-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Azure AD Workload Identity #54
Comments
Lets move this to objstore. I can get this done when I have time. Right now AKS workload identity is still in public preview, so it has not been high enough prio for me. This will most likely only require some docs changes and maybe some configuration changes, as we have already made the migration to the new SDK. |
@phillebaba the public preview part is the direct AKS integration via a cluster option, the Azure AD Workload Identity technology looks to be GA and has been recommended over Azure AD Pod Identity (which is now deprecated) for a relatively long time. Based on the implementations I've seen there is a code change required but it doesn't look to be too significant. |
Yes sorry what I mean was the AKS integration. So the deprecation of AAD Pod Identity has more been used a signal to the community that no new features will be accepted into the project. Especially because the same people working on that project are also working on the new solution. However security patches will still be provided for a longer time. The major reason we have not seen greater adoption of workload identities has been for the fact that it has not supported managed identities until recently. The reasons for this seemed to be due to technical limitations at the time in Azure. From my perspective there has been no point to switch until manage identity support was resolved which has just happened. I will try to get to this before the next release of Thanos. |
Thanks @phillebaba, that would be great. You're absolutely right that this hasn't worked until very recently (even more recently if you wanted to use Terraform). The reason I'm so keen to get it working now is that the current Azure AD Pod Identity solution causes significant friction due to various defects and this is the path for us to remove that whole component from our AKS clusters. |
Hi @phillebaba I am new to open source contribution and I would like to work on this issue. Can I go ahead and work on this ? |
I had a look at this just now, and honestly I am wondering if this is already working and all we need are some docs. I did the whole SDK upgrade during the summer for this reason. Has anyone actually tried to run Thanos with Azure Workload Identity in AKS? All required configuration is injected as environment variables to the Pod so the MSI configuration should just pick it up. I don't have time right now so if you want to you could maybe verify if it works @RagibAjmal and get back with the results. |
Sure I will work on it and get back with the results |
Hi @phillebaba , Please correct/guide me if I am wrong I tried to access my azure storage container from thanos store using
I can find the error is from objstore/providers/azure/azure.go so I tried to findout what happend by running in local the function
Here is what i get when i use in
Also, I am just going through the tutorials of workload Identity and I find that a webhook is inserting the clientID into the pod as a env var named here is the configuration using sa and webhooks in the pod
|
Sounds like the SDK is not picking up the AZURE_CLIENT_ID parameter by itself which is a shame. I need to look further into the SDK to figure out how it is expected to be configured. |
Ok so I have totally missed a detail in the SDK. Federated tokens are not supported out of the box in the latest Go SDK. It will be available in January hopefully. In the meantime I will implement the code snippet example to get support working. |
Hi @phillebaba Can I work on this |
Yeah sure, I would suggest you branch from #35 as it contains a couple of SDK changes caused by the upgrade. It would be great if you could verify that token renewal actually works, as it is not stated. If I remember correctly the token renews every hour. |
@phillebaba federated token gets updated once an hour, an access token - every 24h, so the end solution requires at least 25h of testing. |
@phillebaba @weisdd. Could you please help me with how can we test the application or how/where do you test the application. |
@RagibAjmal My approach is simple:
Even if you cannot afford to pay the cloud bills, there's a way for you to go forward. - While testing the token renewal process, you don't actually need to have a kubernetes cluster. You can write a comprehensive test suite with a test web server, whose responses would emulate token expiration, and you just have to make sure an updated federated token is sent over to your web server. In case of adal, it was enough to just make an explicit call to |
@phillebaba I've setup WI on my cluster with thanos now that it's GA. It doesn't seem to work:
I think the issue might be that neither DefaultAzureCredential nor FederatedCredential is created but rather the ManagedIdentityCredential is created directly, which is not a valid credential for workload identity. That credential signals the use of managed identity using the IMDS, instead of the federated token exchange endpoint used by workload identity. |
@rouke-broersma azidentity v1.3.0 was released two days ago, with official support for workload identity. As soon as I get some time over I will upgrade the package and test it. Unless someone else has time right now to do it. |
@phillebaba should I also open a new issue in thanos-io/objstore/ to track the work? |
@fpetkovski @GiedriusS could you move this issue to objstore? If that is not possible it would be better to create a new issue. |
Good idea, moved. |
@phillebaba @fpetkovski don't we need an issue in both repos? This repo needs an issue to track the actual work while the main Thanos repo needs an issue to track when Azure AD Workload Identity support has been added into Thanos. |
Any update on this? |
@phillebaba Any further updates on this? AAD Pod Identity is now end of life so we now have to use Thanos with the Azure Workload Identity Sidecar (which also won't be supported long-term). |
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
…Workload Identity resolves thanos-io#54
…Workload Identity resolves thanos-io#54
…Workload Identity resolves thanos-io#54
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
…Workload Identity resolves thanos-io#54
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
PR has been created here #82 to resolve this issue. Just need someone to review! |
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
…Workload Identity resolves thanos-io#54 Signed-off-by: Rikhil Shah <[email protected]>
Isn't this implemented with #82 now? |
Yeah i think this issue can be closed! It can be tested with 0.33.0-rc.0 already |
Is your proposal related to a problem?
The currently supported Azure AD Pod Identity is deprecated in favour of the new Azure AD Workload identity.
Describe the solution you'd like
I'd like Thanos to support Azure AD Workload Identity.
Describe alternatives you've considered
n/a
Additional context
The following 2 PRs are for adding this support to other projects and might help with the required changes.
The text was updated successfully, but these errors were encountered: