pingcap · sre-bot · Mar 11, 2020 · Mar 3, 2020 · Mar 4, 2020 · Mar 5, 2020
diff --git a/images/tidb-backup-manager/Dockerfile b/images/tidb-backup-manager/Dockerfile
@@ -1,6 +1,5 @@
 FROM pingcap/tidb-enterprise-tools:latest
-
-ARG VERSION=v1.48.0
+ARG VERSION=v1.51.0
 RUN apk update && apk add ca-certificates
 
 RUN wget -nv https://github.com/ncw/rclone/releases/download/${VERSION}/rclone-${VERSION}-linux-amd64.zip \

diff --git a/manifests/backup/backup-aws-s3-br.yaml b/manifests/backup/backup-aws-s3-br.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: Backup
+metadata:
+  name: demo1-backup-s3
+  namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+  # backupType: full
+  # serviceAccount: myServiceAccount
+  br:
+    cluster: myCluster
+    # clusterNamespce: <backup-namespace>
+    # enableTLSClient: true
+    # logLevel: info
+    # statusAddr: <status-addr>
+    # concurrency: 4
+    # rateLimit: 0
+    # timeAgo: <time>
+    # checksum: true
+    # sendCredToTikv: true
+  from:
+    host: 172.30.6.56
+    secretName: mySecret
+    # port: 4000
+    # user: root
+  s3:
+    provider: aws
+    region: us-west-2
+    bucket: backup
+    prefix: test1-demo1
+    # secretName: aws-secret
diff --git a/manifests/backup/backup-s3-br.yaml b/manifests/backup/backup-s3-br.yaml
@@ -4,20 +4,27 @@ kind: Backup
 metadata:
   name: demo1-backup-s3
   namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
-  #backupType: full
+  # backupType: full
+  # serviceAccount: myServiceAccount
   br:
-    pd: 10.233.40.168:2379
-    # ca: <ca>
-    # cert: <cert>
-    # key: <key>
+    cluster: myCluster
+    # clusterNamespce: <backup-namespace>
+    # enableTLSClient: true
     # logLevel: info
     # statusAddr: <status-addr>
     # concurrency: 4
     # rateLimit: 0
     # timeAgo: <time>
     # checksum: true
     # sendCredToTikv: true
+  from:
+    host: 172.30.6.56
+    secretName: mySecret
+    # port: 4000
+    # user: root
   s3:
     provider: ceph
     endpoint: http://10.233.57.220

diff --git a/manifests/backup/backup-schedule-aws-s3-br.yaml b/manifests/backup/backup-schedule-aws-s3-br.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: BackupSchedule
+metadata:
+  name: demo1-backup-schedule-s3
+  namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+  #maxBackups: 5
+  #pause: true
+  maxReservedTime: "3h"
+  schedule: "*/2 * * * *"
+  backupTemplate:
+    #backupType: full
+    # serviceAccount: myServiceAccount
+    br:
+      cluster: myCluster
+      # clusterNamespce: backupNamespace
+      # enableTLSClient:  true
+      # logLevel: info
+      # statusAddr: <status-addr>
+      # concurrency: 4
+      # rateLimit: 0
+      # timeAgo: <time>
+      # checksum: true
+      # sendCredToTikv: true
+    from:
+      host:         172.30.6.56
+      secretName:   mysecret
+      # port:         4000
+      # user:         root
+    s3:
+      provider: aws
+      region: us-west-2
+      bucket: backup
+      prefix: test1-demo1
+      # secretName: aws-secret
diff --git a/manifests/backup/backup-schedule-s3-br.yaml b/manifests/backup/backup-schedule-s3-br.yaml
@@ -4,25 +4,32 @@ kind: BackupSchedule
 metadata:
   name: demo1-backup-schedule-s3
   namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
   #maxBackups: 5
   #pause: true
   maxReservedTime: "3h"
   schedule: "*/2 * * * *"
   backupTemplate:
     #backupType: full
+    # serviceAccount: myServiceAccount
     br:
-      pd: 10.233.40.168:2379
-      # ca: <ca>
-      # cert: <cert>
-      # key: <key>
+      cluster: myCluster
+      # clusterNamespce: backupNamespace
+      # enableTLSClient:  true
       # logLevel: info
       # statusAddr: <status-addr>
       # concurrency: 4
       # rateLimit: 0
       # timeAgo: <time>
       # checksum: true
       # sendCredToTikv: true
+    from:
+      host:         172.30.6.56
+      secretName:   mysecret
+      # port:         4000
+      # user:         root
     s3:
       provider: ceph
       endpoint: http://10.233.57.220

diff --git a/manifests/backup/restore-aws-s3-br.yaml b/manifests/backup/restore-aws-s3-br.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: pingcap.com/v1alpha1
+kind: Restore
+metadata:
+  name: demo1-restore-s3-br
+  namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
+spec:
+  # backupType: full
+  # serviceAccount: myServiceAccount
+  br:
+    cluster: myCluster
+    # clusterNamespce: <restore-namespace>
+    # enableTLSClient: true
+    # db: <db-name>
+    # table: <table-name>
+    # logLevel: info
+    # statusAddr: <status-addr>
+    # concurrency: 4
+    # rateLimit: 0
+    # timeAgo: <time>
+    # checksum: true
+    # sendCredToTikv: true
+  to:
+    host: 172.30.6.56
+    secretName: mySecret
+    # port: 4000
+    # user: root
+  s3:
+    provider: aws
+    region: us-west-2
+    bucket: backup
+    prefix: test1-demo1
+    # secretName: aws-secret
diff --git a/manifests/backup/restore-s3-br.yaml b/manifests/backup/restore-s3-br.yaml
@@ -4,22 +4,29 @@ kind: Restore
 metadata:
   name: demo1-restore-s3-br
   namespace: test1
+  # annotations:
+    # iam.amazonaws.com/role: "arn:aws:iam::123456789:role"
 spec:
   # backupType: full
+  # serviceAccount: myServiceAccount
   br:
-    pd: 10.233.40.168:2379
+    cluster: myCluster
+    # clusterNamespce: <restore-namespace>
+    # enableTLSClient: true
     # db: <db-name>
     # table: <table-name>
-    # ca: <ca>
-    # cert: <cert>
-    # key: <key>
     # logLevel: info
     # statusAddr: <status-addr>
     # concurrency: 4
     # rateLimit: 0
     # timeAgo: <time>
     # checksum: true
     # sendCredToTikv: true
+  to:
+    host: 172.30.6.56
+    secretName: mySecret
+    # port: 4000
+    # user: root
   s3:
     provider: ceph
     endpoint: http://10.233.57.220

diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -6899,8 +6899,10 @@ spec:
                   type: string
               required:
               - provider
-              - secretName
               type: object
+            serviceAccount:
+              description: Specify service account of backup
+              type: string
             storageClassName:
               description: The storageClassName of the persistent volume for Backup
                 data storage. Defaults to Kubernetes default storage class.
@@ -7715,8 +7717,10 @@ spec:
                   type: string
               required:
               - provider
-              - secretName
               type: object
+            serviceAccount:
+              description: Specify service account of restore
+              type: string
             storageClassName:
               description: The storageClassName of the persistent volume for Restore
                 data storage. Defaults to Kubernetes default storage class.
@@ -8620,8 +8624,10 @@ spec:
                       type: string
                   required:
                   - provider
-                  - secretName
                   type: object
+                serviceAccount:
+                  description: Specify service account of backup
+                  type: string
                 storageClassName:
                   description: The storageClassName of the persistent volume for Backup
                     data storage. Defaults to Kubernetes default storage class.

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
@@ -696,7 +696,7 @@ type S3StorageProvider struct {
 	Acl string `json:"acl,omitempty"`
 	// SecretName is the name of secret which stores
 	// S3 compliant storage access key and secret key.
-	SecretName string `json:"secretName"`
+	SecretName string `json:"secretName,omitempty"`
 	// Prefix for the keys.
 	Prefix string `json:"prefix,omitempty"`
 	// SSE Sever-Side Encryption.
@@ -781,6 +781,8 @@ type BackupSpec struct {
 	// Affinity of backup Pods
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// Specify service account of backup
+	ServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // +k8s:openapi-gen=true
@@ -999,6 +1001,8 @@ type RestoreSpec struct {
 	// Affinity of restore Pods
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// Specify service account of restore
+	ServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // RestoreStatus represents the current status of a tidb cluster restore.

diff --git a/pkg/backup/backup/backup_cleaner.go b/pkg/backup/backup/backup_cleaner.go
@@ -123,14 +123,19 @@ func (bc *backupCleaner) makeCleanJob(backup *v1alpha1.Backup) (*batchv1.Job, st
 		fmt.Sprintf("--backupName=%s", name),
 	}
 
+	serviceAccount := constants.DefaultServiceAccountName
+	if backup.Spec.ServiceAccount != "" {
+		serviceAccount = backup.Spec.ServiceAccount
+	}
 	backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).CleanJob().Backup(name)
 
 	podSpec := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
-			Labels: backupLabel.Labels(),
+			Labels:      backupLabel.Labels(),
+			Annotations: backup.Annotations,
 		},
 		Spec: corev1.PodSpec{
-			ServiceAccountName: constants.DefaultServiceAccountName,
+			ServiceAccountName: serviceAccount,
 			Containers: []corev1.Container{
 				{
 					Name:            label.BackupJobLabelVal,

diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
@@ -172,7 +172,6 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
 	if err != nil {
 		return nil, reason, fmt.Errorf("backup %s/%s, %v", ns, name, err)
 	}
-
 	envVars = append(envVars, storageEnv...)
 	// TODO: make pvc request storage size configurable
 	reason, err = bm.ensureBackupPVCExist(backup)
@@ -193,14 +192,19 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
 		fmt.Sprintf("--storageType=%s", backuputil.GetStorageType(backup.Spec.StorageProvider)),
 	}
 
+	serviceAccount := constants.DefaultServiceAccountName
+	if backup.Spec.ServiceAccount != "" {
+		serviceAccount = backup.Spec.ServiceAccount
+	}
 	backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).BackupJob().Backup(name)
 	// TODO: need add ResourceRequirement for backup job
 	podSpec := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
-			Labels: backupLabel.Labels(),
+			Labels:      backupLabel.Labels(),
+			Annotations: backup.Annotations,
 		},
 		Spec: corev1.PodSpec{
-			ServiceAccountName: constants.DefaultServiceAccountName,
+			ServiceAccountName: serviceAccount,
 			Containers: []corev1.Container{
 				{
 					Name:            label.BackupJobLabelVal,
@@ -285,12 +289,17 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
 		})
 	}
 
+	serviceAccount := constants.DefaultServiceAccountName
+	if backup.Spec.ServiceAccount != "" {
+		serviceAccount = backup.Spec.ServiceAccount
+	}
 	podSpec := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
-			Labels: backupLabel.Labels(),
+			Labels:      backupLabel.Labels(),
+			Annotations: backup.Annotations,
 		},
 		Spec: corev1.PodSpec{
-			ServiceAccountName: constants.DefaultServiceAccountName,
+			ServiceAccountName: serviceAccount,
 			Containers: []corev1.Container{
 				{
 					Name:            label.BackupJobLabelVal,