feat: add azure auth workload_identity by heliapb · Pull Request #7998 · prometheus-operator/prometheus-operator

heliapb · 2025-10-08T10:38:23Z

Description

Add support for workload_identity in azure auth, as part of the new prometheus version 3.7
prometheus/prometheus#16788

Type of change

What type of changes does your code introduce to the Prometheus operator? Put an x in the box that apply.

CHANGE (fix or feature that would cause existing functionality to not work as expected)
FEATURE (non-breaking change which adds functionality)
BUGFIX (non-breaking change which fixes an issue)
ENHANCEMENT (non-breaking change which improves existing functionality)
NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Verification

Please check the Prometheus-Operator testing guidelines for recommendations about automated tests.

Changelog entry

Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.

simonpasquier · 2025-10-08T12:26:52Z

Hmm the new options are for remote write configurations not scrape configurations?

pkg/apis/monitoring/v1/prometheus_types.go

simonpasquier · 2025-10-08T16:13:22Z

#7815 (comment) also applies here.

pkg/thanos/operator.go

pkg/apis/monitoring/v1/prometheus_types.go

pkg/prometheus/operator.go

pkg/apis/monitoring/v1/prometheus_types.go

pkg/prometheus/operator.go

simonpasquier · 2025-12-16T08:27:17Z

We also need to implement the feature in the ThanosRuler controller.

simonpasquier · 2026-01-06T14:18:10Z

pkg/prometheus/operator.go

-		if spec.AzureAD.ManagedIdentity == nil && spec.AzureAD.OAuth == nil && spec.AzureAD.SDK == nil {
-			return fmt.Errorf("must provide Azure Managed Identity or Azure OAuth or Azure SDK in the Azure AD config")
+		if spec.AzureAD.ManagedIdentity == nil && spec.AzureAD.OAuth == nil && spec.AzureAD.SDK == nil && spec.AzureAD.WorkloadIdentity == nil {
+			return fmt.Errorf("must provide Azure Managed Identity, Azure OAuth, Azure SDK, or Azure Workload Identity in the Azure AD config")


this could become a CEL expression (as a follow-up).

ok then, just to clarify, to open a follow up pr with the cel validations then?

got it, will work on this as follow up

pkg/prometheus/operator.go

pkg/thanos/operator.go

pkg/prometheus/testdata/RemoteWriteConfigAzureADWorkloadIdentity_v3.7.0.golden

simonpasquier

LGTM but the tests need to be fixed.

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

Co-authored-by: Simon Pasquier <spasquie@redhat.com>

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

heliapb requested a review from a team as a code owner October 8, 2025 10:38

pull-request-size bot added the size/L label Oct 8, 2025

heliapb force-pushed the feat/azure_workloadidentity branch from 95eb44b to 1b66005 Compare October 8, 2025 12:53

simonpasquier reviewed Oct 8, 2025

View reviewed changes

pkg/apis/monitoring/v1/prometheus_types.go Outdated Show resolved Hide resolved

pkg/apis/monitoring/v1/prometheus_types.go Outdated Show resolved Hide resolved

pkg/apis/monitoring/v1/prometheus_types.go Outdated Show resolved Hide resolved

heliapb requested a review from simonpasquier October 8, 2025 19:38

simonpasquier reviewed Oct 10, 2025

View reviewed changes

pkg/thanos/operator.go Outdated Show resolved Hide resolved

pkg/apis/monitoring/v1/prometheus_types.go Outdated Show resolved Hide resolved

pkg/prometheus/operator.go Show resolved Hide resolved

heliapb requested a review from simonpasquier October 10, 2025 11:47

heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from c3e6bce to 54ebcc7 Compare October 15, 2025 15:55

heliapb force-pushed the feat/azure_workloadidentity branch from 54ebcc7 to ce50e53 Compare October 26, 2025 17:27

heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from 3d634c1 to 9f26e0e Compare November 5, 2025 12:53

heliapb mentioned this pull request Dec 9, 2025

Feature/azure workload identity remote write #8145

Closed

5 tasks

heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from 03cf7c6 to 0c8dc81 Compare December 9, 2025 22:50

simonpasquier reviewed Dec 15, 2025

View reviewed changes

pkg/apis/monitoring/v1/prometheus_types.go Show resolved Hide resolved

pkg/prometheus/operator.go Show resolved Hide resolved

pkg/prometheus/operator.go Show resolved Hide resolved

pkg/prometheus/operator.go Show resolved Hide resolved

pkg/prometheus/operator.go Show resolved Hide resolved

heliapb force-pushed the feat/azure_workloadidentity branch from 9f9b712 to 202f4b9 Compare January 5, 2026 22:09

simonpasquier reviewed Jan 6, 2026

View reviewed changes

heliapb force-pushed the feat/azure_workloadidentity branch from d678b82 to 79907f3 Compare January 6, 2026 22:20

heliapb requested a review from simonpasquier January 6, 2026 22:39

simonpasquier reviewed Jan 7, 2026

View reviewed changes

pkg/prometheus/testdata/RemoteWriteConfigAzureADWorkloadIdentity_v3.7.0.golden Show resolved Hide resolved

simonpasquier reviewed Jan 7, 2026

View reviewed changes

heliapb requested a review from simonpasquier January 7, 2026 10:02

heliapb and others added 4 commits January 7, 2026 10:22

feat: add azure workload idendity

4138a0f

feat: add azure workload identity

2f93e45

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

Update pkg/prometheus/operator.go

5b8d302

Co-authored-by: Simon Pasquier <spasquie@redhat.com>

Update pkg/prometheus/operator.go

b6c7028

Co-authored-by: Simon Pasquier <spasquie@redhat.com>

heliapb added 6 commits January 7, 2026 10:22

feat: checks

bfa2ca7

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

feat: tests

ad4a92b

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

feat: tests thanos

21e1251

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

fix: comments

95e7945

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

fix: comments

fe56178

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

fix: tests

e9c0e32

Signed-off-by: Hélia Barroso <helia_barroso@hotmail.com>

heliapb force-pushed the feat/azure_workloadidentity branch from 1ed4736 to e9c0e32 Compare January 7, 2026 10:22

simonpasquier approved these changes Jan 7, 2026

View reviewed changes

simonpasquier enabled auto-merge (squash) January 7, 2026 10:25

simonpasquier merged commit 327d864 into prometheus-operator:main Jan 7, 2026
22 checks passed

heliapb deleted the feat/azure_workloadidentity branch January 7, 2026 11:37

This was referenced Jan 7, 2026

feat: Add scope support for AzureAD Remote Write #8240

Merged

feat: workload identity support for azure remote write scenarios #8118

Closed

simonpasquier mentioned this pull request Jan 9, 2026

chore: cut v0.88.0 #8263

Merged

5 tasks

Conversation

heliapb commented Oct 8, 2025

Description

Type of change

Verification

Changelog entry

Uh oh!

simonpasquier commented Oct 8, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

simonpasquier commented Oct 8, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

simonpasquier commented Dec 16, 2025

Uh oh!

simonpasquier Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

heliapb Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

simonpasquier Jan 7, 2026

Choose a reason for hiding this comment

Uh oh!

heliapb Jan 7, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

simonpasquier left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants