remote_write azure auth : add workload identity support #16788
bwplotka merged 14 commits into prometheus:main
Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>
Hey @bwplotka, gentle ping on this PR. Let me know what the best next steps would be to get this merged in.

Thanks! I was on holidays, will try to look tomorrow, please ping me on Slack if I don't!
bwplotka
left a comment
Thanks, excellent work, code quality wise - thanks for tests!
Generally looks good, but we need to update documentation, ideally in this PR, to allow users to discover and use the new entries.
I also suggest we don't over-explain the setup here. It can change anytime and it will be hard to update our code commentary or even any complex instructions in the potential configuration documentation. Let's keep it minimal and refer to Azure docs if possible, WDYT?
Co-authored-by: Bartlomiej Plotka <bwplotka@gmail.com> Signed-off-by: bragi92 <kadubey@microsoft.com>
Thank you for taking a look at this PR @bwplotka. I believe I’ve addressed all your comments — when you have a moment, I’d appreciate another look.

Gentle ping on this @bwplotka, thanks for your help in reviewing this!
Currently, Prometheus supports several authentication mechanisms for remote write including basic auth, authorization headers, sigv4, azuread, and oauth2. However, it lacks support for Azure Workload Identity, which is Microsoft's recommended modern authentication method for workloads running in Azure Kubernetes Service (AKS) and other Azure environments.
Azure Workload Identity provides a secure, token-based authentication mechanism that eliminates the need for storing secrets and credentials in pods. It leverages the relationship between Kubernetes service accounts and Azure managed identities to provide seamless authentication.
Changes
This implementation extends the existing Azure AD authentication support to include Workload Identity authentication for remote write endpoints. The changes allow users to:
Configure Prometheus to use Azure Workload Identity for authenticating remote write requests
Leverage the existing Azure token acquisition mechanisms while supporting the Workload Identity token exchange flow
Maintain backward compatibility with existing Azure AD authentication methods
Benefits
Enhanced Security: Eliminates the need to store Azure credentials as secrets in Kubernetes
Simplified Operations: Reduces credential management overhead for Azure-based deployments
Modern Authentication: Aligns with Microsoft's recommended authentication patterns for Azure workloads
Compliance: Supports organizations' requirements for credential-less authentication in cloud environments
Breaking Changes
None. This is an additive feature that maintains full backward compatibility with existing authentication methods.
Testing
I've added unit tests and also built the prometheus binary locally and deployed it as a container in my AKS cluster with workload identity, and can see data flowing into my workspace: