
Support Azure Workload Identity to authenticate the driver #1651

Closed
primeroz opened this issue Dec 9, 2022 · 6 comments · Fixed by #1843
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@primeroz

primeroz commented Dec 9, 2022

Is your feature request related to a problem?/Why is this needed
While testing AzureWorkloadIdentity I tried switching the azuredisk controller (and node) to it, but it does not seem supported.

Once I removed the AZURE_CREDENTIAL_FILE env and the volumes for it I get

kube-system                      csi-azuredisk-controller-6dc569d88f-p8hsx                  5/6     CrashLoopBackOff    4 (12s ago)   116s


csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk I1209 16:48:44.309484       1 azure_disk_utils.go:161] reading cloud config from secret kube-system/azure-cloud-provider
csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk I1209 16:48:44.322809       1 azure_disk_utils.go:168] InitializeCloudFromSecret: failed to get cloud config from secret kube-system/azure-cloud-provider: failed to get secret kube-system/azure-cloud-provider: secrets "azure-cloud-provider" not found
csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk I1209 16:48:44.322828       1 azure_disk_utils.go:173] could not read cloud config from secret kube-system/azure-cloud-provider
csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk I1209 16:48:44.322837       1 azure_disk_utils.go:183] use default AZURE_CREDENTIAL_FILE env var: /etc/kubernetes/azure.json
csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk W1209 16:48:44.322865       1 azure_disk_utils.go:188] load azure config from file(/etc/kubernetes/azure.json) failed with open /etc/kubernetes/azure.json: no such file or directory
csi-azuredisk-controller-6dc569d88f-p8hsx azuredisk F1209 16:48:44.322882       1 azuredisk.go:176] failed to get Azure Cloud Provider, error: no cloud config provided, error: failed to get secret kube-system/azure-cloud-provider: secrets "azure-cloud-provider" not found


Describe the solution you'd like in detail
Support authenticating the csi controller and the csi node using azure workload identity so I can have them use a restricted identity

Describe alternatives you've considered
Keep using the VM Identity UserAssigned

Additional context

@abutcher

abutcher commented Dec 14, 2022

Similar to kubernetes-sigs/azurefile-csi-driver#1138, OpenShift is seeking support for Azure Workload Identity in azuredisk-csi-driver.

cc @andyzhangx

@cvvz
Member

cvvz commented Feb 23, 2023

Hi @primeroz @abutcher, we recently filed a PR (kubernetes-sigs/azurefile-csi-driver#1193) to support workload identity in the Azurefile CSI driver; could you please kindly take a look at it, especially the document, and make sure it satisfies your need? If so, we will soon support it in the Azuredisk CSI driver, thanks!

@abutcher

abutcher commented Mar 1, 2023

@cvvz I took a look at the changes and I think they will satisfy our need. Added a comment about how we pass credentials to the azurefile deployment using env vars and if I understand the changes correctly I believe we can set AZURE_FEDERATED_TOKEN_FILE / AZURE_TENANT_ID on our deployment to use workload identity instead of a service principal.
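The env-var based setup described above (AZURE_FEDERATED_TOKEN_FILE / AZURE_TENANT_ID on the deployment) is easiest to operate when a pod can state which credential source it actually picked and why the others were skipped, which is exactly what the crash loop in the first comment does not tell you. The Go below is an added example, not code from azuredisk-csi-driver or from anyone in this thread: it resolves the credential source in an assumed precedence (all workload identity variables set and the token file present, then AZURE_CREDENTIAL_FILE, then nothing), and sanity-checks a projected service account token's audience and expiry before it would be handed to a token exchange. AZURE_CLIENT_ID as the third variable, the audience api://AzureADTokenExchange, the projected token path, the precedence itself and every sample value are assumptions or constructed for the demo; the token it builds is unsigned and exists only so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID and AZURE_CREDENTIAL_FILE appear in the thread;
// AZURE_CLIENT_ID and the audience are assumed from how Azure Workload Identity projects tokens.
const (
	envClientID      = "AZURE_CLIENT_ID"
	envTenantID      = "AZURE_TENANT_ID"
	envTokenFile     = "AZURE_FEDERATED_TOKEN_FILE"
	envCredFile      = "AZURE_CREDENTIAL_FILE"
	ExpectedAudience = "api://AzureADTokenExchange"
)

// Credential sources, in the precedence assumed here (not the driver's own code).
const ModeWorkloadIdentity, ModeCredentialFile, ModeNone = "workload-identity", "credential-file", "none"

// ResolveAuthMode picks workload identity when all three variables are set and the token
// file exists, else AZURE_CREDENTIAL_FILE, else nothing; skipped sources are reported.
func ResolveAuthMode(getenv func(string) string, fileExists func(string) bool) (string, []string) {
	var problems []string
	tokenFile := getenv(envTokenFile)
	complete := getenv(envClientID) != "" && getenv(envTenantID) != "" && tokenFile != ""
	switch {
	case complete && fileExists(tokenFile):
		return ModeWorkloadIdentity, nil
	case complete:
		problems = append(problems, envTokenFile+"="+tokenFile+" is set but missing (projected volume not mounted?)")
	case tokenFile != "" || getenv(envClientID) != "" || getenv(envTenantID) != "":
		problems = append(problems, "workload identity partially configured: need "+envClientID+", "+envTenantID+", "+envTokenFile)
	}
	if cred := getenv(envCredFile); cred != "" {
		if fileExists(cred) {
			return ModeCredentialFile, problems
		}
		problems = append(problems, envCredFile+"="+cred+" does not exist")
	}
	return ModeNone, problems
}

// CheckToken parses a JWT payload without verifying the signature (the token exchange
// endpoint does that) and rejects a token with the wrong audience or one already expired.
func CheckToken(token string, now time.Time) error {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decoding payload: %w", err)
	}
	var c struct {
		Aud json.RawMessage `json:"aud"` // a single string or an array of strings
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	var auds, one = []string(nil), ""
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if err := json.Unmarshal(c.Aud, &auds); err != nil {
		return fmt.Errorf("parsing aud: %w", err)
	}
	found := false
	for _, a := range auds {
		found = found || a == ExpectedAudience
	}
	if !found {
		return fmt.Errorf("audience %v does not include %s", auds, ExpectedAudience)
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	return nil
}

// NewUnsignedToken builds a constructed alg "none" JWT for offline demos and tests only.
func NewUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "."
}

func main() {
	const tokenPath = "/var/run/secrets/azure/tokens/azure-identity-token" // assumed projected path
	env := map[string]string{envClientID: "00000000-0000-0000-0000-000000000000", envTenantID: "00000000-0000-0000-0000-000000000000", envTokenFile: tokenPath} // constructed
	mode, problems := ResolveAuthMode(func(k string) string { return env[k] }, func(p string) bool { return p == tokenPath })
	fmt.Println("auth mode:", mode, problems)
	tok := NewUnsignedToken(map[string]any{"sub": "system:serviceaccount:kube-system:csi-azuredisk-controller-sa", "aud": ExpectedAudience, "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println("token check:", CheckToken(tok, time.Now()))
}
```

Running it prints the resolved mode and a nil token check. In a real pod the same checks would be run against the file named by AZURE_FEDERATED_TOKEN_FILE; a clean result only means the configuration is consistent, since the signature is verified by the token exchange endpoint, not here.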

@abutcher

abutcher commented Mar 1, 2023

@cvvz I noticed that the changes rely on ADAL implementation which is end of life. Are there plans to migrate the backend lib to azidentity, do you know?

@RomanBednar
Contributor

@abutcher According to this article the azidentity package is no longer in preview mode. The current implementation in Azure file uses ADAL: kubernetes-sigs/azurefile-csi-driver#1138

@cvvz @andyzhangx Can we expect a transition to the new SDK any time soon? And if the transition happens, can we expect any behavior changes?

@andyzhangx added the kind/feature label on Apr 26, 2023
@andyzhangx
Member

@abutcher According to this article the azidentity package is no longer in preview mode. The current implementation in Azure file uses ADAL: kubernetes-sigs/azurefile-csi-driver#1138

@cvvz @andyzhangx Can we expect a transition to the new SDK any time soon? And if the transition happens, can we expect any behavior changes?

@RomanBednar we have just completed the workload identity support for the azure file driver, and @cvvz will work on the azure disk driver next. Transition to the new SDK would require quite a few months, so we will use the adal lib first. And we don't expect behavior changes even after we have migrated to the new SDK.
