when msi is enabled, use a msi authorizer to fetch the storage accoun… #4100
Conversation
84a026a to eb87dde
I think having MSI is a valuable feature for people on Azure. Just to make you aware that the chunk client is only one of the two object store clients in cortex and it is only used for chunk storage. When block storage is used we are actually using the client part of the thanos project. I would suggest we align the configuration options closely to thanos-io/thanos#3970
…t key
Signed-off-by: guojing013214 <[email protected]>
eb87dde to 484f5c7
I align the configuration and set the msi switch to MSIResource. To use MSI, at least two additional config options need to be specified: MSIResource and Resource group name (haven't found a simple way to get the resource group name XD)
@guojing013214 Sorry for reiterating on this point but I would like to confirm you're actually using Cortex with the (old) chunks storage and not the (new) blocks storage. The changes done here affect only the Cortex chunks storage: are you running it?
@pracucci yes, I am running the (old) chunks storage by Loki, here is my case: I am running Loki on Azure, and using an azure storage account to save the chunks. But I need MSI to accomplish the authentication in Azure and also want to keep up with the version of open source, that's why I commit this PR. About the (new) blocks storage, could you please tell me where the code is located (are you suggesting to support MSI in this feature too)? I'm a new guy to Loki and Cortex, but I would like to contribute in my spare time. Or if you have a better plan to support MSI in Loki (Loki is using cortex to interact with the storage account), I will be very grateful and pleased to follow up (I'm not quite sure if the way in this PR is the best way).
We've deprecated the chunks storage in Cortex and Loki is forking it into their own repo (see grafana/loki#3842). I would suggest discussing this change with the Loki community as soon as grafana/loki#3842 is merged.
What this PR does:
In some Azure environments, sensitive information such as the Storage Account Key is not allowed in the application configuration file. Azure recommends using MSI to obtain the read and write permissions of the Storage Account.
Three config options are added to BlobStorageConfig.
MSIEnabled: whether to use msi to access the storage account
MSIResource: the Azure Management URI
ResourceGroupName: the resource group name which the target storage account belongs to
SubscriptionId: the subscription id where the current env belongs to
Imported two dependencies: azure-sdk-for-go and go-autorest
With the above changes, use a MSI authorizer to interact with the storage account and get its key. Then update this key into the original field. Thus I think we can achieve the goal with minimal cost.
Checklist
CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]
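As an added example (not code from this PR or from Cortex), the startup flow the description sketches, in Go: validate the MSI options, fetch the account key through an injected fetcher that stands in for the MSI authorizer and storage accounts client call chain, and write the result into the original key field so the blob client is untouched. The struct layout, the KeyFetcher type and ResolveKey are assumptions; the option names are the ones listed above.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// BlobStorageConfig is a hypothetical stand-in for the PR's struct: option names from the description, layout assumed.
type BlobStorageConfig struct {
	AccountKey        string // static key from the config file; with MSI it is filled at startup instead
	MSIEnabled        bool
	MSIResource       string // Azure management URI the MSI token is requested for
	ResourceGroupName string
	SubscriptionId    string
}

// KeyFetcher stands in for the MSI authorizer + storage accounts client call chain (no Azure SDK here).
type KeyFetcher func(ctx context.Context, cfg BlobStorageConfig) (string, error)

// Validate allows exactly one path: a static key, or MSI with every field the
// management API call needs and no key left in the config file.
func (c BlobStorageConfig) Validate() error {
	switch {
	case !c.MSIEnabled && c.AccountKey == "":
		return errors.New("azure: account key is required when MSI is disabled")
	case c.MSIEnabled && c.AccountKey != "":
		return errors.New("azure: account key must not be in config when MSI is enabled")
	case c.MSIEnabled && (c.MSIResource == "" || c.ResourceGroupName == "" || c.SubscriptionId == ""):
		return errors.New("azure: MSI needs MSIResource, ResourceGroupName and SubscriptionId")
	}
	return nil
}

// ResolveKey does what the PR describes: with MSI enabled, fetch the key at startup
// and write it into the original AccountKey field, so the rest of the client is unchanged.
func ResolveKey(ctx context.Context, cfg *BlobStorageConfig, fetch KeyFetcher) error {
	if err := cfg.Validate(); err != nil {
		return err
	}
	if !cfg.MSIEnabled {
		return nil // static key path, nothing to fetch
	}
	key, err := fetch(ctx, *cfg)
	if err != nil {
		return fmt.Errorf("azure: fetching account key via MSI: %w", err)
	}
	cfg.AccountKey = key
	return nil
}
```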