DM to read password from environment

[mzhang77]

Is your feature request related to a problem?

ight now, dm requires storing password in config file:

## ******** Downstream TiDB instance configuration ********** 
target-database: 
# Configuration of the downstream database instance. 
host: "n.n.n.n" 
port: 4000 
user: "root" 
password: "NElUoZylDevEjgPKvcJdF0Akdn2D"
# If the password is not null, it is recommended to use a password encrypted with dmctl.

This is still unsafe.

Describe the feature you'd like

DM to read password from environment variable. For example:

password: env("DM_PASSWORD")

When use it, user need to set the environment variable first:

export DM_PASSWORD=password
dmctl start-task ... 

Describe alternatives you've considered

There are ways to workaround this security breach, but it's nice if DM can handle it.

Teachability, Documentation, Adoption, Migration Strategy

No response

[lance6716]

A DM worker may replicate to different TiDB cluster with different password. And I'm not sure if environment variables are loaded at process start. If so, when need to change downstream password we need to restart DM workers. 🤔

also cc @OliverS929