Restore Data from GCS Using BR

This document describes how to restore the TiDB cluster data backed up using TiDB Operator in Kubernetes. BR is used to perform the restore.

The restore method described in this document is implemented based on Custom Resource Definition (CRD) in TiDB Operator v1.1 or later versions.

This document shows an example in which the backup data stored in the specified path on Google Cloud Storage (GCS) is restored to the TiDB cluster.

Required database account privileges

  • The SELECT and UPDATE privileges of the mysql.tidb table: Before and after the restoration, the Restore CR needs a database account with these privileges to adjust the GC time.


  1. Download backup-rbac.yaml, and execute the following command to create the role-based access control (RBAC) resources in the test2 namespace:

    kubectl apply -f backup-rbac.yaml -n test2
  2. Create the gcs-secret secret which stores the credential used to access the GCS:

    kubectl create secret generic gcs-secret --from-file=credentials=./google-credentials.json -n test2

    The google-credentials.json file stores the service account key that you download from the GCP console. Refer to GCP Documentation for details.

  3. Create the restore-demo2-tidb-secret secret which stores the root account and password needed to access the TiDB cluster:

    kubectl create secret generic restore-demo2-tidb-secret --from-literal=user=root --from-literal=password=<password> --namespace=test2

Process of restore

  1. Create the Restore custom resource (CR), and restore the specified data to your cluster:

    kubectl apply -f restore.yaml

    The content of the restore.yaml file is as follows:

    apiVersion: pingcap.com/v1alpha1
    kind: Restore
    metadata:
      name: demo2-restore-gcs
      namespace: test2
    spec:
      # backupType: full
      br:
        cluster: demo2
        clusterNamespace: test2
        # logLevel: info
        # statusAddr: ${status-addr}
        # concurrency: 4
        # rateLimit: 0
        # checksum: true
        # sendCredToTikv: true
      to:
        host: ${tidb_host}
        port: ${tidb_port}
        user: ${tidb_user}
        secretName: restore-demo2-tidb-secret
      gcs:
        projectId: ${project-id}
        secretName: gcs-secret
        bucket: ${bucket}
        prefix: ${prefix}
        # location: us-east1
        # storageClass: STANDARD_IA
        # objectAcl: private
  2. After creating the Restore CR, execute the following command to check the restore status:

    kubectl get rt -n test2 -owide

This example restores the backup data stored in the spec.gcs.prefix folder of the spec.gcs.bucket bucket on GCS to the TiDB cluster. For more information on the configuration items of BR and GCS, refer to backup-gcs.yaml.

More descriptions of fields in the Restore CR are as follows:

  • .spec.metadata.namespace: The namespace where the Restore CR is located.

  • .spec.to.host: The address of the TiDB cluster to be restored.

  • .spec.to.port: The port of the TiDB cluster to be restored.

  • .spec.to.user: The accessing user of the TiDB cluster to be restored.

  • .spec.to.secretName: The secret containing the password of the .spec.to.user in the TiDB cluster.

  • The secret of the certificate used during the restore.

    If TLS is enabled for the TiDB cluster, but you do not want to restore data using the ${cluster_name}-cluster-client-secret as described in Enable TLS between TiDB Components, you can use this parameter to specify a secret for the restore. To generate the secret, run the following command:

    kubectl create secret generic ${secret_name} --namespace=${namespace} --from-file=tls.crt=${cert_path} --from-file=tls.key=${key_path} --from-file=ca.crt=${ca_path}
  • .spec.tableFilter: BR only restores tables that match the table filter rules. This field can be ignored by default. If the field is not configured, BR restores all schemas except the system schemas.


    To use the table filter to exclude db.table, you need to add the *.* rule to include all tables first. For example:

    - "*.*"
    - "!db.table"
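
The rule ordering behind this requirement, as an added example (not part of the original page and not BR's own code): a simplified Python model that assumes rules are evaluated in order, the last matching rule decides, and a table matching no rule is skipped. The table names and the function names `restored` and `selection` are constructed for the illustration.

```python
# Added example: a simplified model of table-filter rule ordering.
# It is not BR's implementation; only "*" wildcards and "!" are modelled.
from fnmatch import fnmatchcase

# Constructed table names, used only for this illustration.
TABLES = ["db.table", "db.orders", "shop.users"]


def restored(table, rules):
    """Return True if `table` ("schema.table") is selected by `rules`.

    Assumed semantics: rules are checked in order, the last rule that
    matches decides, a leading "!" turns a rule into an exclusion, and a
    table that matches no rule is not selected. `rules` is a non-empty
    .spec.tableFilter list; the unset case (restore everything except
    system schemas) is handled before filtering and is not modelled here.
    """
    schema, _, name = table.partition(".")
    selected = False  # default for a table that no rule matches
    for rule in rules:
        exclude = rule.startswith("!")
        pattern = rule[1:] if exclude else rule
        pat_schema, _, pat_name = pattern.partition(".")
        if fnmatchcase(schema, pat_schema) and fnmatchcase(name, pat_name):
            selected = not exclude  # a later match overrides an earlier one
    return selected


def selection(rules):
    """List the constructed tables that a rule list would restore."""
    return [t for t in TABLES if restored(t, rules)]


if __name__ == "__main__":
    for rules in (["*.*", "!db.table"], ["!db.table"], ["!db.table", "*.*"]):
        print(rules, "->", selection(rules))
```

Only the first rule list restores everything except db.table: the exclusion on its own selects nothing, and placing `*.*` after it re-includes db.table.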

In the examples above, some parameters in .spec.br can be ignored, such as logLevel, statusAddr, concurrency, rateLimit, checksum, timeAgo, and sendCredToTikv.

  • .spec.br.cluster: The name of the cluster to be backed up.
  • .spec.br.clusterNamespace: The namespace of the cluster to be backed up.
  • .spec.br.logLevel: The log level (info by default).
  • .spec.br.statusAddr: The listening address through which BR provides statistics. If not specified, BR does not listen on any status address by default.
  • .spec.br.concurrency: The number of threads used by each TiKV process during backup. Defaults to 4 for backup and 128 for restore.
  • .spec.br.rateLimit: The speed limit, in MB/s. If set to 4, the speed limit is 4 MB/s. The speed limit is not set by default.
  • .spec.br.checksum: Whether to verify the files after the backup is completed. Defaults to true.
  • .spec.br.timeAgo: Backs up the data before timeAgo. If the parameter value is not specified (empty by default), it means backing up the current data. It supports data formats such as "1.5h" and "2h45m". See ParseDuration for more information.
  • .spec.br.sendCredToTikv: Whether the BR process passes its GCP privileges to the TiKV process. Defaults to true.


If you encounter any problem during the restore process, refer to Common Deployment Failures.