tidb-operator

Store DM source config in k8s secret

Open tirsen opened this issue 4 years ago • 1 comments

Feature Request

Passwords are currently configured using encryption with a hard-coded secret key. This is not a good idea.

Instead it would be better if we can store the passwords as a k8s secret. Maybe we can store the entire source db config as a k8s secret?

Something like this:

```yaml
# MySQL1 Configuration.

source-id: "mysql-replica-01"

# Indicates whether GTID is enabled
enable-gtid: true

from:
  k8s-secret: "mysql-replica-01"
```

Not sure if this is the best design... We should discuss alternatives. :-) In particular it would be good to avoid having dm-master/dm-worker explicitly call out the kubeapi. Maybe this should instead be a feature of the tidb-operator so that we have a DMSource CRD where this can be configured?

tirsen, Feb 22 '21 15:02

@tirsen Starting from DM v2.0.1, the get-config subcommand is supported for retrieving the source and task configuration; you can refer to the doc. In this case, there is no need to keep the original yaml files of the sources and tasks, and it should be acceptable to use the encryption with a hardcoded secret key, right?

DanielZhangQD, Feb 24 '21 12:02
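
An added sketch, not part of the thread and not tidb-operator or DM code: one way the `k8s-secret` reference proposed above could be resolved without dm-master/dm-worker calling the Kubernetes API, by rendering the source config from a Secret mounted as a volume (for example in an init container). The mount layout, the key names `host`/`port`/`user`/`password`, the function names and the sample values are assumptions.

```python
import json, os, re, tempfile
from pathlib import Path

# Assumed layout: each Secret is mounted as <root>/<secret-name>/<key> files.
FIELDS = ("host", "port", "user", "password")
# Name must look like a Kubernetes object name, which also rules out "../".
REF = re.compile(r'^from:[ \t]*\n[ \t]+k8s-secret:[ \t]*"?'
                 r'([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)"?[ \t]*$', re.M)

def render_source_config(template, secrets_root):
    """Swap the `from: k8s-secret:` reference for a concrete `from:` block."""
    m = REF.search(template)
    if m is None:
        raise ValueError("no valid k8s-secret reference in source config")
    block = ["from:"]
    for key in FIELDS:
        path = Path(secrets_root, m.group(1), key)
        if not path.is_file():
            raise FileNotFoundError(f"secret {m.group(1)!r} has no key {key!r}")
        value = path.read_text().rstrip("\n")
        # A JSON string is a valid YAML double-quoted scalar, so ':', '#'
        # and '"' inside a password cannot change the document structure.
        block.append(f"  {key}: {int(value) if key == 'port' else json.dumps(value)}")
    return template[:m.start()] + "\n".join(block) + template[m.end():]

def write_private(path, text):
    """Create the rendered file readable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

# Constructed sample: the config sketched in the issue and made-up secret values.
TEMPLATE = ('source-id: "mysql-replica-01"\n'
            'enable-gtid: true\n'
            'from:\n'
            '  k8s-secret: "mysql-replica-01"\n')
SAMPLE = {"host": "mysql-1.example.internal", "port": "3306",
          "user": "dm", "password": 'p@ss: "#1'}

def demo():
    with tempfile.TemporaryDirectory() as root:
        secret_dir = Path(root, "mysql-replica-01")
        secret_dir.mkdir()
        for key, value in SAMPLE.items():
            (secret_dir / key).write_text(value)
        out = Path(root, "source.yaml")
        write_private(out, render_source_config(TEMPLATE, root))
        return out.read_text()

if __name__ == "__main__":
    print(demo())
```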