Gangams/workload identity geneva (#1543)

ganga1980 · web-flow · commit 4c0645b9df91 · 2025-10-22T10:21:53.000-07:00
* add workload identity support for geneva app logs

* workload identity support

* workload identity support for geneva path

* revert values yaml changes used for test

* improve code

* workload identity support

* workload identity support
diff --git a/charts/azuremonitor-containers-geneva/templates/deployment.yaml b/charts/azuremonitor-containers-geneva/templates/deployment.yaml
@@ -20,12 +20,19 @@ spec:
        agentVersion: {{ .Values.image.agentVersion }}
      labels:
        rsName: "ama-logs-geneva"
+       {{- if eq (.Values.genevaLogsConfig.authidType | lower) "authworkloadidentity" }}
+       azure.workload.identity/use: "true"
+       {{- else }}
        aadpodidbinding: {{ .Values.genevaLogsConfig.aadpodidbinding }}
+       {{- end }}
     spec:
      {{- with .Values.affinity }}
      affinity: {{- toYaml . | nindent 8 }}
      {{- end }}
     #  terminationGracePeriodSeconds: 45
+     {{- if eq (.Values.genevaLogsConfig.authidType | lower) "authworkloadidentity" }}
+     serviceAccountName: {{ .Values.genevaLogsConfig.serviceAccountName | quote }}
+     {{- end }}
      containers:
        - name: ama-logs-geneva
          image: {{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
@@ -61,10 +68,15 @@ spec:
            value: {{ .Values.genevaLogsConfig.namespace  | quote }}
          - name: MONITORING_CONFIG_VERSION
            value: {{ .Values.genevaLogsConfig.configversion  | quote }}
+        {{- if eq (.Values.genevaLogsConfig.authidType | lower) "authworkloadidentity" }}
+         - name: MONITORING_GCS_AUTH_ID_TYPE
+           value: "AuthWorkloadIdentity"
+        {{- else }}
          - name: MONITORING_GCS_AUTH_ID_TYPE
            value: "AuthMSIToken"
          - name: MONITORING_GCS_AUTH_ID
-           value: {{ .Values.genevaLogsConfig.authid  | quote }}
+           value: {{ .Values.genevaLogsConfig.authid | quote }}
+        {{- end }}
          - name: MONITORING_GCS_REGION
            value: {{ .Values.genevaLogsConfig.region | quote }}
          - name: MONITORING_USE_GENEVA_CONFIG_SERVICE
diff --git a/charts/azuremonitor-containers-geneva/templates/serviceaccount.yaml b/charts/azuremonitor-containers-geneva/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if eq (.Values.genevaLogsConfig.authidType | lower) "authworkloadidentity" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+     azure.workload.identity/client-id: {{ trimPrefix "client_id#" .Values.genevaLogsConfig.authid | quote }}
+  name: {{ .Values.genevaLogsConfig.serviceAccountName | quote}}
+{{- end }}
diff --git a/charts/azuremonitor-containers-geneva/values.yaml b/charts/azuremonitor-containers-geneva/values.yaml
@@ -5,13 +5,15 @@
 replicaCount: 1
 
 genevaLogsConfig:
+ authidType: "AuthMSIToken"                                                                  # supported values AuthMSIToken or AuthWorkloadIdentity and recommended to use AuthWorkloadIdentity
  aadpodidbinding: "<AAD_POD_IDENTITY_NAME>"                                                  # AAD POD Identity Name in case of AAD POD Managed Identity
  authid:  "<client_id#<guid>>"                                                               # MUST be in this format: client_id#<guid of the user assigned managed identity>
  environment: "<your_geneva_environment_name>"                                               # Supported values Test, Stage, DiagnosticsProd, FirstpartyProd, BillingProd, ExternalProd, CaMooncake, CaFairfax, CaBlackforest, Bleu
  account: "<your_geneva_account_name>"                                                       # name of the Geneva Logs account
  namespace: "<your_geneva_account_namespace>"                                                # name of the Geneva Logs account namespace
  region: "<your_geneva_account_gcs_region>"                                                  # GCS region of the Geneva Logs Account.
  configversion: "<your_geneva_config_version>"                                               # config version of the agent xml config.
+ serviceAccountName: "ama-logs-geneva"                                                       # Service Account Name in case of AuthWorkloadIdentity. This account with k8snamespace MUST be have federated credential configured in the User Assigned Managed Identity. https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#create-the-federated-identity-credential
 
 image:
   repository: mcr.microsoft.com/azuremonitor/containerinsights/ciprod
diff --git a/kubernetes/linux/main.sh b/kubernetes/linux/main.sh
@@ -1002,8 +1002,13 @@ if [ "${CONTAINER_TYPE}" != "PrometheusSidecar" ] && isGenevaMode; then
     echo "Runnning AMA in Geneva Logs Integration Mode"
     export MONITORING_USE_GENEVA_CONFIG_SERVICE=true
     echo "export MONITORING_USE_GENEVA_CONFIG_SERVICE=true" >> ~/.bashrc
-    export MONITORING_GCS_AUTH_ID_TYPE=AuthMSIToken
-    echo "export MONITORING_GCS_AUTH_ID_TYPE=AuthMSIToken" >> ~/.bashrc
+    if [ "${MONITORING_GCS_AUTH_ID_TYPE}" = "AuthWorkloadIdentity" ]; then
+        echo "Using AuthWorkloadIdentity for MONITORING_GCS_AUTH_ID_TYPE"
+    else
+        export MONITORING_GCS_AUTH_ID_TYPE=AuthMSIToken
+        echo "export MONITORING_GCS_AUTH_ID_TYPE=AuthMSIToken" >> ~/.bashrc
+        echo "Using AuthMSIToken for MONITORING_GCS_AUTH_ID_TYPE"
+    fi
     MDSD_AAD_MSI_AUTH_ARGS="-A"
     # except logs, all other data types ingested via sidecar container MDSD port
     export MDSD_FLUENT_SOCKET_PORT="26230"
