[exporter/azuredataexplorerexporter] add azure default auth (#35835)

#### Description
Add the ability to use the default Azure SDK authentication for the
kusto client. This enables users to use workload identity.

Links:
-
https://learn.microsoft.com/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure
-
https://github.com/Azure/azure-kusto-go/blob/11658efc9faad4d0300afdc4af9a19c470b0313a/azkustodata/kcsb.go#L294C1-L298C2
-
https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=go

#### Link to tracking issue
Fixes
#33667

#### Testing
- `make`
- deploy controller in kind cluster using workload identity, send dummy
traces and validate that they reach the ADX cluster

#### Documentation
Split the authentication docs for each mechanism available.

Author: andreidorin-oprea

.chloggen/add_azure_default_auth.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: azuredataexplorerexporter
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add new configuration option `use_default_auth` to enable default authentication for Azure Data Explorer. This option allows users to leverage workload identity for authentication.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [33667]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

exporter/azuredataexplorerexporter/README.md

@@ -22,9 +22,16 @@ This exporter sends metrics, logs and trace data to
 The following settings are required:
 
 - `cluster_uri` (no default): The cluster name of the provisioned ADX cluster to ingest the data.
-- `application_id` (no default): The client id to connect to the cluster and ingest data.
-- `application_key` (no default): The cluster secret corresponding to the client id.
-- `tenant_id` (no default): The tenant id where the application_id is referenced from.
+
+One authentication method is required:
+- Service principal:
+  - `application_id` (no default): The client id to connect to the cluster and ingest data.
+  - `application_key` (no default): The cluster secret corresponding to the client id.
+  - `tenant_id` (no default): The tenant id where the application_id is referenced from.
+- Managed identity:
+  - `managed_identity_id` (no default): The managed identity id to authenticate with. Set to "system" for system-assigned managed identity. Set the MI client Id (GUID) for user-assigned managed identity.
+- Default authentication:
+  - `use_azure_auth` (default: false): Set to true to use the Azure [default authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure).
 
 The following settings can be optionally configured and have default values:
 > Note that the database tables are expected to be created upfront before the exporter is in operation , the definition of these are in the section [Database and Table definition scripts](#database-and-table-definition-scripts)

exporter/azuredataexplorerexporter/adx_exporter.go

@@ -218,6 +218,8 @@ func createKcsb(config *Config, version string) *kusto.ConnectionStringBuilder {
 	isSystemManagedIdentity := strings.EqualFold(strings.TrimSpace(config.ManagedIdentityID), "SYSTEM")
 	// If the user has managed identity done, use it. For System managed identity use the MI as system
 	switch {
+	case config.UseAzureAuth:
+		kcsb = kusto.NewConnectionStringBuilder(config.ClusterURI).WithDefaultAzureCredential()
 	case !isManagedIdentity:
 		kcsb = kusto.NewConnectionStringBuilder(config.ClusterURI).WithAadAppKey(config.ApplicationID, string(config.ApplicationKey), config.TenantID)
 	case isManagedIdentity && isSystemManagedIdentity:

exporter/azuredataexplorerexporter/adx_exporter_test.go

@@ -178,6 +178,7 @@ func TestCreateKcsb(t *testing.T) {
 		name              string // name of the test
 		config            Config // config for the test
 		isMsi             bool   // is MSI enabled
+		isAzureAuth       bool   // is azure authentication enabled
 		applicationID     string // application id
 		managedIdentityID string // managed identity id
 	}{
@@ -216,6 +217,15 @@ func TestCreateKcsb(t *testing.T) {
 			managedIdentityID: "636d798f-b005-41c9-9809-81a5e5a12b2e",
 			applicationID:     "",
 		},
+		{
+			name: "azure auth",
+			config: Config{
+				ClusterURI:   "https://CLUSTER.kusto.windows.net",
+				Database:     "tests",
+				UseAzureAuth: true,
+			},
+			isAzureAuth: true,
+		},
 	}
 	for i := range tests {
 		tt := tests[i]
@@ -229,6 +239,8 @@ func TestCreateKcsb(t *testing.T) {
 			wantManagedID := tt.managedIdentityID
 			assert.Equal(t, wantManagedID, gotKcsb.ManagedServiceIdentity)
 			assert.Equal(t, "https://CLUSTER.kusto.windows.net", gotKcsb.DataSource)
+			wantIsAzure := tt.isAzureAuth
+			assert.Equal(t, wantIsAzure, gotKcsb.DefaultAuth)
 		})
 	}
 }

exporter/azuredataexplorerexporter/config.go

@@ -24,6 +24,7 @@ type Config struct {
 	ApplicationKey            configopaque.String `mapstructure:"application_key"`
 	TenantID                  string              `mapstructure:"tenant_id"`
 	ManagedIdentityID         string              `mapstructure:"managed_identity_id"`
+	UseAzureAuth              bool                `mapstructure:"use_azure_auth"`
 	Database                  string              `mapstructure:"db_name"`
 	MetricTable               string              `mapstructure:"metrics_table_name"`
 	LogTable                  string              `mapstructure:"logs_table_name"`
@@ -46,9 +47,23 @@ func (adxCfg *Config) Validate() error {
 	if isClusterURIEmpty {
 		return errors.New(`clusterURI config is mandatory`)
 	}
-	// Parameters for AD App Auth or Managed Identity Auth are mandatory
-	if isAppAuthEmpty && isManagedAuthEmpty {
-		return errors.New(`either ["application_id" , "application_key" , "tenant_id"] or ["managed_identity_id"] are needed for auth`)
+	// Parameters for AD App Auth or Managed Identity Auth or Default Auth are mandatory
+	authMethods := 0
+
+	if !isAppAuthEmpty {
+		authMethods++
+	}
+
+	if !isManagedAuthEmpty {
+		authMethods++
+	}
+
+	if adxCfg.UseAzureAuth {
+		authMethods++
+	}
+
+	if authMethods != 1 {
+		return errors.New(`either ["application_id" , "application_key" , "tenant_id"] or ["managed_identity_id"] or ["use_azure_auth"] must be provided for auth`)
 	}
 
 	if !(adxCfg.IngestionType == managedIngestType || adxCfg.IngestionType == queuedIngestTest || isEmpty(adxCfg.IngestionType)) {

exporter/azuredataexplorerexporter/config_test.go

@@ -45,7 +45,7 @@ func TestLoadConfig(t *testing.T) {
 		},
 		{
 			id:           component.NewIDWithName(metadata.Type, "2"),
-			errorMessage: `either ["application_id" , "application_key" , "tenant_id"] or ["managed_identity_id"] are needed for auth`,
+			errorMessage: `either ["application_id" , "application_key" , "tenant_id"] or ["managed_identity_id"] or ["use_azure_auth"] must be provided for auth`,
 		},
 		{
 			id:           component.NewIDWithName(metadata.Type, "3"),
@@ -111,6 +111,18 @@ func TestLoadConfig(t *testing.T) {
 				},
 			},
 		},
+		{
+			id: component.NewIDWithName(metadata.Type, "9"),
+			expected: &Config{
+				ClusterURI:    "https://CLUSTER.kusto.windows.net",
+				Database:      "oteldb",
+				MetricTable:   "OTELMetrics",
+				LogTable:      "OTELLogs",
+				TraceTable:    "OTELTraces",
+				UseAzureAuth:  true,
+				IngestionType: queuedIngestTest,
+			},
+		},
 	}
 
 	for _, tt := range tests {

exporter/azuredataexplorerexporter/testdata/config.yaml

@@ -145,4 +145,9 @@ azuredataexplorer/8:
     enabled: true
     initial_interval: 10s
     max_interval: 60s
-    max_elapsed_time: 10m
+    max_elapsed_time: 10m
+azuredataexplorer/9:
+  # Kusto cluster uri
+  cluster_uri: "https://CLUSTER.kusto.windows.net"
+  # weather to use the default azure auth
+  use_azure_auth: true