BR: support Azure blob storage sas token

[tennix]

What problem does this PR solve?

Previously, tidb-operator only supports access key and AAD authentication for Azure blob storage. The SAS (Shared Access Signature) token is also commonly used, especially for cross Azure tenant scenario. The BR kernel already supports SAS token authentication. This PR adds SAS token support in tidb-operator.

On Azure, the storage account is a namespace for Azure storage. In this respect, it's similar to S3 and GCS bucket. Though Azure blob storage has another hierarchy container. So the storage account should also be in the Backup CR spec. The BR kernel should also re-organize the storage account as normal argument.

What is changed and how does it work?

I add two new fields (StorageAccount, SasToken) in AzblobStorageProvider and concatenate the br command arguments with these two new fields. Now the authentication for Azure is as follows:

• If Backup.Spec.StorageProvider.Azblob.SasToken is specified, then use SAS token authentication
• If Backup.Spec.StorageProvider.Azblob.StorageAccount is specified, then use this to set backup-manager pod env. Otherwise get storage account from secret as before.
• If sas token is unspecified, then try to use access key or AAD authentication.

Code changes

• Has Go code change
• Has CI related scripts change

Tests

• Unit test
• E2E test
• Manual test
• No code

I've tested this PR manually in local kind environment with Azure blob storage SAS token. The backup job finished successfully. The storage account and sas token are all set in Backup CR spec without specifying spec.azblob.secretName

I've also tested backup via access key with following two cases:

• Specifying a secret with only AZURE_STORAGE_KEY and specifying the storage account in the spec.azblob.storageAccount
• Specifying both AZURE_STORAGE_KEY and AZURE_STORAGE_ACCOUNT in secret, but not specifying spec.azblob.storageAccount

Both cases succeeded as expected.

Side effects

• Breaking backward compatibility
• Other side effects:

Related changes

• Need to cherry-pick to the release branch
• Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

Support Backup & Restore using Azure blob storage SAS token authentication

[tennix]

Ref: https://docs.pingcap.com/tidb/stable/backup-and-restore-storages#uri-examples

[csuzhangxc]

/run-pull-e2e-kind-br

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 0% with 56 lines in your changes missing coverage. Please review.

Project coverage is 21.02%. Comparing base (9ef26f8) to head (c03faac).
Report is 17 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (9ef26f8) and HEAD (c03faac). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (9ef26f8)	HEAD (c03faac)
unittest	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #5720       +/-   ##
===========================================
- Coverage   61.47%   21.02%   -40.45%     
===========================================
  Files         235      219       -16     
  Lines       30653    30618       -35     
===========================================
- Hits        18843     6437    -12406     
- Misses       9920    23269    +13349     
+ Partials     1890      912      -978     

Flag	Coverage Δ
e2e	21.02% <0.00%> (?)
unittest	?

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csuzhangxc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [csuzhangxc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2024-08-28 06:36:32.155973707 +0000 UTC m=+938587.290423830: ☑️ agreed by csuzhangxc.
• 2024-08-28 06:36:38.86317897 +0000 UTC m=+938593.997629083: ✖️🔁 reset by csuzhangxc.

[ti-chi-bot]

New changes are detected. LGTM label has been removed.

[csuzhangxc]

/cherry-pick release-1.6

[ti-chi-bot]

@csuzhangxc: once the present PR merges, I will cherry-pick it on top of release-1.6 in the new PR and assign it to you.

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

[ti-chi-bot]

@csuzhangxc: new pull request created to branch release-1.6: #5724.

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.