-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure: Add support for Azure Workload Identity authentication using DefaultAzureCredential #82
Conversation
85a8bb6
to
4f2667b
Compare
a2007b9
to
4f2667b
Compare
4f2667b
to
1b257a3
Compare
93a3646
to
434c07b
Compare
@kakkoyun Please could I get a review of this PR. Thanks! |
44f81a3
to
6422764
Compare
Just a friendly note - I think you are able to use WorkloadIdentityCredential which is more accurate for an in-place replacement |
Thanks for the suggestion! I did look into using WorkloadIdentityCredential, but using that would mean users would no longer be able to authenticate using VM Managed Identities - which is something Thanos currently supports. DefaultAzureCredential has the benefit of supporting all types of authentication (providing the correct inputs exist or are passed to it) and attempts to authenticate in the order described here. |
Great to see workload identity support being added for azure storage connections. Is this going to support sovereign clouds? From what I can see it doesn't look to be an option. Usually there is a cloud client option set for both the auth call and for the actual storage call. It would be great to see additional cloud env support included with the workload identity support |
I'm not entirely sure what sovereign cloud is but doing a quick online search suggests it's something to do with being compliant with local laws ensuring all data stays on sovereign soil. I'm not sure how that ties in with making a request for an authorisation token though! The |
@vglafirov @phillebaba As |
@rikhil-s So sovereign clouds are special cloud environments that use different endpoints and any call to them you need to pass it the cloud config for that environment otherwise it will always call the the main public cloud endpoints which won't work. Both the identity call as well as the storage calls need to be updated to pass the correct cloud environment option. externaldns recently had to fix support for it as well: kubernetes-sigs/external-dns#3942, I can point out some of the key points to set so it can hopefully be replicated here. This is the line that set the client options to use the correct cloud for the identity call: https://github.com/kubernetes-sigs/external-dns/blob/master/provider/azure/config.go#L74. Looks like As for the actual storage calls, I think it would just be setting the cloud option in the already defined options object: https://github.com/thanos-io/objstore/blob/main/providers/azure/helpers.go#L27 and just make sure it gets passed to all calls. I am not sure of the specifics of the storage calls, but here is an example in externaldns of where a resource call passes client options that include the cloud environment: https://github.com/kubernetes-sigs/external-dns/blob/master/provider/azure/azure.go#L78 I know that was a lot, hopefully that information helps, would be awesome if we could get additional cloud environment support directly with workload identity support. Just want to be able to set a variable for which azure environment to use and for it to be able to work. |
Ok that makes sense. I think I would be reluctant to include those changes in this PR as I don't really have the knowledge or expertise to test that. CI doesn't currently test Azure object storage client implementations so there would need to be a lot of local testing involved which I can't commit to at this time. |
I’ve been putting off using thanos for this reason and was about to do this myself. Hopefully this few line PR can be reviewed at some point. |
@rikhil-s can you add reviewers? |
It won't let me add reviewers - I think only maintainers can add themselves as reviewers. I have posted in the slack channel for a review but haven't received much engagement apart from @MichaHoffmann who is trying to get in contact with one of the |
I am ok to switch to |
85dfb6e
to
b5278e7
Compare
b5278e7
to
e0e212f
Compare
See thread above, but we have now worked around using the env var whilst maintaining support for VM Managed Identities. |
Signed-off-by: Rikhil Shah <rikhil.shah@metaswitch.com>
e0e212f
to
1564748
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
So after this is merged in, what is the protocol for getting this into the main thanos image? After that happens, I'd be happy to update the documentation for this, unless @rikhil-s wants to handle that too. |
@MichaHoffmann I will go ahead and merge this pr. Incase you have any other comments we can follow up in next pr.
@jellis18 We don't have a doc for the upgrade process. But you just need to do |
Hey! No this looks great to me. |
I can create the PR for the main Thanos image and if you're happy to handle the documentation, that'd be great! @MichaHoffmann @yeya24 What's the process for releasing a patch release? From reading the release process docs, I can see that major releases are on a 6 weekly cadence but I would like to release a |
0.33-rc0 is in progress; we could add it there maybe |
When is that being released? I guess putting these changes in a |
Sometime early this week probably; if we add this it would be -rc1 i think |
Ok, let's aim to get it in there. Will create the PR in Thanos now to pull in these changes. |
Changes
DefaultAzureCredential
azidentity
from1.2.0
to1.4.0
to enable Workload Identity authenticationVerification
thanos
image with these changes and using it in an:thanos
components which useobjstore
successfully authenticated with Azure