Merge pull request #6595 from slashpai/azure-sd

feat: support SDK auth in AzureSD
prometheus-operator · May 16, 2024 · f4b82d7 · f4b82d7
2 parents 889f4e8 + d24ff5b
commit f4b82d7
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 10 deletions.
diff --git a/Documentation/api.md b/Documentation/api.md
diff --git a/bundle.yaml b/bundle.yaml
diff --git a/example/prometheus-operator-crd-full/monitoring.coreos.com_scrapeconfigs.yaml b/example/prometheus-operator-crd-full/monitoring.coreos.com_scrapeconfigs.yaml
diff --git a/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml b/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
diff --git a/jsonnet/prometheus-operator/scrapeconfigs-crd.json b/jsonnet/prometheus-operator/scrapeconfigs-crd.json
@@ -488,10 +488,11 @@
                       "description": "AzureSDConfig allow retrieving scrape targets from Azure VMs.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#azure_sd_config",
                       "properties": {
                         "authenticationMethod": {
-                          "description": "# The authentication method, either OAuth or ManagedIdentity.\nSee https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview",
+                          "description": "# The authentication method, either `OAuth` or `ManagedIdentity` or `SDK`.\nSee https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview\nSDK authentication method uses environment variables by default.\nSee https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication",
                           "enum": [
                             "OAuth",
-                            "ManagedIdentity"
+                            "ManagedIdentity",
+                            "SDK"
                           ],
                           "type": "string"
                         },

diff --git a/pkg/apis/monitoring/v1alpha1/scrapeconfig_types.go b/pkg/apis/monitoring/v1alpha1/scrapeconfig_types.go
@@ -516,9 +516,11 @@ type AzureSDConfig struct {
 	// The Azure environment.
 	// +optional
 	Environment *string `json:"environment,omitempty"`
-	// # The authentication method, either OAuth or ManagedIdentity.
+	// # The authentication method, either `OAuth` or `ManagedIdentity` or `SDK`.
 	// See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
-	// +kubebuilder:validation:Enum=OAuth;ManagedIdentity
+	// SDK authentication method uses environment variables by default.
+	// See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication
+	// +kubebuilder:validation:Enum=OAuth;ManagedIdentity;SDK
 	// +optional
 	AuthenticationMethod *string `json:"authenticationMethod,omitempty"`
 	// The subscription ID. Always required.

diff --git a/pkg/prometheus/resource_selector.go b/pkg/prometheus/resource_selector.go
@@ -1034,9 +1034,20 @@ func (rs *ResourceSelector) validateEC2SDConfigs(ctx context.Context, sc *monito
 }
 
 func (rs *ResourceSelector) validateAzureSDConfigs(ctx context.Context, sc *monitoringv1alpha1.ScrapeConfig) error {
+	promVersion := operator.StringValOrDefault(rs.p.GetCommonPrometheusFields().Version, operator.DefaultPrometheusVersion)
+	version, err := semver.ParseTolerant(promVersion)
+	if err != nil {
+		return fmt.Errorf("failed to parse Prometheus version: %w", err)
+	}
+
 	for i, config := range sc.Spec.AzureSDConfigs {
+		authMethod := ptr.Deref(config.AuthenticationMethod, "")
+		if authMethod == "SDK" && !version.GTE(semver.MustParse("2.52.0")) {
+			return fmt.Errorf("[%d]: SDK authentication is only supported from Prometheus version 2.52.0", i)
+		}
+
 		// Since Prometheus uses default authentication method as "OAuth"
-		if ptr.Deref(config.AuthenticationMethod, "") == "ManagedIdentity" {
+		if authMethod == "ManagedIdentity" || authMethod == "SDK" {
 			continue
 		}
 

diff --git a/pkg/prometheus/resource_selector_test.go b/pkg/prometheus/resource_selector_test.go
@@ -1331,6 +1331,7 @@ func TestSelectScrapeConfigs(t *testing.T) {
 		scenario    string
 		updateSpec  func(*monitoringv1alpha1.ScrapeConfigSpec)
 		selected    bool
+		promVersion string
 		scrapeClass *string
 	}{
 		{
@@ -2194,6 +2195,30 @@ func TestSelectScrapeConfigs(t *testing.T) {
 			},
 			selected: true,
 		},
+		{
+			scenario: "Azure SD config without options provided for SDK authentication method",
+			updateSpec: func(sc *monitoringv1alpha1.ScrapeConfigSpec) {
+				sc.AzureSDConfigs = []monitoringv1alpha1.AzureSDConfig{
+					{
+						AuthenticationMethod: ptr.To("SDK"),
+					},
+				}
+			},
+			promVersion: "2.52.0",
+			selected:    true,
+		},
+		{
+			scenario: "Azure SD config with SDK authentication method but unsupported prometheus version",
+			updateSpec: func(sc *monitoringv1alpha1.ScrapeConfigSpec) {
+				sc.AzureSDConfigs = []monitoringv1alpha1.AzureSDConfig{
+					{
+						AuthenticationMethod: ptr.To("SDK"),
+					},
+				}
+			},
+			promVersion: "2.51.0",
+			selected:    false,
+		},
 		{
 			scenario: "OpenStack SD config with valid secret ref",
 			updateSpec: func(sc *monitoringv1alpha1.ScrapeConfigSpec) {
@@ -2925,6 +2950,7 @@ func TestSelectScrapeConfigs(t *testing.T) {
 					},
 					Spec: monitoringv1.PrometheusSpec{
 						CommonPrometheusFields: monitoringv1.CommonPrometheusFields{
+							Version: tc.promVersion,
 							ScrapeClasses: []monitoringv1.ScrapeClass{
 								{
 									Name: "existent",