup with BR
 	MetaFile = "backupmeta"
+
+	// BR certificate storage path
+	BRCertPath = "/var/lib/br-tls"
+
+	// ServiceAccountCAPath is where is CABundle of serviceaccount locates
+	ServiceAccountCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 )
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
@@ -16,11 +16,14 @@ package restore
 import (
 	"fmt"
 	"os/exec"
+	"path"
 
 	"k8s.io/klog"
 
+	"github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
 	"github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
 	"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
 )
 
 type Options struct {
@@ -33,10 +36,21 @@ func (ro *Options) String() string {
 }
 
 func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
+	clusterNamespace := restore.Spec.BR.ClusterNamespace
+	if restore.Spec.BR.ClusterNamespace == "" {
+		clusterNamespace = restore.Namespace
+	}
 	args, err := constructBROptions(restore)
 	if err != nil {
 		return err
 	}
+	args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
+	if restore.Spec.BR.EnableTLSClient {
+		args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
+		args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
+		args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+	}
+
 	var restoreType string
 	if restore.Spec.Type == "" {
 		restoreType = string(v1alpha1.BackupTypeFull)

diff --git a/cmd/backup-manager/app/util/util.go b/cmd/backup-manager/app/util/util.go
@@ -119,7 +119,7 @@ func ConstructBRGlobalOptionsForBackup(backup *v1alpha1.Backup) ([]string, strin
 		return nil, "", fmt.Errorf("no config for br in backup %s/%s", backup.Namespace, backup.Name)
 	}
 	args = append(args, constructBRGlobalOptions(config)...)
-	storageArgs, path, err := getRemoteStorage(backup.Spec.StorageProvider)
+	storageArgs, remotePath, err := getRemoteStorage(backup.Spec.StorageProvider)
 	if err != nil {
 		return nil, "", err
 	}
@@ -130,7 +130,7 @@ func ConstructBRGlobalOptionsForBackup(backup *v1alpha1.Backup) ([]string, strin
 	if backup.Spec.Type == v1alpha1.BackupTypeTable && config.Table != "" {
 		args = append(args, fmt.Sprintf("--table=%s", config.Table))
 	}
-	return args, path, nil
+	return args, remotePath, nil
 }
 
 // ConstructBRGlobalOptionsForRestore constructs BR global options for restore.
@@ -158,16 +158,6 @@ func ConstructBRGlobalOptionsForRestore(restore *v1alpha1.Restore) ([]string, er
 // constructBRGlobalOptions constructs BR basic global options.
 func constructBRGlobalOptions(config *v1alpha1.BRConfig) []string {
 	var args []string
-	args = append(args, fmt.Sprintf("--pd=%s", config.PDAddress))
-	if config.CA != "" {
-		args = append(args, fmt.Sprintf("--ca=%s", config.CA))
-	}
-	if config.Cert != "" {
-		args = append(args, fmt.Sprintf("--cert=%s", config.Cert))
-	}
-	if config.Key != "" {
-		args = append(args, fmt.Sprintf("--key=%s", config.Key))
-	}
 	if config.LogLevel != "" {
 		args = append(args, fmt.Sprintf("--log-level=%s", config.LogLevel))
 	}

diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -6745,15 +6745,15 @@ spec:
             br:
               description: BRConfig contains config for BR
               properties:
-                ca:
-                  description: CA is the CA certificate path for TLS connection
-                  type: string
-                cert:
-                  description: Cert is the certificate path for TLS connection
-                  type: string
                 checksum:
                   description: Checksum specifies whether to run checksum after backup
                   type: boolean
+                cluster:
+                  description: ClusterName of backup cluster
+                  type: string
+                clusterNamespace:
+                  description: Namespace of backup/restore cluster
+                  type: string
                 concurrency:
                   description: Concurrency is the size of thread pool on each node
                     that execute the backup task
@@ -6762,18 +6762,15 @@ spec:
                 db:
                   description: DB is the specific DB which will be backed-up or restored
                   type: string
-                key:
-                  description: Key is the private key path for TLS connection
-                  type: string
+                enableTLSClient:
+                  description: Whether enable TLS in TiDBCluster
+                  type: boolean
                 logLevel:
                   description: LogLevel is the log level
                   type: string
                 onLine:
                   description: OnLine specifies whether online during restore
                   type: boolean
-                pd:
-                  description: PDAddress is the PD address of the tidb cluster
-                  type: string
                 rateLimit:
                   description: RateLimit is the rate limit of the backup task, MB/s
                     per node
@@ -6795,8 +6792,6 @@ spec:
                   description: TimeAgo is the history version of the backup task,
                     e.g. 1m, 1h
                   type: string
-              required:
-              - pd
               type: object
             from:
               description: TiDBAccessConfig defines the configuration for access tidb
@@ -7581,15 +7576,15 @@ spec:
             br:
               description: BRConfig contains config for BR
               properties:
-                ca:
-                  description: CA is the CA certificate path for TLS connection
-                  type: string
-                cert:
-                  description: Cert is the certificate path for TLS connection
-                  type: string
                 checksum:
                   description: Checksum specifies whether to run checksum after backup
                   type: boolean
+                cluster:
+                  description: ClusterName of backup cluster
+                  type: string
+                clusterNamespace:
+                  description: Namespace of backup/restore cluster
+                  type: string
                 concurrency:
                   description: Concurrency is the size of thread pool on each node
                     that execute the backup task
@@ -7598,18 +7593,15 @@ spec:
                 db:
                   description: DB is the specific DB which will be backed-up or restored
                   type: string
-                key:
-                  description: Key is the private key path for TLS connection
-                  type: string
+                enableTLSClient:
+                  description: Whether enable TLS in TiDBCluster
+                  type: boolean
                 logLevel:
                   description: LogLevel is the log level
                   type: string
                 onLine:
                   description: OnLine specifies whether online during restore
                   type: boolean
-                pd:
-                  description: PDAddress is the PD address of the tidb cluster
-                  type: string
                 rateLimit:
                   description: RateLimit is the rate limit of the backup task, MB/s
                     per node
@@ -7631,8 +7623,6 @@ spec:
                   description: TimeAgo is the history version of the backup task,
                     e.g. 1m, 1h
                   type: string
-              required:
-              - pd
               type: object
             gcs:
               description: GcsStorageProvider represents the google cloud storage
@@ -8458,16 +8448,16 @@ spec:
                 br:
                   description: BRConfig contains config for BR
                   properties:
-                    ca:
-                      description: CA is the CA certificate path for TLS connection
-                      type: string
-                    cert:
-                      description: Cert is the certificate path for TLS connection
-                      type: string
                     checksum:
                       description: Checksum specifies whether to run checksum after
                         backup
                       type: boolean
+                    cluster:
+                      description: ClusterName of backup cluster
+                      type: string
+                    clusterNamespace:
+                      description: Namespace of backup/restore cluster
+                      type: string
                     concurrency:
                       description: Concurrency is the size of thread pool on each
                         node that execute the backup task
@@ -8477,18 +8467,15 @@ spec:
                       description: DB is the specific DB which will be backed-up or
                         restored
                       type: string
-                    key:
-                      description: Key is the private key path for TLS connection
-                      type: string
+                    enableTLSClient:
+                      description: Whether enable TLS in TiDBCluster
+                      type: boolean
                     logLevel:
                       description: LogLevel is the log level
                       type: string
                     onLine:
                       description: OnLine specifies whether online during restore
                       type: boolean
-                    pd:
-                      description: PDAddress is the PD address of the tidb cluster
-                      type: string
                     rateLimit:
                       description: RateLimit is the rate limit of the backup task,
                         MB/s per node
@@ -8510,8 +8497,6 @@ spec:
                       description: TimeAgo is the history version of the backup task,
                         e.g. 1m, 1h
                       type: string
-                  required:
-                  - pd
                   type: object
                 from:
                   description: TiDBAccessConfig defines the configuration for access

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go