Skip to content

feat: add azure auth workload_identity #7998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
simonpasquier merged 10 commits into from
Jan 7, 2026
Merged

feat: add azure auth workload_identity #7998

simonpasquier merged 10 commits into from
Jan 7, 2026

Conversation

@heliapb
Copy link
Member

@heliapb heliapb commented Oct 8, 2025

Description

Add support for workload_identity in azure auth, as part of the new prometheus version 3.7
prometheus/prometheus#16788

Type of change

What type of changes does your code introduce to the Prometheus operator? Put an x in the box that apply.

  • CHANGE (fix or feature that would cause existing functionality to not work as expected)
  • FEATURE (non-breaking change which adds functionality)
  • BUGFIX (non-breaking change which fixes an issue)
  • ENHANCEMENT (non-breaking change which improves existing functionality)
  • NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Verification

Please check the Prometheus-Operator testing guidelines for recommendations about automated tests.

Changelog entry

Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.

@heliapb heliapb requested a review from a team as a code owner October 8, 2025 10:38
@simonpasquier
Copy link
Contributor

simonpasquier commented Oct 8, 2025

Hmm the new options are for remote write configurations not scrape configurations?

@heliapb heliapb force-pushed the feat/azure_workloadidentity branch from 95eb44b to 1b66005 Compare October 8, 2025 12:53
simonpasquier
simonpasquier reviewed Oct 8, 2025
View reviewed changes
@simonpasquier
Copy link
Contributor

simonpasquier commented Oct 8, 2025

#7815 (comment) also applies here.

@heliapb heliapb requested a review from simonpasquier October 8, 2025 19:38
simonpasquier
simonpasquier reviewed Oct 10, 2025
View reviewed changes
@heliapb heliapb requested a review from simonpasquier October 10, 2025 11:47
@heliapb heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from c3e6bce to 54ebcc7 Compare October 15, 2025 15:55
@heliapb heliapb force-pushed the feat/azure_workloadidentity branch from 54ebcc7 to ce50e53 Compare October 26, 2025 17:27
@heliapb heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from 3d634c1 to 9f26e0e Compare November 5, 2025 12:53
@heliapb heliapb mentioned this pull request Dec 9, 2025
Closed
5 tasks
@heliapb heliapb force-pushed the feat/azure_workloadidentity branch 2 times, most recently from 03cf7c6 to 0c8dc81 Compare December 9, 2025 22:50
simonpasquier
simonpasquier reviewed Dec 15, 2025
View reviewed changes
@simonpasquier
Copy link
Contributor

simonpasquier commented Dec 16, 2025

We also need to implement the feature in the ThanosRuler controller.

@heliapb heliapb force-pushed the feat/azure_workloadidentity branch from 9f9b712 to 202f4b9 Compare January 5, 2026 22:09
simonpasquier
simonpasquier reviewed Jan 6, 2026
View reviewed changes
pkg/prometheus/operator.go
if spec.AzureAD.ManagedIdentity == nil && spec.AzureAD.OAuth == nil && spec.AzureAD.SDK == nil {
return fmt.Errorf("must provide Azure Managed Identity or Azure OAuth or Azure SDK in the Azure AD config")
if spec.AzureAD.ManagedIdentity == nil && spec.AzureAD.OAuth == nil && spec.AzureAD.SDK == nil && spec.AzureAD.WorkloadIdentity == nil {
return fmt.Errorf("must provide Azure Managed Identity, Azure OAuth, Azure SDK, or Azure Workload Identity in the Azure AD config")
Copy link
Contributor

@simonpasquier simonpasquier Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could become a CEL expression (as a follow-up).

Copy link
Member Author

@heliapb heliapb Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok then, just to clarify, to open a follow up pr with the cel validations then?

Copy link
Contributor

@simonpasquier simonpasquier Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

Copy link
Member Author

@heliapb heliapb Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it, will work on this as follow up

@heliapb heliapb force-pushed the feat/azure_workloadidentity branch from d678b82 to 79907f3 Compare January 6, 2026 22:20
@heliapb heliapb requested a review from simonpasquier January 6, 2026 22:39
simonpasquier
simonpasquier reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

@simonpasquier simonpasquier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but the tests need to be fixed.

@heliapb heliapb requested a review from simonpasquier January 7, 2026 10:02
heliapb added 6 commits January 7, 2026 10:22
@heliapb
feat: checks
bfa2ca7 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb
feat: tests
ad4a92b 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb
feat: tests thanos
21e1251 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb
fix: comments
95e7945 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb
fix: comments
fe56178 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb
fix: tests
e9c0e32 
Signed-off-by: Hélia Barroso <[email protected]>
@heliapb heliapb force-pushed the feat/azure_workloadidentity branch from 1ed4736 to e9c0e32 Compare January 7, 2026 10:22
@simonpasquier simonpasquier enabled auto-merge (squash) January 7, 2026 10:25
@simonpasquier simonpasquier merged commit 327d864 into prometheus-operator:main Jan 7, 2026
22 checks passed
@heliapb heliapb deleted the feat/azure_workloadidentity branch January 7, 2026 11:37
This was referenced Jan 7, 2026
Merged
Closed
@simonpasquier simonpasquier mentioned this pull request Jan 9, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonpasquier simonpasquier simonpasquier approved these changes

Assignees

No one assigned

Labels

size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@heliapb @simonpasquier