Allow clientId and tenantId hint when using workload identity

[nilfr]

Workload identity supports the usage of multiple identities in the same pod. This PR attempts to add support for it.

We need to evaluate if we would like to also backport this to the legacyCredentials.

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[nilfr]

@asimpson @bossinc @aangelisc @alyssabull Can we get someone to review this?

[aangelisc]

Hi @nilfr,

Thank you for the contribution! This looks good to me. Are you also planning on creating a PR for the data sources to ensure this is usable? Tagging @kostrse to review as well.

[nilfr]

@aangelisc As far as I know, this is already usable when using the new format with azureCredentials, unless the datasource does some validation on the jsonData. I am happy to update the documentation if you could point me to the relevant repository.

The question is if this should be supported with the legacyCredentials via the getFromLegacy function?

[kostrse]

Did you consider security implications?

My concern that this may give ability to probe other identities in the Kubernetes cluster even if they aren't supposed to be used by Grafana and belong to other services hosted in the same cluster.

For this reason TenatID and ClientID were added to Grafana config (here), so they are not accessible by user.

[nilfr]

@kostrse I did. Security is actually the main driver for this. We have different teams that use the Azure Monitor datasource. We want to manage the datasources for them to restrict the scope and subscriptions that the datasource has access to, so each of them should use a separate ManagedIdentity. Today, this is possible with multiple ServicePrincipals, but not with ManagedIdentities. The issue with using ServicePrincipals is then lifecycle management of the ClientSecret.

Probing for other managed identities would not work since the FederatedIdentityCredential you create is tied to the subject claim of the Grafana ServiceAccount.

[aangelisc]

@nilfr ideally the data sources would need to be updated to provide the client ID and tenant ID of the identity via the UI to make this functionality more accessible (otherwise it will only be usable via provisioned data sources).

@kostrse this functionality looks good to me and I'm happy to add this to the SDK if you see no issues with it.

[nilfr]

@aangelisc I have updated the branch to be up-to-date with main.

I can look into submitting a PR for the UI once this is merged.

[aangelisc]

Thank you for the contribution @nilfr!

[aangelisc]

Apologies for this falling through the cracks! I've merged main to allow me to merge this

[nilfr]

@aangelisc Anything I can do to help get a tag and a release for this, so that we can add this to grafana/grafana?

[aangelisc]

Hi @nilfr! There are a couple things I'm trying to get merged and then I'll cut a new release (hopefully this week).

[aangelisc]

Hi @nilfr, apologies for the delay, I've published a new version of the SDK now 😊 Thanks again!