@lalitb lalitb commented Oct 3, 2025

Core Implementation

  • Added AuthMethod::WorkloadIdentity variant (geneva-uploader/src/config_service/client.rs)

    • Uses Azure Identity SDK's WorkloadIdentityCredential for token exchange
    • Automatically reads AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_FEDERATED_TOKEN_FILE from environment
    • Exchanges Kubernetes service account token for Azure AD access token
    • Uses /userapi endpoint (same as Managed Identity authentication)
  • Token acquisition and caching

    • Implements federated token exchange flow with Azure AD
    • Generates appropriate OAuth scopes based on resource URI and Azure cloud
    • Integrates with existing token caching mechanism

Example and Documentation

  • Complete working example (examples/basic_workload_identity_test.rs)

    • Demonstrates Workload Identity configuration
    • Shows environment variable setup
    • Includes sample log generation and export
  • Comprehensive setup guide (examples/README.md)

    • Step-by-step AKS cluster configuration
    • User-Assigned Managed Identity creation (NOT App Registration)
    • Federated credential setup
    • Kubernetes service account and pod deployment
    • Troubleshooting guide for common issues
    • Environment variable reference
  • Docker support (examples/Dockerfile)

    • Multi-stage build for optimized image size
    • Builds the workload identity example
    • Compatible with AKS (linux/amd64)

FFI Support

  • Updated FFI bindings (geneva-uploader-ffi/src/lib.rs)
    • Auto-detects Workload Identity vs System MSI based on AZURE_FEDERATED_TOKEN_FILE presence
    • Maintains backward compatibility with existing authentication methods

Merge requirement checklist

  • CONTRIBUTING guidelines followed
  • Unit tests added/updated (if applicable)
  • Appropriate CHANGELOG.md files updated for non-trivial, user-facing changes
  • Changes in public API reviewed (if applicable)
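
The selection rule the description gives for the FFI layer (Workload Identity when AZURE_FEDERATED_TOKEN_FILE is present, System MSI otherwise), sketched as a preflight check. This is an added example, not code from the PR or the geneva-uploader crate; `Detected` and `detect_auth` are hypothetical names, and rejecting a partially configured environment instead of falling back to System MSI is this example's assumption.

```rust
use std::collections::HashMap;

// Hypothetical type for this example; not the crate's AuthMethod.
#[derive(Debug, PartialEq)]
pub enum Detected {
    WorkloadIdentity { client_id: String, tenant_id: String, token_file: String },
    SystemManagedIdentity,
}

// Presence of AZURE_FEDERATED_TOKEN_FILE selects Workload Identity. A partial
// configuration is an error here (assumption), so a misconfigured pod never
// silently falls back to a different identity.
pub fn detect_auth(env: &HashMap<String, String>) -> Result<Detected, String> {
    let get = |k: &str| env.get(k).map(|v| v.trim()).filter(|v| !v.is_empty());
    let token_file = match get("AZURE_FEDERATED_TOKEN_FILE") {
        Some(p) => p,
        None => return Ok(Detected::SystemManagedIdentity),
    };
    let missing: Vec<&str> = ["AZURE_CLIENT_ID", "AZURE_TENANT_ID"]
        .iter().copied().filter(|k| get(*k).is_none()).collect();
    if !missing.is_empty() {
        return Err(format!("workload identity selected but missing: {}", missing.join(", ")));
    }
    // The projected service account token must be readable and non-empty.
    match std::fs::read_to_string(token_file) {
        Ok(t) if !t.trim().is_empty() => {}
        Ok(_) => return Err(format!("{} is empty", token_file)),
        Err(e) => return Err(format!("cannot read {}: {}", token_file, e)),
    }
    Ok(Detected::WorkloadIdentity {
        client_id: get("AZURE_CLIENT_ID").unwrap().to_string(),
        tenant_id: get("AZURE_TENANT_ID").unwrap().to_string(),
        token_file: token_file.to_string(),
    })
}

fn main() {
    // Constructed environment: token file set, identity variables absent.
    let mut env = HashMap::new();
    env.insert("AZURE_FEDERATED_TOKEN_FILE".to_string(), "/tmp/constructed-token".to_string());
    println!("{:?}", detect_auth(&env));
}
```

Running a check like this at startup surfaces a missing federated-credential variable as a configuration error rather than as a token-exchange failure later.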

@lalitb lalitb requested a review from a team as a code owner October 3, 2025 21:34
codecov bot commented Oct 3, 2025

Codecov Report

❌ Patch coverage is 16.92308% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.7%. Comparing base (1ee6a9c) to head (76c9227).
⚠️ Report is 1 commits behind head on main.

Files with missing lines                                 | Patch % | Lines
...eneva/geneva-uploader/src/config_service/client.rs    | 11.3%   | 47 Missing ⚠️
...try-exporter-geneva/geneva-uploader-ffi/src/lib.rs    | 0.0%    | 5 Missing ⚠️
...etry-exporter-geneva/geneva-uploader/src/client.rs    | 0.0%    | 1 Missing ⚠️
...r-geneva/geneva-uploader/src/config_service/mod.rs    | 83.3%   | 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##            main    #467     +/-   ##
=======================================
- Coverage   53.9%   53.7%   -0.3%     
=======================================
  Files         71      71             
  Lines      11220   11262     +42     
=======================================
- Hits        6057    6056      -1     
- Misses      5163    5206     +43     


@lalitb lalitb changed the title [Geneva Uploader] Implement Azure Workload Identity authentication for Geneva. feat: [Geneva Uploader] Implement Azure Workload Identity authentication for Geneva. Oct 7, 2025
Added a TODO for Azure Arc support in the Geneva Config Client.
Added a TODO comment regarding the get_token API's parameter type.
Removed unnecessary check for trailing slash in scope candidates generation.
@lalitb lalitb merged commit e8e5a89 into open-telemetry:main Oct 10, 2025
21 of 22 checks passed