feat: add native support for Azure Blob Storage

Barman Cloud now support Azure Blob Storage natively, without having to
deal with MinIO Gateway. This patch makes Cloud Native PostgreSQL use
that new feature and backup/restore clusters and WALs directly to Azure
Blob Storage.

The operator now support authenticating via:

1. connection string
2. storage account name and key
3. storage account name and SAS token

Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>

Author: leonardoce

.wordlist-en-custom.txt

@@ -7,6 +7,8 @@ AdditionalPodAntiAffinity
 AffinityConfiguration
 Anand
 Autoscaler
+AzureCredentials
+Azurite
 BackupConfiguration
 BackupList
 BackupPhase
@@ -153,6 +155,7 @@ ReplicationTLSSecret
 ResourceRequirements
 RoleBinding
 RollingUpdateStatus
+SAS
 SCC
 SCCs
 SDK
@@ -523,6 +526,8 @@ stopDelay
 stoppedAt
 storageClass
 storageClassName
+storageKey
+storageSasToken
 storageclass
 storageconfiguration
 subcommand

api/v1/backup_types.go

@@ -36,8 +36,11 @@ type BackupSpec struct {
 
 // BackupStatus defines the observed state of Backup
 type BackupStatus struct {
-	// The credentials to use to upload data to S3
-	S3Credentials S3Credentials `json:"s3Credentials"`
+	// The credentials to be used to upload data to S3
+	S3Credentials *S3Credentials `json:"s3Credentials,omitempty"`
+
+	// The credentials to be used to upload data to Azure Blob Storage
+	AzureCredentials *AzureCredentials `json:"azureCredentials,omitempty"`
 
 	// Endpoint to be used to upload data to the cloud,
 	// overriding the automatic endpoint discovery

api/v1/cluster_types.go

@@ -621,7 +621,10 @@ const (
 // using Barman against an S3-compatible object storage
 type BarmanObjectStoreConfiguration struct {
 	// The credentials to use to upload data to S3
-	S3Credentials S3Credentials `json:"s3Credentials"`
+	S3Credentials *S3Credentials `json:"s3Credentials,omitempty"`
+
+	// The credentials to use to upload data in Azure Blob Storage
+	AzureCredentials *AzureCredentials `json:"azureCredentials,omitempty"`
 
 	// Endpoint to be used to upload data to the cloud,
 	// overriding the automatic endpoint discovery
@@ -718,6 +721,29 @@ type S3Credentials struct {
 	SecretAccessKeyReference SecretKeySelector `json:"secretAccessKey"`
 }
 
+// AzureCredentials is the type for the credentials to be used to upload
+// files to Azure Blob Storage. The connection string contains every needed
+// information. If the connection string is not specified, we'll need the
+// storage account name and also one (and only one) of:
+//
+// - storageKey
+// - storageSasToken
+type AzureCredentials struct {
+	// The connection string to be used
+	ConnectionString *SecretKeySelector `json:"connectionString,omitempty"`
+
+	// The storage account where to upload data
+	StorageAccount *SecretKeySelector `json:"storageAccount,omitempty"`
+
+	// The storage account key to be used in conjunction
+	// with the storage account name
+	StorageKey *SecretKeySelector `json:"storageKey,omitempty"`
+
+	// A shared-access-signature to be used in conjunction with
+	// the storage account name
+	StorageSasToken *SecretKeySelector `json:"storageSasToken,omitempty"`
+}
+
 // MonitoringConfiguration is the type containing all the monitoring
 // configuration for a certain cluster
 type MonitoringConfiguration struct {

api/v1/cluster_webhook.go

@@ -132,6 +132,7 @@ func (r *Cluster) Validate() (allErrs field.ErrorList) {
 	allErrs = append(allErrs, r.validateTolerations()...)
 	allErrs = append(allErrs, r.validateAntiAffinity()...)
 	allErrs = append(allErrs, r.validateReplicaMode()...)
+	allErrs = append(allErrs, r.validateBackupConfiguration()...)
 
 	return allErrs
 }
@@ -865,3 +866,67 @@ func (r *Cluster) validateAntiAffinity() field.ErrorList {
 	}
 	return allErrors
 }
+
+// validateBackupConfiguration validates the backup configuration
+func (r *Cluster) validateBackupConfiguration() field.ErrorList {
+	allErrors := field.ErrorList{}
+
+	if r.Spec.Backup == nil || r.Spec.Backup.BarmanObjectStore == nil {
+		return nil
+	}
+
+	credentialsCount := 0
+	if r.Spec.Backup.BarmanObjectStore.AzureCredentials != nil {
+		credentialsCount++
+		allErrors = r.Spec.Backup.BarmanObjectStore.AzureCredentials.validateAzureCredentials(
+			field.NewPath("spec", "backupConfiguration", "azureCredentials"))
+	}
+	if r.Spec.Backup.BarmanObjectStore.S3Credentials != nil {
+		credentialsCount++
+	}
+
+	if credentialsCount != 1 {
+		allErrors = append(allErrors, field.Invalid(
+			field.NewPath("spec", "backupConfiguration"),
+			r.Spec.Backup.BarmanObjectStore,
+			"one and only one of azureCredentials and s3Credentials are required",
+		))
+	}
+
+	return allErrors
+}
+
+// validateAzureCredentials checks and validates the azure credentials
+func (azure *AzureCredentials) validateAzureCredentials(path *field.Path) field.ErrorList {
+	allErrors := field.ErrorList{}
+
+	secrets := 0
+	if azure.StorageKey != nil {
+		secrets++
+	}
+	if azure.StorageSasToken != nil {
+		secrets++
+	}
+
+	if secrets != 1 && azure.ConnectionString == nil {
+		allErrors = append(
+			allErrors,
+			field.Invalid(
+				path,
+				azure,
+				"when connection string is not specified, one and only one of "+
+					"storage key and storage SAS token is allowed"))
+	}
+
+	if secrets != 0 && azure.ConnectionString != nil {
+		allErrors = append(
+			allErrors,
+			field.Invalid(
+				path,
+				azure,
+				"when connection string is specified, the other parameters "+
+					"must be empty"))
+	}
+
+	return allErrors
+}

api/v1/cluster_webhook_test.go

@@ -13,6 +13,7 @@ import (
 	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	"github.com/EnterpriseDB/cloud-native-postgresql/internal/configuration"
 )
@@ -62,6 +63,114 @@ var _ = Describe("bootstrap methods validation", func() {
 	})
 })
 
+var _ = Describe("azure credentials", func() {
+	path := field.NewPath("spec", "backupConfiguration", "azureCredentials")
+
+	It("contain only one of storage account key and SAS token", func() {
+		azureCredentials := AzureCredentials{
+			StorageAccount: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageAccount",
+			},
+			StorageKey: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageKey",
+			},
+			StorageSasToken: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "sasToken",
+			},
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).ToNot(BeEmpty())
+
+		azureCredentials = AzureCredentials{
+			StorageAccount: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageAccount",
+			},
+			StorageKey:      nil,
+			StorageSasToken: nil,
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).ToNot(BeEmpty())
+	})
+
+	It("is correct when the storage key is used", func() {
+		azureCredentials := AzureCredentials{
+			StorageAccount: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageAccount",
+			},
+			StorageKey: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageKey",
+			},
+			StorageSasToken: nil,
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).To(BeEmpty())
+	})
+
+	It("is correct when the sas token is used", func() {
+		azureCredentials := AzureCredentials{
+			StorageAccount: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageAccount",
+			},
+			StorageKey: nil,
+			StorageSasToken: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "sasToken",
+			},
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).To(BeEmpty())
+	})
+
+	It("is correct even if only the connection string is specified", func() {
+		azureCredentials := AzureCredentials{
+			ConnectionString: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "connectionString",
+			},
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).To(BeEmpty())
+	})
+
+	It("it is not correct when the connection string is specified with other parameters", func() {
+		azureCredentials := AzureCredentials{
+			ConnectionString: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "connectionString",
+			},
+			StorageAccount: &SecretKeySelector{
+				LocalObjectReference: LocalObjectReference{
+					Name: "azure-config",
+				},
+				Key: "storageAccount",
+			},
+		}
+		Expect(azureCredentials.validateAzureCredentials(path)).To(BeEmpty())
+	})
+})
+
 var _ = Describe("certificates options validation", func() {
 	It("doesn't complain if there isn't a configuration", func() {
 		emptyCluster := &Cluster{}