Skip to content

BR: support Azure blob storage sas token #5720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
csuzhangxc merged 5 commits into from
Aug 28, 2024
Merged

BR: support Azure blob storage sas token #5720

csuzhangxc merged 5 commits into from
Aug 28, 2024

Conversation

@tennix
Copy link
Member

@tennix tennix commented Aug 26, 2024
edited
Loading

What problem does this PR solve?

Previously, tidb-operator only supports access key and AAD authentication for Azure blob storage. The SAS (Shared Access Signature) token is also commonly used, especially for cross Azure tenant scenario. The BR kernel already supports SAS token authentication. This PR adds SAS token support in tidb-operator.

On Azure, the storage account is a namespace for Azure storage. In this respect, it's similar to S3 and GCS bucket. Though Azure blob storage has another hierarchy container. So the storage account should also be in the Backup CR spec. The BR kernel should also re-organize the storage account as normal argument.

What is changed and how does it work?

I add two new fields (StorageAccount, SasToken) in AzblobStorageProvider and concatenate the br command arguments with these two new fields. Now the authentication for Azure is as follows:

  • If Backup.Spec.StorageProvider.Azblob.SasToken is specified, then use SAS token authentication
  • If Backup.Spec.StorageProvider.Azblob.StorageAccount is specified, then use this to set backup-manager pod env. Otherwise get storage account from secret as before.
  • If sas token is unspecified, then try to use access key or AAD authentication.

Code changes

  • Has Go code change
  • Has CI related scripts change

Tests

  • Unit test
  • E2E test
  • Manual test
  • No code

I've tested this PR manually in local kind environment with Azure blob storage SAS token. The backup job finished successfully. The storage account and sas token are all set in Backup CR spec without specifying spec.azblob.secretName
image

I've also tested backup via access key with following two cases:

  • Specifying a secret with only AZURE_STORAGE_KEY and specifying the storage account in the spec.azblob.storageAccount
  • Specifying both AZURE_STORAGE_KEY and AZURE_STORAGE_ACCOUNT in secret, but not specifying spec.azblob.storageAccount

Both cases succeeded as expected.

Side effects

  • Breaking backward compatibility
  • Other side effects:

Related changes

  • Need to cherry-pick to the release branch
  • Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.

Support Backup & Restore using Azure blob storage SAS token authentication

@ti-chi-bot ti-chi-bot bot added the size/XL label Aug 26, 2024
tennix
tennix commented Aug 26, 2024
View reviewed changes
pkg/backup/util/remote.go
values.Add("sas-token", conf.sasToken)
}
if v := values.Encode(); v != "" {
path = path + "?" + v
Copy link
Member Author

@tennix tennix Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ref: https://docs.pingcap.com/tidb/stable/backup-and-restore-storages#uri-examples

csuzhangxc
csuzhangxc reviewed Aug 27, 2024
View reviewed changes
@csuzhangxc
Copy link
Member

csuzhangxc commented Aug 27, 2024

/run-pull-e2e-kind-br

@codecov-commenter
Copy link

codecov-commenter commented Aug 27, 2024

Codecov Report

Attention: Patch coverage is 0% with 56 lines in your changes missing coverage. Please review.

Project coverage is 21.02%. Comparing base (9ef26f8) to head (c03faac).
Report is 17 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (9ef26f8) and HEAD (c03faac). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (9ef26f8) HEAD (c03faac)
unittest 1 0
Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #5720       +/-   ##
===========================================
- Coverage   61.47%   21.02%   -40.45%     
===========================================
  Files         235      219       -16     
  Lines       30653    30618       -35     
===========================================
- Hits        18843     6437    -12406     
- Misses       9920    23269    +13349     
+ Partials     1890      912      -978
Flag Coverage Δ
e2e 21.02% <0.00%> (?)
unittest ?

@ti-chi-bot ti-chi-bot bot added the lgtm label Aug 28, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Aug 28, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csuzhangxc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added the approved label Aug 28, 2024
@ti-chi-bot ti-chi-bot bot removed the lgtm label Aug 28, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Aug 28, 2024

[LGTM Timeline notifier]

Timeline:

  • 2024-08-28 06:36:32.155973707 +0000 UTC m=+938587.290423830: ☑️ agreed by csuzhangxc.
  • 2024-08-28 06:36:38.86317897 +0000 UTC m=+938593.997629083: ✖️🔁 reset by csuzhangxc.

@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Aug 28, 2024

New changes are detected. LGTM label has been removed.

@csuzhangxc
Copy link
Member

csuzhangxc commented Aug 28, 2024

/cherry-pick release-1.6

@ti-chi-bot
Copy link
Member

ti-chi-bot commented Aug 28, 2024

@csuzhangxc: once the present PR merges, I will cherry-pick it on top of release-1.6 in the new PR and assign it to you.

Details

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@csuzhangxc csuzhangxc merged commit ff467a6 into pingcap:master Aug 28, 2024
@ti-chi-bot
Copy link
Member

ti-chi-bot commented Aug 28, 2024

@csuzhangxc: new pull request created to branch release-1.6: #5724.

Details

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@ti-chi-bot ti-chi-bot mentioned this pull request Aug 28, 2024
Merged
10 tasks
@tennix tennix deleted the azure-sas branch August 28, 2024 07:29
csuzhangxc pushed a commit that referenced this pull request Aug 28, 2024
@ti-chi-bot @tennix
BR: support Azure blob storage sas token (#5720) (#5724)
5cfe52c 
Co-authored-by: tennix <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@csuzhangxc csuzhangxc csuzhangxc approved these changes

Assignees

No one assigned

Labels

approved size/XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tennix @csuzhangxc @codecov-commenter @ti-chi-bot