Open v-esteves opened 1 year ago
Definitely a useful feature, we'd need someone using AKS to provide support for this.
@mattray we have just rolled out OpenCost in all our AKS clusters and would be more than happy to help out with this enhancement.
@v-esteves happy to review any PRs you have.
We are looking into OpenCost and would need OpenCost to support workload identity.
I have included the issue / merge for workload identity for external-dns if this helps.
@sossickd does #2117 look compatible with what you need?
@dwbrown2 yes that looks relevant
Any update on this?
Should be fixed as part of #2363.
Is your feature request related to a problem? Please describe.
We are starting to use OpenCost on Azure AKS and we want to avoid having Prometheus deployed on our clusters, and use a managed service for this. Right now on OpenCost we have two options of authn/authz for external Prometheus: Basic Authentication and bearer token. With a managed service, there isn't the option of basic auth, so we are stuck with bearer tokens. This isn't a good solution, since the tokens have a short lifetime and we would need to keep refreshing this value, and that isn't feasible.

Describe the solution you'd like
Ideally using Workload Identity in order to avoid having to manage secrets.

Describe alternatives you've considered
Using an SPN ClientId and ClientSecret, with OpenCost needing to support fetching and updating the token by itself, like it does for fetching the Azure Pricing Data. While this solution is better than using bearer tokens, it also isn't ideal, since we would need to manage secrets for the SPN.

Additional context
AKS Workload Identity