Azure: Add support for Azure Workload Identity authentication using DefaultAzureCredential #82
Conversation
rikhil-s
force-pushed
the
workloadidentity
branch
2 times, most recently
from
85a8bb6
to
4f2667b
Compare
rikhil-s
force-pushed
the
workloadidentity
branch
from
a2007b9
to
4f2667b
Compare
rikhil-s
force-pushed
the
workloadidentity
branch
from
4f2667b
to
1b257a3
Compare
rikhil-s
force-pushed
the
workloadidentity
branch
4 times, most recently
from
93a3646
to
434c07b
Compare
|
@kakkoyun Please could I get a review of this PR. Thanks! |
rikhil-s
force-pushed
the
workloadidentity
branch
2 times, most recently
from
44f81a3
to
6422764
Compare
|
Just a friendly note - I think you are able to use WorkloadIdentityCredential which is more accurate for an in-place replacement |
Thanks for the suggestion! I did look into using WorkloadIdentityCredential, but using that would mean users would no longer be able to authenticate using VM Managed Identities - which is something Thanos currently supports. DefaultAzureCredential has the benefit of supporting all types of authentication (providing the correct inputs exist or are passed to it) and attempts to authenticate in the order described here. |
|
Great to see workload identity support being added for azure storage connections. Is this going to support sovereign clouds? From what I can see it doesn't look to be an option. Usually there is a cloud client option set for both the auth call and for the actual storage call. It would be great to see additional cloud env support included with the workload identity support |
I'm not entirely sure what sovereign cloud is but doing a quick online search suggests it's something to do with being compliant with local laws ensuring all data stays on sovereign soil. I'm not sure how that ties in with making a request for an authorisation token though! The |
|
@vglafirov @phillebaba As |
|
@rikhil-s So sovereign clouds are special cloud environments that use different endpoints and any call to them you need to pass it the cloud config for that environment otherwise it will always call the the main public cloud endpoints which won't work. Both the identity call as well as the storage calls need to be updated to pass the correct cloud environment option. externaldns recently had to fix support for it as well: kubernetes-sigs/external-dns#3942, I can point out some of the key points to set so it can hopefully be replicated here. This is the line that set the client options to use the correct cloud for the identity call: https://github.com/kubernetes-sigs/external-dns/blob/master/provider/azure/config.go#L74. Looks like As for the actual storage calls, I think it would just be setting the cloud option in the already defined options object: https://github.com/thanos-io/objstore/blob/main/providers/azure/helpers.go#L27 and just make sure it gets passed to all calls. I am not sure of the specifics of the storage calls, but here is an example in externaldns of where a resource call passes client options that include the cloud environment: https://github.com/kubernetes-sigs/external-dns/blob/master/provider/azure/azure.go#L78 I know that was a lot, hopefully that information helps, would be awesome if we could get additional cloud environment support directly with workload identity support. Just want to be able to set a variable for which azure environment to use and for it to be able to work. |
Ok that makes sense. I think I would be reluctant to include those changes in this PR as I don't really have the knowledge or expertise to test that. CI doesn't currently test Azure object storage client implementations so there would need to be a lot of local testing involved which I can't commit to at this time. |
|
I’ve been putting off using thanos for this reason and was about to do this myself. Hopefully this few line PR can be reviewed at some point. |
|
@rikhil-s can you add reviewers? |
It won't let me add reviewers - I think only maintainers can add themselves as reviewers. I have posted in the slack channel for a review but haven't received much engagement apart from @MichaHoffmann who is trying to get in contact with one of the |
|
I am ok to switch to |
rikhil-s
force-pushed
the
workloadidentity
branch
3 times, most recently
from
85dfb6e
to
b5278e7
Compare
rikhil-s
changed the title
rikhil-s
force-pushed
the
workloadidentity
branch
from
b5278e7
to
e0e212f
Compare
See thread above, but we have now worked around using the env var whilst maintaining support for VM Managed Identities. |
Signed-off-by: Rikhil Shah <rikhil.shah@metaswitch.com>
rikhil-s
force-pushed
the
workloadidentity
branch
from
e0e212f
to
1564748
Compare
So after this is merged in, what is the protocol for getting this into the main thanos image? After that happens, I'd be happy to update the documentation for this, unless @rikhil-s wants to handle that too. |
|
@MichaHoffmann I will go ahead and merge this pr. Incase you have any other comments we can follow up in next pr.
@jellis18 We don't have a doc for the upgrade process. But you just need to do |
|
Hey! No this looks great to me. |
I can create the PR for the main Thanos image and if you're happy to handle the documentation, that'd be great! @MichaHoffmann @yeya24 What's the process for releasing a patch release? From reading the release process docs, I can see that major releases are on a 6 weekly cadence but I would like to release a |
|
0.33-rc0 is in progress; we could add it there maybe |
When is that being released? I guess putting these changes in a |
|
Sometime early this week probably; if we add this it would be -rc1 i think |
Ok, let's aim to get it in there. Will create the PR in Thanos now to pull in these changes. |
Changes
DefaultAzureCredentialazidentityfrom1.2.0to1.4.0to enable Workload Identity authenticationVerification
thanosimage with these changes and using it in an:thanoscomponents which useobjstoresuccessfully authenticated with Azure