fluent-plugin-azurestorage-gen2 0.3.5 → 0.3.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +38 -2
- data/VERSION +1 -1
- data/lib/fluent/plugin/out_azurestorage_gen2.rb +36 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e13452c3b7d79a554cac9bcc584e25efe61c530f7a2340d1284e7eeb0693a8e8
|
|
4
|
+
data.tar.gz: 13f9f27acc1133373afa395771fd2fc5df9d6d578847f6a8d9f71e58d4a6e17d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a12173488632629709fb921cf56849afa7d1b02f608e78b5fe3701a715d0bc329206c526c1e67aff3932c64317ad134ccf4b815c99b056f4ec44b75a075d6c1d
|
|
7
|
+
data.tar.gz: 30c5ce283d05e015adff27e2d79858d998eb6001058fe2f9ebe4cb207d527da116775b346dc0c4b0f0fc4832e00d98ec6071cd72756cc94e6702906e3683890e
|
data/README.md
CHANGED
|
@@ -51,6 +51,34 @@ $ gem install fluent-plugin-azurestorage-gen2
|
|
|
51
51
|
</match>
|
|
52
52
|
```
|
|
53
53
|
|
|
54
|
+
- Configuration in a pod using Azure Workload Identity:
|
|
55
|
+
```
|
|
56
|
+
<match **>
|
|
57
|
+
@type azurestorage_gen2
|
|
58
|
+
azure_storage_account mystorageabfs
|
|
59
|
+
azure_container mycontainer
|
|
60
|
+
azure_use_workload_id true
|
|
61
|
+
azure_oauth_tenant_id <my tenant id>
|
|
62
|
+
azure_oauth_app_id <my app client id>
|
|
63
|
+
azure_object_key_format %{path}-%{index}.%{file_extension}
|
|
64
|
+
azure_oauth_refresh_interval 3600
|
|
65
|
+
time_slice_format %Y%m%d-%H
|
|
66
|
+
file_extension log # only used with store_as none
|
|
67
|
+
path "/cluster-logs/myfolder/${tag[1]}-#{Socket.gethostname}-%M"
|
|
68
|
+
auto_create_container true
|
|
69
|
+
store_as gzip
|
|
70
|
+
format single_value
|
|
71
|
+
<buffer tag,time>
|
|
72
|
+
@type file
|
|
73
|
+
path /var/log/fluent/azurestorage-buffer
|
|
74
|
+
timekey 5m
|
|
75
|
+
timekey_wait 0s
|
|
76
|
+
timekey_use_utc true
|
|
77
|
+
chunk_limit_size 64m
|
|
78
|
+
</buffer>
|
|
79
|
+
</match>
|
|
80
|
+
```
|
|
81
|
+
|
|
54
82
|
- Configuration outside of VMs with OAuth credentials:
|
|
55
83
|
```
|
|
56
84
|
<match **>
|
|
@@ -97,6 +125,14 @@ $ gem install fluent-plugin-azurestorage-gen2
|
|
|
97
125
|
Your Azure Storage Account Name. This can be got from Azure Management potal.
|
|
98
126
|
This parameter is required when environment variable 'AZURE_STORAGE_ACCOUNT' is not set.
|
|
99
127
|
|
|
128
|
+
### azure_use_workload_id
|
|
129
|
+
|
|
130
|
+
Use Azure Workload Identity for authentication. The plugin will use a token generated from the kubernetes OIDC issuer to get an Azure OAuth2 token, which will be used to authenticate with the storage API. Supersedes other authentication types. Requires azure_oauth_tenant_id and azure_oauth_app_id to be set. See https://azure.github.io/azure-workload-identity/docs/introduction.html for implementation details. Default is false.
|
|
131
|
+
|
|
132
|
+
### azure_federated_token_file_path
|
|
133
|
+
|
|
134
|
+
The path where the federated token is mounted on the local filesystem. If not specified, defaults to the value of the environment variable `AZURE_FEDERATED_TOKEN_FILE`, or `/var/run/secrets/azure/tokens/azure-identity-token` if the environment variable is not set. Defaults set per Azure Workload Identity documentation.
|
|
135
|
+
|
|
100
136
|
### azure_storage_access_key (not implemented yet - use msi)
|
|
101
137
|
|
|
102
138
|
Your Azure Storage Access Key(Primary or Secondary). This also can be got from Azure Management potal. Storage access key authentication is used when this parameter is provided or environment variable 'AZURE_STORAGE_ACCESS_KEY' is set.
|
|
@@ -115,11 +151,11 @@ Azure AD object id is a specific explicit identity to use when authenticating to
|
|
|
115
151
|
|
|
116
152
|
### azure_oauth_tenant_id (Preview)
|
|
117
153
|
|
|
118
|
-
Azure account tenant id from your Azure Directory. Required if OAuth based credential mechanism is used.
|
|
154
|
+
Azure account tenant id from your Azure Directory. Required if workload ID or OAuth based credential mechanism is used.
|
|
119
155
|
|
|
120
156
|
### azure_oauth_app_id (Preview)
|
|
121
157
|
|
|
122
|
-
OAuth client id that is used for OAuth based authentication. Required if OAuth based credential mechanism is used.
|
|
158
|
+
OAuth client id that is used for OAuth based authentication. Required if workload ID or OAuth based credential mechanism is used.
|
|
123
159
|
|
|
124
160
|
### azure_oauth_secret (Preview)
|
|
125
161
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.3.
|
|
1
|
+
0.3.8
|
|
@@ -23,6 +23,8 @@ module Fluent::Plugin
|
|
|
23
23
|
config_param :path, :string, :default => ""
|
|
24
24
|
config_param :azure_storage_account, :string, :default => nil
|
|
25
25
|
config_param :azure_storage_access_key, :string, :default => nil, :secret => true
|
|
26
|
+
config_param :azure_use_workload_id, :string, :default => false
|
|
27
|
+
config_param :azure_federated_token_file_path, :string, :default => nil
|
|
26
28
|
config_param :azure_instance_msi, :string, :default => nil
|
|
27
29
|
config_param :azure_client_id, :string, :default => nil
|
|
28
30
|
config_param :azure_object_id, :string, :default => nil
|
|
@@ -261,17 +263,49 @@ module Fluent::Plugin
|
|
|
261
263
|
end
|
|
262
264
|
|
|
263
265
|
def acquire_access_token
|
|
264
|
-
if
|
|
266
|
+
if @azure_use_workload_id
|
|
267
|
+
acquire_access_token_federated
|
|
268
|
+
elsif !@azure_instance_msi.nil?
|
|
265
269
|
acquire_access_token_msi
|
|
266
270
|
elsif !@azure_oauth_app_id.nil? and !@azure_oauth_secret.nil? and !@azure_oauth_tenant_id.nil?
|
|
267
271
|
acquire_access_token_oauth_app
|
|
268
272
|
elsif @azure_oauth_use_azure_cli
|
|
269
273
|
acquire_access_token_by_az
|
|
270
274
|
else
|
|
271
|
-
raise Fluent::UnrecoverableError, "Using MSI or 'az cli tool' or simple OAuth 2.0 based authentication parameters (azure_oauth_tenant_id, azure_oauth_app_id, azure_oauth_secret) are required."
|
|
275
|
+
raise Fluent::UnrecoverableError, "Using MSI or Workload Identity or 'az cli tool' or simple OAuth 2.0 based authentication parameters (azure_oauth_tenant_id, azure_oauth_app_id, azure_oauth_secret) are required."
|
|
272
276
|
end
|
|
273
277
|
end
|
|
274
278
|
|
|
279
|
+
private
|
|
280
|
+
def acquire_access_token_federated
|
|
281
|
+
token_path = @azure_federated_token_file_path ||= ENV['AZURE_TOKEN_FILE'] ||= "/var/run/secrets/azure/tokens/azure-identity-token"
|
|
282
|
+
log.debug "azurestorage_gen2: Reading federated token from #{token_path}"
|
|
283
|
+
token = File.read(token_path)
|
|
284
|
+
log.debug "azurestorage_gen2: Locally mounted token: #{token}"
|
|
285
|
+
params = { :"api-version" => ACCESS_TOKEN_API_VERSION, :resource => "#{@url_storage_resource}"}
|
|
286
|
+
headers = {:"Content-Type" => "application/x-www-form-urlencoded"}
|
|
287
|
+
content = "grant_type=client_credentials&client_id=#{@azure_oauth_app_id}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=#{token.chomp}&resource=#{@url_storage_resource}&scope=https://storage.azure.com/.default"
|
|
288
|
+
req_opts = {
|
|
289
|
+
:params => params,
|
|
290
|
+
:body => content,
|
|
291
|
+
:headers => headers,
|
|
292
|
+
:timeout => @http_timeout_seconds
|
|
293
|
+
}
|
|
294
|
+
add_proxy_options(req_opts)
|
|
295
|
+
request = Typhoeus::Request.new("#{@azure_oauth_identity_authority}/#{@azure_oauth_tenant_id}/oauth2/token", req_opts)
|
|
296
|
+
|
|
297
|
+
request.on_complete do |response|
|
|
298
|
+
if response.success?
|
|
299
|
+
data = JSON.parse(response.body)
|
|
300
|
+
log.debug "azurestorage_gen2: Token response: #{data}"
|
|
301
|
+
@azure_access_token = data["access_token"].chomp
|
|
302
|
+
else
|
|
303
|
+
raise Fluent::UnrecoverableError, "Failed to acquire access token. #{response.code}: #{response.body}"
|
|
304
|
+
end
|
|
305
|
+
end
|
|
306
|
+
request.run
|
|
307
|
+
end
|
|
308
|
+
|
|
275
309
|
# Referenced from azure doc.
|
|
276
310
|
# https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage#get-an-access-token-and-use-it-to-call-azure-storage
|
|
277
311
|
private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-azurestorage-gen2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Oliver Szabo
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-08-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: fluentd
|