pingcap / tidb-operator

TiDB operator creates and manages TiDB clusters running in Kubernetes.
https://docs.pingcap.com/tidb-in-kubernetes/
Apache License 2.0

secretKey parameter for GCP backups on tidb cluster #2090

Closed vDMG closed 4 years ago

vDMG commented 4 years ago

Feature Request

Is your feature request related to a problem? Please describe:

At this moment, if I need to push TiDB backups to GCS, I need a secret with a service account referenced under the key credentials.json, like this:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: tidb-serviceaccount
  namespace: default
data:
  credentials.json: osdifhosdfhosdhfodshfofcovunrobnvifsnviqsfnvoqdofojqsfjsdijfosdijfosdijfosdjfojsdofjisqodjfqsodjfosdjfoisdjfqosjdfosdjfosdjfojsdofijsdoifjqsodjfoqsdjfilovetidb

regarding the actual backup-job spec.

https://github.com/pingcap/tidb-operator/blob/271cad3259fab5e26123a38888c90edcb7cdec10/charts/tidb-backup/templates/backup-job.yaml#L68

Describe the feature you'd like:

What do you think if we could use and specify our own key instead of a fixed and strict credentials.json, adding a secretKey parameter which would override, if present, the actual default value credentials.json?

I volunteer to make the PR if you think this can bring value to TiDB. 😄

Teachability, Documentation, Adoption, Migration Strategy:

We could have our own standard names for the secret key and prefer using google-key as secretKey instead of credentials.json.

Continue to do this awesome work guys 🎆

Be safe
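
The override requested above, sketched as a pre-flight check that can be run against a Secret manifest before a backup job uses it. This is an added example, not part of the original issue and not tidb-operator code. The `secret_key` argument, the function names and the sample service account are assumptions made for illustration.

```python
import base64
import json

DEFAULT_KEY = "credentials.json"  # key name the issue describes as fixed today
REQUIRED_FIELDS = ("type", "client_email", "private_key")


def resolve_gcp_credentials(secret, secret_key=None):
    """Return (key_name, client_email) for the Secret entry a backup job would read.

    secret     -- parsed v1 Secret manifest (dict)
    secret_key -- hypothetical override from the issue; None or "" uses DEFAULT_KEY
    """
    key = secret_key or DEFAULT_KEY
    data = secret.get("data") or {}
    if key not in data:
        # Report key names only, never the stored values.
        raise KeyError(f"no key {key!r} in secret; available: {sorted(data)}")
    try:
        doc = json.loads(base64.b64decode(data[key], validate=True))
    except ValueError:
        # Covers bad base64, bad UTF-8 and bad JSON; 'from None' drops the
        # chained exception so decoded content cannot end up in a traceback.
        raise ValueError(f"key {key!r} is not base64-encoded JSON") from None
    if not isinstance(doc, dict):
        raise ValueError(f"key {key!r} does not hold a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"key {key!r} is missing fields: {missing}")
    if doc["type"] != "service_account":
        raise ValueError(f"key {key!r} is not a service account key file")
    return key, doc["client_email"]


def constructed_secret(key_name, payload=None):
    """Build a sample Secret (constructed data, not a real credential)."""
    sa = {"type": "service_account",
          "client_email": "backup@example-project.iam.gserviceaccount.com",
          "private_key": "CONSTRUCTED-NOT-A-REAL-KEY"}
    raw = payload if payload is not None else json.dumps(sa).encode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "tidb-serviceaccount", "namespace": "default"},
            "data": {key_name: base64.b64encode(raw).decode()}}


if __name__ == "__main__":
    print(resolve_gcp_credentials(constructed_secret("credentials.json")))
    print(resolve_gcp_credentials(constructed_secret("google-key"), "google-key"))
```
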

gregwebs commented 4 years ago

GKE users should prefer the workload identity features.

DanielZhangQD commented 4 years ago

@vDMG Thanks for reporting this issue! Please make the PR for the request, thanks! BTW, you can try the feature that Greg mentioned above which is more secure on GKE.

github-actions[bot] commented 4 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days