Add support for Azure AD Pod Identity / Manage Identity

[cnadolny]

Provide support to authenticate with aad-pod-identity, using User Assigned Managed Identity.

[tomkerkhove]

Checking how we should authenticate for our Azure Monitor integration: Azure/azure-libraries-for-net#960

[Mimetis]

Hello @tomkerkhove
I'm currently working on the Managed Identity integration within Promitor.

I have already done the job for the Promitor.Agents.Scraper and I'm currently working on the Promitor.Agents.ResourceDiscovery to have a complete integration.

Basically, integrating the managed identity will lead to have a new flag indicating if we are using, or not, the managed identity system.

IF user choose to use the managed identity, he will be able to use its own User Managed Identity (by provider the GUID) or instead uses the System Assigned Identity (affected by Pod Identity for instance)

Here is a small screenshot of using Managed Identity within Promitor using the Scraper only:

I guess I will submit a PR by the end of the week.
Let me know if you have any question, or suggestions !

[tomkerkhove]

Awesome, thanks a ton!

Can you share a bit of what it looks like in terms of configuration?

Ideally the server.yml is extended with an authentication section which contains mode: ManagedIdentity|ServicePrinciple. Is that the case?

Just out of curiosity, are you also willing to write a new walkthrough, similar to this one, on how to configure it end to end?

[Mimetis]

Hey @tomkerkhove

I will open the Pull Request really soon but the work is not done yet, I'm still working on the Resource Discovery project.
I will expand everything I did so far, with details and we can have a discussion there.

Looking at the mode: For now, I'm still using the environment variables with a flag that can be omit (or not, depending the discussion we will have soon :) )

Regarding the walkthrough, we can think about it later; of course ! (well... hum... my English is not as good as it should be ;))

[jcorioland]

@Mimetis @tomkerkhove happy to help on the walkthrough :-)

[tomkerkhove]

That would be awesome, thanks @jcorioland!

@Mimetis I'll take a look at your PR asap! Would you mind moving the configuration of the mode to the server YAML in the meantime please? Thanks!

[Mimetis]

@tomkerkhove Really depends if we need to have the mode somewhere actually.
Have a look to the PR, it's a discussion we should have :)

[tomkerkhove]

We're using configuration as code so think we should. I'm not a fan of automagic configuration but will check.

[tomkerkhove]

I'll create a tasklist for this feature:

• Implement feature (@Mimetis)
• Provide docs (@tomkerkhove)
• Provide changelog entry (@tomkerkhove)
• Move identity ID to configuration (@tomkerkhove)
• Code sweep (@tomkerkhove)
• Update Helm chart (@Mimetis)
• Provide walkthrough (@tomkerkhove @Mimetis)
• Deprecate legacy approach for identity id (@tomkerkhove)

Just out of curiosity @jcorioland, when will you have the bandwidth for this?

[jcorioland]

@tomkerkhove I am off next week, so probably not before the week after. I'll keep you posted.

[Mimetis]

@tomkerkhove, @jcorioland: I will start working on a walkthrough next week, probably with the help of @dupuyjs.

[tomkerkhove]

Awesome, thanks folks!