BR: support Azure blob storage sas token (#5720)

[ti-chi-bot]

This is an automated cherry-pick of #5720

What problem does this PR solve?

Previously, tidb-operator only supports access key and AAD authentication for Azure blob storage. The SAS (Shared Access Signature) token is also commonly used, especially for cross Azure tenant scenario. The BR kernel already supports SAS token authentication. This PR adds SAS token support in tidb-operator.

On Azure, the storage account is a namespace for Azure storage. In this respect, it's similar to S3 and GCS bucket. Though Azure blob storage has another hierarchy container. So the storage account should also be in the Backup CR spec. The BR kernel should also re-organize the storage account as normal argument.

What is changed and how does it work?

I add two new fields (StorageAccount, SasToken) in AzblobStorageProvider and concatenate the br command arguments with these two new fields. Now the authentication for Azure is as follows:

• If Backup.Spec.StorageProvider.Azblob.SasToken is specified, then use SAS token authentication
• If Backup.Spec.StorageProvider.Azblob.StorageAccount is specified, then use this to set backup-manager pod env. Otherwise get storage account from secret as before.
• If sas token is unspecified, then try to use access key or AAD authentication.

Code changes

• Has Go code change
• Has CI related scripts change

Tests

• Unit test
• E2E test
• Manual test
• No code

I've tested this PR manually in local kind environment with Azure blob storage SAS token. The backup job finished successfully. The storage account and sas token are all set in Backup CR spec without specifying spec.azblob.secretName

I've also tested backup via access key with following two cases:

• Specifying a secret with only AZURE_STORAGE_KEY and specifying the storage account in the spec.azblob.storageAccount
• Specifying both AZURE_STORAGE_KEY and AZURE_STORAGE_ACCOUNT in secret, but not specifying spec.azblob.storageAccount

Both cases succeeded as expected.

Side effects

• Breaking backward compatibility
• Other side effects:

Related changes

• Need to cherry-pick to the release branch
• Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

Support Backup & Restore using Azure blob storage SAS token authentication

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign liubog2008 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment