Managed Identity support for Azure Event Hubs. Changes include -

- If authentication token is not specified in provider, attempt to get the token using workload identity.
= Add new field .spec.serviceAccountName to support multi-tenant workload identity as defined in RFC-0010 to use an identity with a service account other than the notification-controller.
- Use proxy to get the token if specified in provider spec.
- Cache the tokens if enabled in the notification controller options.
- If address has SAS connection string, use that for authentication, this takes priority over token-authentication
- If static JWT token is specified in the secret reference, use it for authentication, this takes priority over workload identity-acquired token.
- Add unit tests for the 3 authentication mechanisms (SAS, JWT, managed identity).
- Add documentation for using single-tenant and multi-tenant approaches of workload identity with azureeventhub provider.
- Add operation post to github helpers and provider controller for cache event metrics

Signed-off-by: Dipti Pai <[email protected]>

Author: dipti-pai

api/v1beta3/provider_types.go

@@ -108,6 +108,11 @@ type ProviderSpec struct {
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+	// ServiceAccountName is the name of the service account used to
+	// authenticate with services from cloud providers.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// CertSecretRef specifies the Secret containing
 	// a PEM-encoded CA certificate (in the `ca.crt` key).
 	// +optional

config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml

@@ -490,6 +490,11 @@ spec:
                 required:
                 - name
                 type: object
+              serviceAccountName:
+                description: |-
+                  ServiceAccountName is the name of the service account used to
+                  authenticate with services from cloud providers.
+                type: string
               suspend:
                 description: |-
                   Suspend tells the controller to suspend subsequent

docs/api/v1beta3/notification.md

@@ -350,6 +350,19 @@ credentials for this Provider.</p>
 </tr>
 <tr>
 <td>
+<code>serviceAccountName</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ServiceAccountName is the name of the service account used to
+authenticate with services from cloud providers.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>certSecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -655,6 +668,19 @@ credentials for this Provider.</p>
 </tr>
 <tr>
 <td>
+<code>serviceAccountName</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ServiceAccountName is the name of the service account used to
+authenticate with services from cloud providers.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>certSecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">

docs/spec/v1beta3/providers.md

@@ -1414,13 +1414,59 @@ jobs:
 
 ### Azure Event Hub
 
-The Azure Event Hub supports two authentication methods, [JWT](https://docs.microsoft.com/en-us/azure/event-hubs/authenticate-application)
-and [SAS](https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature) based.
+The Azure Event Hub provider supports the following authentication methods, 
+- [Managed
+  Identity](https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity)
+- [JWT](https://docs.microsoft.com/en-us/azure/event-hubs/authenticate-application)
+- [SAS](https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature)
+  based.
+
+#### Managed Identity
+
+Managed identity authentication can be setup using Azure Workload identity. 
+
+##### Pre-requisites
+
+- Ensure Workload Identity is properly [set up on your
+  cluster](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#create-an-aks-cluster).
+
+##### Configure workload identity
+
+- Create a managed identity to access Azure Event Hub. 
+- Grant the managed identity the necessary permissions to send events to Azure
+  Event hub as described
+  [here](https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity#to-assign-azure-roles-using-the-azure-portal).
+
+- Establish a federated identity credential between the managed identity and the
+  service account to be used for authentication. Ensure the federated credential
+  uses the correct namespace and name of the service account. For more details,
+  please refer to this
+  [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+
+##### Single tenant approach
+
+This approach uses the notification-controller service account for setting up
+authentication.
+
+- In the default installation, the notification-controller service account is
+  located in the `flux-system` namespace with name `notification-controller`.
+
+- Configure workload identity with notification-controller as described in the
+  docs [here](/flux/installation/configuration/workload-identity/).
+
+##### Multi-tenant approach
+
+For multi-tenant clusters, set  `.spec.serviceAccountName` of the provider to
+the service account to be used for authentication. Ensure that the service
+account has the
+[annotations](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet#service-account-annotations)
+for the client-id and tenant-id of the managed identity. 
 
 #### JWT based auth
 
-In JWT we use 3 input values. Channel, token and address.
-We perform the following translation to match we the data we need to communicate with Azure Event Hub.
+In JWT we use 3 input values. Channel, token and address. We perform the
+following translation to match we the data we need to communicate with Azure
+Event Hub.
 
 - channel = Azure Event Hub namespace
 - address = Azure Event Hub name 
@@ -1450,11 +1496,13 @@ stringData:
 ```
 
 The controller doesn't take any responsibility for the JWT token to be updated.
-You need to use a secondary tool to make sure that the token in the secret is renewed.
+You need to use a secondary tool to make sure that the token in the secret is
+renewed.
 
-If you want to make a easy test assuming that you have setup a Azure Enterprise application and you called it
-event-hub you can follow most of the bellow commands. You will need to provide the `client_secret` that you got
-when generating the Azure Enterprise Application.
+If you want to make a easy test assuming that you have setup a Azure Enterprise
+application and you called it event-hub you can follow most of the bellow
+commands. You will need to provide the `client_secret` that you got when
+generating the Azure Enterprise Application.
 
 ```shell
 export AZURE_CLIENT=$(az ad app list --filter "startswith(displayName,'event-hub')" --query '[].appId' |jq -r '.[0]')
@@ -1497,8 +1545,8 @@ stringData:
 ```
 
 Assuming that you have created the Azure event hub and namespace you should be
-able to use a similar command to get your connection string. This will give
-you the default Root SAS, which is NOT supposed to be used in production.
+able to use a similar command to get your connection string. This will give you
+the default Root SAS, which is NOT supposed to be used in production.
 
 ```shell
 az eventhubs namespace authorization-rule keys list --resource-group <rg-name> --namespace-name <namespace-name> --name RootManageSharedAccessKey -o tsv --query primaryConnectionString

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
 	github.com/Azure/azure-amqp-common-go/v4 v4.2.0
 	github.com/Azure/azure-event-hubs-go/v3 v3.6.2
-	github.com/DataDog/datadog-api-client-go/v2 v2.37.1
+	github.com/DataDog/datadog-api-client-go/v2 v2.35.0
 	github.com/PagerDuty/go-pagerduty v1.8.0
 	github.com/cdevents/sdk-go v0.4.1
 	github.com/chainguard-dev/git-urls v1.0.2
@@ -20,8 +20,9 @@ require (
 	github.com/fluxcd/notification-controller/api v1.5.0
 	github.com/fluxcd/pkg/apis/event v0.17.0
 	github.com/fluxcd/pkg/apis/meta v1.11.0
-	github.com/fluxcd/pkg/cache v0.8.0
-	github.com/fluxcd/pkg/git v0.27.0
+	github.com/fluxcd/pkg/auth v0.10.1-0.20250502123105-182841a21cfa
+	github.com/fluxcd/pkg/cache v0.8.1-0.20250502123105-182841a21cfa
+	github.com/fluxcd/pkg/git v0.27.1-0.20250502123105-182841a21cfa
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/runtime v0.59.0
 	github.com/fluxcd/pkg/ssa v0.46.0
@@ -63,15 +64,15 @@ require (
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.3.1 // indirect
 	github.com/42wim/httpsig v1.2.2 // indirect
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
-	github.com/Azure/go-amqp v1.0.0 // indirect
+	github.com/Azure/go-amqp v1.3.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
@@ -100,7 +101,6 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.10.0 // indirect
-	github.com/fluxcd/pkg/auth v0.10.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
@@ -132,6 +132,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect