Fix FIC Auth support issues (#1547)

* Fix Arc pipeline issue for OCP

* nit

* download jq

* Updated validation and docker

* removed conftest

* Fixed failed tests

* fix aad token

* update tests

* Access token fix

* revert import changes

* fix test

* Remove jq

* Update image

* fix test error

* jq fix

* nit

* increase time window

* Fix conf tests

* update conf image

Author: suyadav1

build/common/installer/scripts/tomlparser.rb

@@ -22,11 +22,11 @@
 @excludePath = "*.csv2" #some invalid path
 @enrichContainerLogs = false
 @containerLogSchemaVersion = ""
-@collectAllKubeEvents = false
+@collectAllKubeEvents = ENV["AZMON_CLUSTER_COLLECT_ALL_KUBE_EVENTS"]&.downcase == "true" || false
 @containerLogsRoute = "v2" # default for linux
 @logEnableMultiline = "false"
 @stacktraceLanguages = "go,java,python" #supported languages for multiline logs. java is also used for dotnet stacktraces
-@logEnableKubernetesMetadata = false
+@logEnableKubernetesMetadata = ENV["AZMON_KUBERNETES_METADATA_ENABLED"]&.downcase == "true" || false
 @logKubernetesMetadataIncludeFields = "podlabels,podannotations,poduid,image,imageid,imagerepo,imagetag"
 @annotationBasedLogFiltering = false
 @allowed_system_namespaces = ['kube-system', 'gatekeeper-system', 'calico-system', 'azure-arc', 'kube-public', 'kube-node-lease']

test/e2e/conformance.yaml

@@ -6,7 +6,7 @@ sonobuoy-config:
   plugin-name: azure-arc-monitor
   result-format: junit
 spec:
-  image: mcr.microsoft.com/azuremonitor/containerinsights/cidev:ciconftest09102025
+  image: mcr.microsoft.com/azuremonitor/containerinsights/cidev:ciconftest10282025
   imagePullPolicy: Always
   name: plugin
   resources: {}

test/e2e/e2e-tests.yaml

@@ -104,7 +104,7 @@ data:
       - name: AZURE_CLOUD
         value: "AZURE_PUBLIC_CLOUD"
       # image tag should be updated if new tests being added after this image
-      image: mcr.microsoft.com/azuremonitor/containerinsights/cidev:ciconftest09102025
+      image: mcr.microsoft.com/azuremonitor/containerinsights/cidev:ciconftest10282025
       imagePullPolicy: IfNotPresent
       name: plugin
       resources: {}

test/e2e/src/common/arm_rest_utility.py

@@ -1,56 +1,135 @@
-import pytest
 import os
-import json
+import base64
 import requests
-from azure.identity import ClientAssertionCredential, ClientSecretCredential, ManagedIdentityCredential, CertificateCredential
+import pytest
+from typing import Optional, Callable
+from azure.identity import (
+    ClientAssertionCredential,
+    ClientSecretCredential,
+    ManagedIdentityCredential,
+    CertificateCredential
+)
 
 # Function that returns aad token credentials for a given spn
 # Default behavior is to use managed identity, if use_cert_auth is set we attempt to use a certificate, if use_SPN_auth is set we fall back to SPN client secret auth
-def get_fed_token():
+def get_fed_token() -> str:
+    """Retrieve a federated (OIDC) token from Azure DevOps pipeline environment.
+
+    Expects the following environment variables to be set:
+      - SYSTEM_ACCESSTOKEN
+      - SERVICE_CONNECTION_ID
+      - SYSTEM_OIDCREQUESTURI
+
+    Returns:
+        JWT assertion string.
+
+    Raises:
+        RuntimeError: if required env vars missing or request/response invalid.
+    """
     system_accesstoken = os.getenv('SYSTEM_ACCESSTOKEN')
     service_connection_id = os.getenv('SERVICE_CONNECTION_ID')
     system_oidc_request_uri = os.getenv('SYSTEM_OIDCREQUESTURI')
 
-    if system_accesstoken and service_connection_id and system_oidc_request_uri:
-        # Construct the OIDC_REQUEST_URL
-        oidc_request_url = f"{system_oidc_request_uri}?api-version=7.1&serviceConnectionId={service_connection_id}"
-         # Preparing headers for ADO Pipeline OIDC authentication
-        headers = {
-            "Content-Length": "0",
-            "Content-Type": "application/json",
-            "Authorization": f"Bearer {system_accesstoken}"
-        }
-
-        # Make the POST request
-        response = requests.post(oidc_request_url, headers=headers)
-
-        # Check the response and extract the OIDC token
-        if response.status_code == 200:
-            # Assuming the response is JSON and has an 'oidcToken' field
-            arm_oidc_token = response.json().get('oidcToken')
-            print("Return Fed token")
-            return arm_oidc_token
-        else:
-            print("Failed to retrieve FED Token:", response.status_code, response.text)
-
-    else:
-        print("""
-        One or more variables (SYSTEM_ACCESSTOKEN, 
-        SERVICE_CONNECTION_ID, 
-        SYSTEM_OIDCREQUESTURI) are either not set or empty.
-        """)
-
-def fetch_aad_token_credentials(tenant_id, client_id, client_secret, authority, use_cert_auth = False, use_SPN_auth = False, use_FIC_auth = False):
+    missing = [name for name, val in [
+        ('SYSTEM_ACCESSTOKEN', system_accesstoken),
+        ('SERVICE_CONNECTION_ID', service_connection_id),
+        ('SYSTEM_OIDCREQUESTURI', system_oidc_request_uri)
+    ] if not val]
+    if missing:
+        raise RuntimeError(f"Missing required env vars for federated auth: {', '.join(missing)}")
+
+    oidc_request_url = f"{system_oidc_request_uri}?api-version=7.1&serviceConnectionId={service_connection_id}"
+    headers = {
+        "Content-Length": "0",
+        "Content-Type": "application/json",
+        "Authorization": f"Bearer {system_accesstoken}"
+    }
+
+    try:
+        response = requests.post(oidc_request_url, headers=headers, timeout=15)
+    except Exception as ex:
+        raise RuntimeError(f"HTTP request for federated token failed: {ex}") from ex
+
+    if response.status_code != 200:
+        raise RuntimeError(f"Failed to retrieve federated token: status={response.status_code} body={response.text[:300]}")
+
+    arm_oidc_token = response.json().get('oidcToken')
+    if not arm_oidc_token:
+        raise RuntimeError(f"Response JSON missing 'oidcToken' field: {response.text[:300]}")
+    return arm_oidc_token
+
+
+def build_scope(resource_endpoint: str) -> str:
+    """Return a resource scope suitable for Azure.Identity .get_token calls.
+
+    Ensures a single trailing slash before appending .default.
+    Example: https://management.azure.com -> https://management.azure.com/.default
+    """
+    resource_endpoint = resource_endpoint.rstrip('/')
+    return f"{resource_endpoint}/.default"
+
+def fetch_aad_token_credentials(
+    tenant_id: str,
+    client_id: Optional[str],
+    client_secret: Optional[str],
+    authority: str,
+    use_cert_auth: bool = False,
+    use_SPN_auth: bool = False,
+    use_FIC_auth: bool = False
+):
+    """Return an Azure credential object based on selected auth mode.
+
+    Precedence / selection rules:
+      - Exactly one of use_cert_auth, use_SPN_auth, use_FIC_auth may be True.
+      - If all False, fall back to ManagedIdentityCredential.
+
+    Args:
+        tenant_id: Azure AD tenant ID (guid).
+        client_id: Application (client) ID or user-assigned managed identity client ID.
+        client_secret: Secret or base64 cert bytes depending on mode.
+        authority: Base authority host (e.g. https://login.microsoftonline.com).
+        use_cert_auth: Use certificate assertion credential.
+        use_SPN_auth: Use client secret credential.
+        use_FIC_auth: Use federated identity credential (ClientAssertionCredential with get_fed_token).
+
+    Returns:
+        Credential instance implementing get_token().
+    """
     try:
+        modes_selected = sum(bool(x) for x in [use_cert_auth, use_SPN_auth, use_FIC_auth])
+        if modes_selected > 1:
+            raise ValueError("Only one auth mode may be enabled at a time.")
+
         if use_FIC_auth:
-            return ClientAssertionCredential(tenant_id=tenant_id, client_id=client_id, func=get_fed_token, authority=authority)
+            if not client_id:
+                raise ValueError("client_id required for federated identity auth")
+            return ClientAssertionCredential(
+                tenant_id=tenant_id,
+                client_id=client_id,
+                func=get_fed_token,
+                authority=authority
+            )
         if use_SPN_auth:
-            return ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret, authority=authority)
+            if not (client_id and client_secret):
+                raise ValueError("client_id and client_secret required for SPN auth")
+            return ClientSecretCredential(
+                tenant_id=tenant_id,
+                client_id=client_id,
+                client_secret=client_secret,
+                authority=authority
+            )
         if use_cert_auth:
-            import base64
+            if not (client_id and client_secret):
+                raise ValueError("client_id and client_secret (base64 cert) required for cert auth")
             cert_bytes = base64.b64decode(client_secret)
-            return CertificateCredential(tenant_id=tenant_id, client_id=client_id, certificate_data=cert_bytes, send_certificate_chain=True)
-        else:
-            return ManagedIdentityCredential(client_id=client_id)
+            return CertificateCredential(
+                tenant_id=tenant_id,
+                client_id=client_id,
+                certificate_data=cert_bytes,
+                send_certificate_chain=True,
+                authority=authority
+            )
+        # Managed Identity path
+        return ManagedIdentityCredential(client_id=client_id)
     except Exception as e:
-        pytest.fail("Error occured while fetching credentials: " + str(e))
+        pytest.fail("Error occurred while fetching credentials: " + str(e))

test/e2e/src/common/constants.py

@@ -44,7 +44,7 @@
 AMA_LOGS_MAIN_CONTAINER_NAME = 'ama-logs'
 
 # WAIT TIME BEFORE READING THE AGENT LOGS
-AGENT_WAIT_TIME_SECS = "180"
+AGENT_WAIT_TIME_SECS = "600"
 # Azure Monitor for Container Extension related
 AGENT_RESOURCES_NAMESPACE = 'kube-system'
 AGENT_DEPLOYMENT_NAME = 'ama-logs-rs'
@@ -74,7 +74,7 @@
 CONTAINER_INVENTORY_EMIT_STREAM = "containerInventoryEmitStreamSuccess"
 
 # simple log analytics queries to validate for e2e workflows
-DEFAULT_QUERY_TIME_INTERVAL_IN_MINUTES = 10
+DEFAULT_QUERY_TIME_INTERVAL_IN_MINUTES = 15
 KUBE_POD_INVENTORY_QUERY = "KubePodInventory |  where TimeGenerated > ago({0}) | count"
 KUBE_NODE_INVENTORY_QUERY = "KubeNodeInventory |  where TimeGenerated > ago({0}) | count"
 KUBE_SERVICES_QUERY = "KubeServices |  where TimeGenerated > ago({0}) | count"
@@ -101,7 +101,7 @@
 CONTAINER_PERF_RESTART_TIME_EPOCH_QUERY = "Perf | where ObjectName == 'K8SContainer' | where CounterName == 'restartTimeEpoch' |  where TimeGenerated > ago({0}) | count"
 # container log
 CONTAINER_LOG_V2_QUERY = "ContainerLogV2 |  where TimeGenerated > ago({0}) | count"
-CONTAINER_LOG_V2_K8S_METADATA_QUERY = "ContainerLogV2 |  where TimeGenerated > ago({0}) | where KubernetesMetadata != "" | count"
+CONTAINER_LOG_V2_K8S_METADATA_QUERY = "ContainerLogV2 |  where TimeGenerated > ago({0}) | where KubernetesMetadata != '' | count"
 
 # insights metrics
 INSIGHTS_METRICS_QUERY = "InsightsMetrics |  where TimeGenerated > ago({0}) | count"

test/e2e/src/core/Dockerfile

@@ -2,13 +2,15 @@
 ARG PYTHON_BASE_IMAGE=python:3.6
 FROM ${PYTHON_BASE_IMAGE}
 
-RUN pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pytest pytest-xdist filelock requests kubernetes adal msrestazure
+RUN pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org \
+    pytest pytest-xdist filelock requests kubernetes adal msrestazure azure-identity \
+    azure-mgmt-hybridkubernetes azure-mgmt-kubernetesconfiguration junit-xml distro
 
 RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash \
     && helm version
 
 RUN apt-get update && apt-get -y upgrade && \
-    apt-get -f -y install curl apt-transport-https lsb-release gnupg python3-pip && \
+    apt-get -f -y install curl apt-transport-https lsb-release gnupg python3-pip jq && \
     curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft.asc.gpg && \
     CLI_REPO=$(lsb_release -cs) && \
     echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${CLI_REPO} main" \

test/e2e/src/core/conftest.py

@@ -61,9 +61,6 @@ def env_dict():
             if not env_dict.get('CLIENT_ID'):
                 pytest.fail('ERROR: variable CLIENT_ID is required.')
 
-            if not env_dict.get('CLIENT_SECRET'):
-                pytest.fail('ERROR: variable CLIENT_SECRET is required.')
-
             print("Setup Complete.")
             append_result_output("Setup Complete.\n", env_dict['SETUP_LOG_FILE'])
 

test/e2e/src/core/e2e_tests.sh

@@ -77,20 +77,6 @@ validateCommonParameters() {
 	   echo "ERROR: parameter TENANT_ID is required." > ${results_dir}/error
 	   python3 setup_failure_handler.py
    fi
-
-   ## Look for WORKLOAD_CLIENT_ID
-   if [[ -z "${WORKLOAD_CLIENT_ID}" ]]
-   then
-      if [ -z $CLIENT_ID ]; then
-         echo "ERROR: parameter CLIENT_ID is required." > ${results_dir}/error
-         python3 setup_failure_handler.py
-      fi
-
-      if [ -z $CLIENT_SECRET ]; then
-         echo "ERROR: parameter CLIENT_SECRET is required." > ${results_dir}/error
-         python3 setup_failure_handler.py
-      fi
-   fi
 }
 
 validateArcConfTestParameters() {
@@ -99,7 +85,7 @@ validateArcConfTestParameters() {
 	   python3 setup_failure_handler.py
 	fi
 
-	if [ -z $RESOURCE_GROUP ]]; then
+	if [ -z $RESOURCE_GROUP ]; then
 		echo "ERROR: parameter RESOURCE_GROUP is required." > ${results_dir}/error
 		python3 setup_failure_handler.py
 	fi
@@ -157,47 +143,38 @@ deleteArcCIExtension() {
 login_to_azure() {
    ## Federted Identity credentials authentication mechanism added.
 	if [[ -v SYSTEM_ACCESSTOKEN && -n "$SYSTEM_ACCESSTOKEN" &&
-	      -v SERVICE_CONNECTION_ID && -n "$SERVICE_CONNECTION_ID" &&
-	      -v SYSTEM_OIDCREQUESTURI && -n "$SYSTEM_OIDCREQUESTURI" ]]; then
-	
-	  export OIDC_REQUEST_URL="${SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${SERVICE_CONNECTION_ID}"
-	  echo "OIDC_REQUEST_URL= $OIDC_REQUEST_URL"
-	
-	  FED_TOKEN=$(curl -s -H "Content-Length: 0" -H "Content-Type: application/json" -H "Authorization: Bearer $SYSTEM_ACCESSTOKEN" -X POST $OIDC_REQUEST_URL | jq -r '.oidcToken')
-	  echo "FED_TOKEN= $FED_TOKEN"
-	
-	  echo "logging in using Federated Identity"
-	  az login --service-principal -u $FED_CLIENT_ID  --tenant $TENANT_ID --allow-no-subscriptions --federated-token $FED_TOKEN 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
-	
-	elif [[ -v BASE_64_CLIENT_CERTIFICATE && -n "$BASE_64_CLIENT_CERTIFICATE" ]]; then
-	  BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE#\"}   # Remove leading quote
-	  BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE%\"} # Remove trailing quote
-	  echo "logging in using Certificate '${BASE_64_CLIENT_CERTIFICATE}'"
-	  ## create base64 cert to pem
-	  echo ${BASE_64_CLIENT_CERTIFICATE:0} | tr ' ' "\n" > base64_cert
-	  # convert base64 to PEM
-	  openssl base64 -d -in base64_cert -out clientcert.pem
-	  # minutes=60
-	  # seconds=$((minutes * 60))
-	  # sleep $seconds
-	  az login --service-principal --use-cert-sn-issuer -u $CLIENT_ID -p clientcert.pem --tenant $TENANT_ID 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
-	  
-	elif [[ -z $WORKLOAD_CLIENT_ID ]]; then
+         -v SERVICE_CONNECTION_ID && -n "$SERVICE_CONNECTION_ID" &&
+         -v SYSTEM_OIDCREQUESTURI && -n "$SYSTEM_OIDCREQUESTURI" ]]; then
+      export OIDC_REQUEST_URL="${SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${SERVICE_CONNECTION_ID}"
+      echo "OIDC_REQUEST_URL= $OIDC_REQUEST_URL"
+
+      FED_TOKEN=$(curl -s -H "Content-Length: 0" -H "Content-Type: application/json" -H "Authorization: Bearer $SYSTEM_ACCESSTOKEN" -X POST $OIDC_REQUEST_URL | jq -r '.oidcToken')
+      echo "FED_TOKEN= $FED_TOKEN"
+
+      echo "logging in using Federated Identity"
+      az login --service-principal -u $FED_CLIENT_ID  --tenant $TENANT_ID --allow-no-subscriptions --federated-token $FED_TOKEN 2> ${results_dir}/error || python3 setup_failure_handler.py
+   elif [[ -v BASE_64_CLIENT_CERTIFICATE && -n "$BASE_64_CLIENT_CERTIFICATE" ]]; then
+      BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE#\"}   # Remove leading quote
+      BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE%\"} # Remove trailing quote
+      echo "logging in using Certificate '${BASE_64_CLIENT_CERTIFICATE}'"
+      ## create base64 cert to pem
+      echo ${BASE_64_CLIENT_CERTIFICATE:0} | tr ' ' "\n" > base64_cert
+      openssl base64 -d -in base64_cert -out clientcert.pem
+      az login --service-principal --use-cert-sn-issuer -u $CLIENT_ID -p clientcert.pem --tenant $TENANT_ID 2> ${results_dir}/error || python3 setup_failure_handler.py
+   
+   elif [[ -v WORKLOAD_CLIENT_ID && -n "$WORKLOAD_CLIENT_ID" ]]; then
+      echo "logging in using managed identity '${WORKLOAD_CLIENT_ID}'"
+      az login --identity --client-id $WORKLOAD_CLIENT_ID 2> ${results_dir}/error || python3 setup_failure_handler.py
+   else
       echo "logging in using service principal '${CLIENT_ID}'"
       az login --service-principal \
          -u ${CLIENT_ID} \
          -p ${CLIENT_SECRET} \
          --tenant ${TENANT_ID} 2> ${results_dir}/error || python3 setup_failure_handler.py
-   else
-      echo "logging in using managed identity '${WORKLOAD_CLIENT_ID}'"
-      az login --identity \
-         -u ${WORKLOAD_CLIENT_ID} 2> ${results_dir}/error || python3 setup_failure_handler.py
    fi
-	
-   echo "setting subscription: ${SUBSCRIPTION_ID} as default subscription"
-	##
-	az account set \
-	  --subscription ${SUBSCRIPTION_ID} 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
+
+	echo "setting subscription: ${SUBSCRIPTION_ID} as default subscription"
+	az account set -s $SUBSCRIPTION_ID
 }