[Feature] Upgrade Azure SDK for GO, support Azure Workload Identity #421

Closed
jeffpuckett opened this issue Oct 29, 2022 · 6 comments

@jeffpuckett

Is your feature request related to a problem? Please describe.
Request to update the Azure SDK for Go version to v7.0. This will require a change in how the SDK is used.

My underlying request: Microsoft has a new option to authenticate with Azure resources. https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview To use the new authentication method, the Azure SDK For Go should be updated. Example implementation is here: https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go

(By implementing this, one would not need to store a client secret, token, or username/password in the cluster to authenticate with the vault resource. Which would be awesome.)

Describe the solution you'd like
Ways this could be implemented:

  • upgrading the library wholesale
  • using the AVP_AUTH_TYPE environment variable to support "workloadidentity" or something like that as a way to say use the new SDK and API

Describe alternatives you've considered
No alternates yet, although I do hope to clone the repo and implement soon.

Additional context
Add any other context or screenshots about the feature request here.

@jserpapinto

We too have this problem. We want to have workload identity on the plugin sidecar container and we couldn't do it.

I think the AVP_AUTH_TYPE could still be azurekeyvault, but if the plugin doesn't find an AZURE_CLIENT_ID env var, it should expect that the identity is being managed at an external level.

Looking forward to seeing this integrated into the plugin!

@avdicl

avdicl commented Feb 13, 2023

+1

@werne2j added the "feature request" and "help wanted" (Extra attention is needed) labels Mar 27, 2023
@asahnovskiy-deloitte

+1

@YvesZelros
Contributor

YvesZelros commented Aug 31, 2023

Should work without any code change once the azure-identity library is updated to 1.9.2
https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md

Then =>

Use existing type:
AVP_TYPE: azurekeyvault

On the service account argocd-repo-server, add the azure application client id

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: <azure application client id>
  name: argocd-repo-server

On the deployment argocd-repo-server, add the pod label

azure.workload.identity/use: "true"

Then the following variables should be automatically injected on the argocd-repo-server pod

AZURE_CLIENT_ID=...
AZURE_TENANT_ID=...
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
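
Added example, not part of the comment above and not argocd-vault-plugin's own code: a standard-library Go sketch of the token request a workload-identity client builds from the four injected variables, showing that the projected service account token is sent as a `client_assertion` and no client secret is involved. `BuildTokenRequest`, the sample values in `main` and the Key Vault scope `https://vault.azure.net/.default` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// BuildTokenRequest (hypothetical helper) returns the token endpoint and form body
// for a client-credentials grant that sends the projected token, not a client secret.
func BuildTokenRequest(getenv func(string) string, scope string) (string, url.Values, error) {
	env := map[string]string{}
	for _, k := range []string{"AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_AUTHORITY_HOST", "AZURE_FEDERATED_TOKEN_FILE"} {
		if env[k] = getenv(k); env[k] == "" {
			return "", nil, fmt.Errorf("workload identity not injected: %s is unset", k)
		}
	}
	host, err := url.Parse(env["AZURE_AUTHORITY_HOST"])
	if err != nil || host.Scheme != "https" || host.Host == "" {
		return "", nil, errors.New("AZURE_AUTHORITY_HOST must be an https URL")
	}
	raw, err := os.ReadFile(env["AZURE_FEDERATED_TOKEN_FILE"]) // read per call: the kubelet rotates it
	if err != nil {
		return "", nil, fmt.Errorf("reading federated token: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if strings.Count(token, ".") != 2 {
		return "", nil, errors.New("federated token file does not hold a compact JWT")
	}
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {env["AZURE_CLIENT_ID"]},
		"scope":                 {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {token},
	}
	return strings.TrimRight(host.String(), "/") + "/" + url.PathEscape(env["AZURE_TENANT_ID"]) + "/oauth2/v2.0/token", form, nil
}

func main() {
	tok := os.TempDir() + "/sample-token" // constructed sample input, not a real token
	os.WriteFile(tok, []byte("aGVhZGVy.cGF5bG9hZA.c2ln\n"), 0o600)
	defer os.Remove(tok)
	env := map[string]string{"AZURE_CLIENT_ID": "sample-client-id", "AZURE_TENANT_ID": "sample-tenant-id",
		"AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com/", "AZURE_FEDERATED_TOKEN_FILE": tok}
	endpoint, form, err := BuildTokenRequest(func(k string) string { return env[k] }, "https://vault.azure.net/.default")
	fmt.Println(endpoint, form.Get("client_assertion_type"), err)
}
```

Inside the argocd-repo-server pod, passing `os.Getenv` as the first argument makes the same function a quick check that the webhook injected the variables and the token file is readable.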

@YvesZelros
Contributor

YvesZelros commented Aug 31, 2023

> Should work without any code change once the azure-identity library is updated to 1.9.2 https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md

Sorry that was wrong ....

Actually argocd-vault-plugin uses the mod autorest/azure/auth that is out of support by March 31, 2023 ...

This mod should be replaced by https://github.com/Azure/azure-sdk-for-go/tree/sdk/security/keyvault/azkeys/v1.0.1/sdk/security/keyvault/azkeys/

And use the function NewDefaultAzureCredential that supports Azure Workload Identity

YvesZelros added a commit to zelros/argocd-vault-plugin that referenced this issue Aug 31, 2023
werne2j pushed a commit that referenced this issue Jan 17, 2024
Signed-off-by: Yves Galante <yves.galante@zelros.com>
kyu1204 pushed a commit to kyu1204/argocd-vault-plugin that referenced this issue Feb 20, 2024
Signed-off-by: Yves Galante <yves.galante@zelros.com>
@werne2j
Member

werne2j commented May 28, 2024

@werne2j werne2j closed this as completed May 28, 2024