Add support for Azure AD Workload Identity.

[YvesZelros]

Description

Add support for Azure AD Workload Identity.
https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview

Replace low level Azure mod autorest that is deprecated by more higth level Azure Api
https://github.com/Azure/go-autorest/blob/autorest/azure/auth/v0.5.12/README.md

Replace old PR:

• feat: add azure ad workload identity support #425

Fixes:

• [Feature] Upgrade Azure SDK for GO, support Azure Workload Identity  #421
• Use of Azure Managed Identity for reading secrets from Azure Key Vault #539

Checklist

Please make sure that your PR fulfills the following requirements:

• Reviewed the guidelines for contributing to this repository
• The commit message follows the Conventional Commits Guidelines.
• Tests for the changes have been updated
• Are you adding dependencies? If so, please run go mod tidy -compat=1.17 to ensure only the minimum is pulled in.
• Docs have been added / updated
• Optional. My organization is added to USERS.md.

Type of Change

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• New tests
• Build/CI related changes
• Documentation content changes
• Other (please describe)

Other information

Update Go from 17 to 18 because new tests required Go 18 as Azure function use generic

[YvesZelros]

@werne2j It's possible to re-run Workflows.
I have fix the test that was fail and the linux go image sha1.
Thx

[YvesZelros]

@jkayani Can you run the ci please, thanks

[codecov-commenter]

Codecov Report

Merging #548 (fd625b2) into main (77b07b1) will increase coverage by 0.41%.
The diff coverage is 88.63%.

@@            Coverage Diff             @@
##             main     #548      +/-   ##
==========================================
+ Coverage   71.29%   71.71%   +0.41%     
==========================================
  Files          26       26              
  Lines        1951     1962      +11     
==========================================
+ Hits         1391     1407      +16     
+ Misses        460      458       -2     
+ Partials      100       97       -3     

Files Changed	Coverage Δ
pkg/backends/azurekeyvault.go	92.00% <88.09%> (+14.58%)	⬆️
pkg/config/config.go	83.06% <100.00%> (-1.34%)	⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[YvesZelros]

@werne2j @jkayani
Please review this change when you have some time.
On my side I test this change on our Aks cluster.

• Authentification with AZURE_CLIENT_SECRET continu to be supported
• Azure managed identity is now supported

[YvesZelros]

@werne2j Can you look on please.

[Stolz]

Also interested in this getting merged

[lukipro]

Please merge this life saving PR :)

[Stolz]

@YvesZelros would it be possible for you to release the binary from your fork?

[werne2j]

Will look to get this merged for the next release. @YvesZelros can you rebase the branch? I can then kick off the CI and do a review

[YvesZelros]

Will look to get this merged for the next release. @YvesZelros can you rebase the branch? I can then kick off the CI and do a review

@werne2j Rebase is done

[YvesZelros]

@YvesZelros would it be possible for you to release the binary from your fork?

@Stolz

We have push temporary a amd64 binary on our Github, you can test it WITHOUT any guaranty ;-)

We plan to remove this binary soon as this this PR will be merged !

curl -L https://github.com/zelros/argocd-vault-plugin/raw/azure_workload_identity_linux_amd64_beta_v3/argocd-vault-plugin -o /custom-tools/argocd-vault-plugin 

[werne2j]

@YvesZelros this is backwards compatible? Still works with client and tenant Id as before?

[YvesZelros]

@YvesZelros this is backwards compatible? Still works with client and tenant Id as before?

@werne2j

Yes, the Azure SDK method NewDefaultAzureCredential that I use is described here

As documented on Azure it support these types of auth =>

Option 1: Define environment variables (as the pervious version of this plugin)

• Service principal with a secret (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET)
• Service principal with certificate (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_CERTIFICATE_PATH)
• Username and password (AZURE_CLIENT_ID, AZURE_USERNAME, AZURE_PASSWORD)

Option 2: 🥇🥇 Use Workload Identity

• Enables pods in a Kubernetes cluster to use a Kubernetes identity (service account)
  Based on the Kubernetes service account, Azure will automatically inject env variables =>

  • AZURE_TENANT_ID=xxx

  • AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token

  • AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/

  • AZURE_CLIENT_ID=yyyy

  • And mount a secret token on /var/run/secrets/azure/tokens/azure-identity-token that have a limited validity and is automatically rotated by Azure.

Option 3: Use a managed identity

As resume, yes AZURE_CLIENT_SECRET still work but using Azure AD Workload Identity is a better way for service authentification in Azure.

[YvesZelros]

@werne2j Any chance to merge it in 2024 ;-) ?

[Eneuman]

This really needs to be merged. Todays code is using the deprecated (Since June 30, 2023) ADAL lib that does not recive any more security updates.

[SylwiaBrant]

Hello. When can we expect this to be released?

[werne2j]

Will try to get it released soon

[singh-balraj]

Hello @werne2j Any tentative date for release?

[arunalakmal]

When can we expect this to be released?

[yyvess]

@werne2j Can you communicate about AgroCd plan related to this project #618 ?

[Eneuman]

@werne2j Any news? We really need a new release.

[jserpapinto]

Is there any documentation on how to implement this? Thanks

[yyvess]

@jserpapinto
You need to read Azure documentation https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash