Closed
Description
Today, the notification-controller integration with the Azure Event Hub provider supports JWT tokens and SAS strings for authentication. Both existing approaches have drawbacks:
- A JWT token is valid only for one hour and has to be refreshed by the user, who must fetch a new token using Azure APIs and set it in a Kubernetes secret.
- SAS strings are not secure and cannot be used in production.
Because of these drawbacks, the proposal is to add support for Managed Identity for Azure Event Hub.
- The existing azure-event-hubs-go SDK used in notification-controller is outdated and does not support the azidentity APIs. The newer azeventhubs SDK is available with managed identity support.
- The existing authentication mechanisms (JWT and SAS) continue to work with the newer azeventhubs SDK.
- If a token is specified in the `.spec.secretRef` of the `Provider` object, use the ProducerClient of the SDK with a TokenCredential built from the JWT token.
- If the address contains a SAS connection string, as specified in the `.spec.secretRef` of the `Provider` object, use the ProducerClient of the SDK to connect using the SAS string.
- If neither a token nor a SAS connection string is detected, use managed identity.
To use notification-controller with workload identity:
- User would create a managed identity and grant it Azure Event Hub Sender role on the Azure Event Hub.
- User would create a federated credential to allow notification-controller pod running in the Kubernetes cluster to send events to Azure Event Hub.
- The deployments and service account for notification-controller would be updated to use workload identity.
- The `Provider` spec would no longer need a `.spec.secretRef`; it would reference the Azure Event Hub namespace and event hub name as shown below.
```yaml
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: azure
spec:
  address: <azure-event-hub-name>
  channel: <azure-event-hub-namespace>
  type: azureeventhub
```