fluxcd
diff --git a/‎docs/spec/v1beta3/providers.md‎
Lines changed: 75 additions & 45 deletions b/‎docs/spec/v1beta3/providers.md‎
Lines changed: 75 additions & 45 deletions
diff --git a/‎go.mod‎
Lines changed: 3 additions & 16 deletions b/‎go.mod‎
Lines changed: 3 additions & 16 deletions
@@ -1463,9 +1463,9 @@ jobs:
 The Azure Event Hub provider supports the following authentication methods, 
 - [Managed
   Identity](https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity)
-- [JWT](https://docs.microsoft.com/en-us/azure/event-hubs/authenticate-application)
 - [SAS](https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature)
   based.
+- [JWT](https://docs.microsoft.com/en-us/azure/event-hubs/authenticate-application) (Deprecated)
 
 #### Managed Identity
 
@@ -1511,15 +1511,9 @@ for the client-id and tenant-id of the managed identity.
 For a complete guide on how to set up authentication for an Azure Event Hub,
 see the integration [docs](/flux/integrations/azure/).
 
-#### JWT based auth
-
-In JWT we use 3 input values. Channel, token and address. We perform the
-following translation to match we the data we need to communicate with Azure
-Event Hub.
+#### SAS based auth
 
-- channel = Azure Event Hub namespace
-- address = Azure Event Hub name 
-- token   = JWT
+When using SAS auth, we only use the `address` field in the secret.
 
 ```yaml
 ---
@@ -1530,47 +1524,44 @@ metadata:
   namespace: default
 spec:
   type: azureeventhub
-  address: <event-hub-name>
-  channel: <event-hub-namespace>
   secretRef:
-    name: azure-token
+    name: azure-webhook
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: azure-token
+  name: azure-webhook
   namespace: default
 stringData:
-  token: <event-hub-token>
+  address: <SAS-URL>
 ```
 
-The controller doesn't take any responsibility for the JWT token to be updated.
-You need to use a secondary tool to make sure that the token in the secret is
-renewed.
-
-If you want to make a easy test assuming that you have setup a Azure Enterprise
-application and you called it event-hub you can follow most of the bellow
-commands. You will need to provide the `client_secret` that you got when
-generating the Azure Enterprise Application.
+Assuming that you have created the Azure event hub and namespace you should be
+able to use a similar command to get your connection string. This will give you
+the default Root SAS, which is NOT supposed to be used in production.
 
 ```shell
-export AZURE_CLIENT=$(az ad app list --filter "startswith(displayName,'event-hub')" --query '[].appId' |jq -r '.[0]')
-export AZURE_SECRET='secret-client-secret-generated-at-creation'
-export AZURE_TENANT=$(az account show -o tsv --query tenantId)
-
-curl -X GET --data 'grant_type=client_credentials' --data "client_id=$AZURE_CLIENT" --data "client_secret=$AZURE_SECRET" --data 'resource=https://eventhubs.azure.net' -H 'Content-Type: application/x-www-form-urlencoded' https://login.microsoftonline.com/$AZURE_TENANT/oauth2/token |jq .access_token
+az eventhubs namespace authorization-rule keys list --resource-group <rg-name> --namespace-name <namespace-name> --name RootManageSharedAccessKey -o tsv --query primaryConnectionString
+# The output should look something like this:
+Endpoint=sb://fluxv2.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=yoursaskeygeneatedbyazure;EntityPath=youreventhub
 ```
 
-Use the output you got from `curl` and add it to your secret like bellow:
+To create the needed secret:
 
 ```shell
-kubectl create secret generic azure-token \
---from-literal=token='A-valid-JWT-token'
+kubectl create secret generic azure-webhook \
+--from-literal=address="Endpoint=sb://fluxv2.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=yoursaskeygeneatedbyazure"
 ```
 
-#### SAS based auth
+#### JWT based auth (Deprecated)
 
-When using SAS auth, we only use the `address` field in the secret.
+In JWT we use 3 input values. Channel, token and address. We perform the
+following translation to match we the data we need to communicate with Azure
+Event Hub.
+
+- channel = Azure Event Hub namespace
+- address = Azure Event Hub name 
+- token   = JWT
 
 ```yaml
 ---
@@ -1581,33 +1572,42 @@ metadata:
   namespace: default
 spec:
   type: azureeventhub
+  address: <event-hub-name>
+  channel: <event-hub-namespace>
   secretRef:
-    name: azure-webhook
+    name: azure-token
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: azure-webhook
+  name: azure-token
   namespace: default
 stringData:
-  address: <SAS-URL>
+  token: <event-hub-token>
 ```
 
-Assuming that you have created the Azure event hub and namespace you should be
-able to use a similar command to get your connection string. This will give you
-the default Root SAS, which is NOT supposed to be used in production.
+The controller doesn't take any responsibility for the JWT token to be updated.
+You need to use a secondary tool to make sure that the token in the secret is
+renewed.
+
+If you want to make a easy test assuming that you have setup a Azure Enterprise
+application and you called it event-hub you can follow most of the bellow
+commands. You will need to provide the `client_secret` that you got when
+generating the Azure Enterprise Application.
 
 ```shell
-az eventhubs namespace authorization-rule keys list --resource-group <rg-name> --namespace-name <namespace-name> --name RootManageSharedAccessKey -o tsv --query primaryConnectionString
-# The output should look something like this:
-Endpoint=sb://fluxv2.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=yoursaskeygeneatedbyazure
+export AZURE_CLIENT=$(az ad app list --filter "startswith(displayName,'event-hub')" --query '[].appId' |jq -r '.[0]')
+export AZURE_SECRET='secret-client-secret-generated-at-creation'
+export AZURE_TENANT=$(az account show -o tsv --query tenantId)
+
+curl -X GET --data 'grant_type=client_credentials' --data "client_id=$AZURE_CLIENT" --data "client_secret=$AZURE_SECRET" --data 'resource=https://eventhubs.azure.net' -H 'Content-Type: application/x-www-form-urlencoded' https://login.microsoftonline.com/$AZURE_TENANT/oauth2/token |jq .access_token
 ```
 
-To create the needed secret:
+Use the output you got from `curl` and add it to your secret like bellow:
 
 ```shell
-kubectl create secret generic azure-webhook \
---from-literal=address="Endpoint=sb://fluxv2.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=yoursaskeygeneatedbyazure"
+kubectl create secret generic azure-token \
+--from-literal=token='A-valid-JWT-token'
 ```
 
 ### Git Commit Status Updates
@@ -1753,7 +1753,37 @@ the repository specified in `.spec.address`.
 
 #### Azure DevOps
 
-When `.spec.type` is set to `azuredevops`, the referenced secret must contain a key called `token` with the value set to a
+The following authentication methods can be used when `.spec.type` is set to
+`azuredevops`. 
+
+- [Managed Identity](https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity)
+- [Personal Access Token](#pat)
+
+#### Managed Identity
+
+Managed Identity authentication can be setup using Azure Workload identity. 
+
+##### Pre-requisites
+
+- Ensure Workload Identity is properly 
+  [set up on your cluster](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#create-an-aks-cluster).
+
+##### Configure Workload Identity
+
+- Create a Managed Identity and grant the necessary permissions to list/update
+  commit status.
+- Establish a federated identity credential between the managed identity and the
+  service account to be used for authentication. Ensure the federated credential
+  uses the correct namespace and name of the service account. For more details,
+  please refer to this
+  [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+The service account used for authentication can be single-tenant
+(controller-level) or multi-tenant(object-level). For a complete guide on how to
+set up authentication, see the integration [docs](/flux/integrations/azure/).
+
+#### PAT
+
+The `.spec.secretRef` must contain a key called `token` with the value set to a
 [Azure DevOps personal access token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page).
 
 The token must have permissions to update the commit status for the Azure DevOps repository specified in `.spec.address`.
 
@@ -8,8 +8,8 @@ require (
 	cloud.google.com/go/pubsub v1.49.0
 	code.gitea.io/sdk/gitea v0.21.0
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
-	github.com/Azure/azure-amqp-common-go/v4 v4.2.0
-	github.com/Azure/azure-event-hubs-go/v3 v3.6.2
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs/v2 v2.0.0
 	github.com/DataDog/datadog-api-client-go/v2 v2.42.0
 	github.com/PagerDuty/go-pagerduty v1.8.0
 	github.com/cdevents/sdk-go v0.4.1
@@ -63,22 +63,12 @@ require (
 	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	github.com/42wim/httpsig v1.2.2 // indirect
-	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.3 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0 // indirect
-	github.com/Azure/go-amqp v1.3.0 // indirect
+	github.com/Azure/go-amqp v1.4.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/DataDog/zstd v1.5.2 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -95,7 +85,6 @@ require (
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
-	github.com/devigned/tab v0.1.1 // indirect
 	github.com/docker/cli v28.2.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -136,9 +125,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect