refactor(go/cloudauth): adopt shared Azure auth schema for collectors and secretstore#21995
Merged
ilyam8 merged 8 commits intonetdata:masterfrom Mar 20, 2026
Merged
Conversation
github-actions
bot
added
area/docs
area/collectors
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
2 issues found across 25 files
Confidence score: 3/5
- There is a concrete medium-high risk in
src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config.go:NewCredentialWithOptionsbypassesValidate(), so invalid configs can surface as less actionable Azure SDK errors instead of clear field-level validation messages. - The test issue in
src/go/plugin/agent/secrets/secretstore/backends/azure/init_test.gois lower severity, but the strict elapsed-time upper bound can introduce CI flakiness and intermittent failures unrelated to real behavior. - Given the severity (7/10) and high confidence (9/10) on the validation bypass, this carries some user-impacting regression risk and is best treated as moderate merge risk rather than a routine safe merge.
- Pay close attention to
src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config.goandsrc/go/plugin/agent/secrets/secretstore/backends/azure/init_test.go- restore validation parity in credential construction and relax timing assertions to reduce flaky CI failures.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config.go">
<violation number="1" location="src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config.go:90">
P1: `NewCredentialWithOptions` skips the `Validate()` call that `NewCredential` performs. Callers using this method will bypass config validation, resulting in cryptic Azure SDK errors instead of the clear field-level messages from `Validate()`.</violation>
</file>
<file name="src/go/plugin/agent/secrets/secretstore/backends/azure/init_test.go">
<violation number="1" location="src/go/plugin/agent/secrets/secretstore/backends/azure/init_test.go:151">
P2: This test uses a strict elapsed-time upper bound, which can cause flaky failures on slow/loaded CI even when timeout behavior is correct.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
src/go/plugin/agent/secrets/secretstore/backends/azure/init_test.go
Outdated
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
Pull request overview
Refactors Azure AD auth configuration to use a shared, mode-specific schema across Go collectors and the Azure Key Vault secretstore backend, updating docs/schemas and aligning validation and credential creation paths.
Changes:
- Introduces nested Azure AD mode configs (
mode_service_principal,mode_managed_identity) with path-aware validation and credential options support. - Updates MSSQL DSN building and multiple collectors/tests/docs to use the new Azure AD auth schema.
- Refactors Azure Key Vault secretstore backend to use the shared
cloudauthtoken provider/credential creation and updates its JSON/UI schema accordingly.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/go/plugin/go.d/pkg/cloudauth/sqladapter/mssql_test.go | Updates MSSQL DSN tests to use nested Azure AD mode configs. |
| src/go/plugin/go.d/pkg/cloudauth/sqladapter/mssql.go | Switches DSN building to read from nested Azure AD mode configs. |
| src/go/plugin/go.d/pkg/cloudauth/config_test.go | Adjusts config validation tests for the updated Azure AD schema. |
| src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config_test.go | Adds path-aware validation tests and updates existing cases to nested schema. |
| src/go/plugin/go.d/pkg/cloudauth/azuread_auth_config.go | Implements nested mode configs, path-aware validation, and credential options plumbing. |
| src/go/plugin/go.d/config/go.d/ss/azure-kv.conf | Updates example secretstore config to service_principal schema naming. |
| src/go/plugin/go.d/collector/sql/metadata.yaml | Updates SQL collector docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/sql/integrations/sql_databases_generic.md | Updates SQL integration docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/sql/config_schema.json | Updates SQL collector JSON/UI schema for nested Azure AD configs and improved UI help. |
| src/go/plugin/go.d/collector/sql/collector_test.go | Updates SQL collector validation test to use nested Azure AD config. |
| src/go/plugin/go.d/collector/postgres/metadata.yaml | Updates Postgres collector docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/postgres/integrations/postgresql.md | Updates Postgres integration docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/postgres/config_schema.json | Updates Postgres collector JSON/UI schema for nested Azure AD configs and improved UI help. |
| src/go/plugin/go.d/collector/postgres/collector_test.go | Updates Postgres collector tests to use nested Azure AD config. |
| src/go/plugin/go.d/collector/mssql/mssql_test.go | Updates MSSQL collector test to use nested Azure AD config. |
| src/go/plugin/go.d/collector/mssql/metadata.yaml | Updates MSSQL collector docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/mssql/integrations/microsoft_sql_server.md | Updates MSSQL integration docs to nested Azure AD config fields. |
| src/go/plugin/go.d/collector/mssql/config_schema.json | Updates MSSQL collector JSON/UI schema for nested Azure AD configs and improved UI help. |
| src/go/plugin/agent/secrets/secretstore/provider_parity_test.go | Updates parity test expectations and UI schema lookup keys for new mode naming. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/resolve_test.go | Adds tests validating Key Vault resolve behavior with token provider auth. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/resolve.go | Removes custom token fetching; uses shared token provider for access tokens. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/provider.go | Replaces backend config types with shared cloudauth.AzureADAuthConfig and stores token provider. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/init_test.go | Adds tests for init validation, auth timeout selection, and credential timeout wrapper. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/init.go | Initializes Azure credential/token provider via shared cloudauth; wires transport/timeout behaviors. |
| src/go/plugin/agent/secrets/secretstore/backends/azure/config_schema.json | Updates Azure KV secretstore schema to `service_principal |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/go/plugin/agent/secrets/secretstore/backends/azure/resolve.go
Outdated
Show resolved
Hide resolved
stelfrag
approved these changes
Mar 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test Plan
Additional Information
For users: How does this change affect me?
Summary by cubic
Refactors Azure AD auth across
secretstore(Azure Key Vault) and SQL collectors to use a sharedcloud_auth.azure_adschema and Azure SDK credentials. Requires an explicitmodeand improves proxy routing, timeouts, and error clarity.Refactors
cloud_auth.azure_adwithmode_service_principalandmode_managed_identity;modeis required (service_principal|managed_identity|default); UI uses radio with clearer help; docs aligned with the new defaults.cloudauthtoken provider (Azure SDK); routes AAD requests through proxies and bypasses proxies for IMDS; applies HTTP client timeouts via a credential wrapper; clearer token acquisition errors.mssql,postgres, and genericsql; MSSQL DSN builder reads nested fields;cloud_auth.provider: azure_adrequires thecloud_auth.azure_adblock andmode.Migration
mode: clienttomode: service_principal.tenant_id,client_id,client_secretundermode_service_principal.mode_managed_identity.client_idif using a user‑assigned identity.modeexplicitly; usedefaultfor Azure SDKDefaultAzureCredential.mssql,postgres,sql):cloud_auth.azure_ad.modeexplicitly.cloud_auth.azure_ad.mode_service_principalormode_managed_identityas applicable.Written for commit 5d4f14f. Summary will update on new commits.