Loki: Add support for Azure Workload Identity authentication

[Tolsto]

What this PR does / why we need it:

Adds support for Azure Workload Identity authentication.

[CLAassistant]

All committers have signed the CLA.

[jkroepke]

Please validate, if it re-reads the token after a hour, since the token file is rotating each hour.

[kavirajk]

Thanks for PR @Tolsto. Added one minor feedback. Can you please add small test to check if adal.NewServicePrincipalTokenFromFederatedToken works correctly with this additional flag and configs?

[kavirajk]

Can you add AzurePublicCloud as part of the list of const Environments top of this file.

Also you could avoid else here.

		environmentName := azurePublicCloud

		if b.cfg.Environment != azureGlobal {
			environmentName = b.cfg.Environment
		}

looks more readable IMHO.

Q: Also curious what's the difference between AzureGlobal vs AzurePublicCloud environments?

[Tolsto]

I don't know where AzureGlobal is coming from but it doesn't exist in the Azure Go SDKs. It's AzurePublicCloud there, i.e. you cannot do an environment lookup via EnvironmentFromName with AzureGlobal

[jkroepke]

The workload identity webhook is exposing a authority host AZURE_AUTHORITY_HOST which is the env.ActiveDirectoryEndpoint. Consider to prefer the environment variable instead a own cloud env lookup

[Tolsto]

I thought about that but decided to go with the reference implementation outlined by the person who added the code to adal. I also looked at the new azidentity module where AZURE_AUTHORITY_HOST gets only used as a fallback option. It will only honor it if no cloud configuration has been set. However, the current implementation of Azure storage in Loki requires the cloud environment name to be set, i.e. adding fallback logic is imho futile.

[grafanabot]

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[jkroepke]

FYI: Workload Identity will be official supported jan 2023 - Azure/azure-sdk-for-go#15615

Edit:

ref: #5413 - why discontinued azure-storage-blob is used.

[Tolsto]

FYI: Workload Identity will be official supported jan 2023 - Azure/azure-sdk-for-go#15615

Doesn't help us much as Loki doesn't use azure-sdk-for-go for the Azure storage integration but the discontinued azure-storage-blob SDK.

[grafanabot]

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[Tolsto]

@kavirajk Anything missing for this PR to move forward?

[keisari-ch]

Would be a nice addition, because actual workaround using sidecar requires enabling privilege escalation.

[Tolsto]

ping @kavirajk

[jeschkies]

Unfortunately I don't know Azure well enough to accept this change. I does look good to me though.

[jeschkies]

Interesting. Are you using the suite to get a test setup code?

[Tolsto]

I use the suite to set up an isolated environment with mocks for testing the Azure federated token functionality. There might be other ways to do it, but I come from the Ruby/Rspec world, and using a suite was the most familiar approach for me.

[jeschkies]

Would Azure users understand what a federated token is? Do you have a link to the documentation?

[Tolsto]

I'd suppose so.

https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation

[jeschkies]

Could you add the second link in the documentation? I think that would be helpful.

Also, I know this is a big ask but could you provide documentation similar to https://grafana.com/docs/loki/next/storage/#aws-deployment-s3-single-store

[Tolsto]

I don't think that the second link is very helpful as it describes the federated token architecture in general. >90% of Loki users will use it with the reference implementation (Azure Workload Identity) in a Kubernetes cluster.
I'm willing to provide documentation if this PR can then get merged in the very near future.

[jeschkies]

Sounds good to me 😊

[jeschkies]

@Tolsto once you've fixed the merge conflicts we can land the change.