From 023bcbadc72e44086888e6cc93cfe4aaad61e38b Mon Sep 17 00:00:00 2001
From: Arnab Baishnab Nipun
Date: Thu, 23 Apr 2026 15:44:34 +0600
Subject: [PATCH] Add wal backup support for azure credless mode
Signed-off-by: Arnab Baishnab Nipun
---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/storages/azure/configure.go | 1 +
 pkg/storages/azure/storage.go | 20 ++++++++++++++++----
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 1b24d590c..8edc1aa58 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 cloud.google.com/go/storage v1.51.0
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0-beta.3
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
 github.com/RoaringBitmap/roaring v0.4.21
 github.com/aws/aws-sdk-go v1.55.6
diff --git a/go.sum b/go.sum
index 7873326d4..55aab07a2 100644
--- a/go.sum
+++ b/go.sum
@@ -65,8 +65,8 @@ filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0-beta.3 h1:0g4UTtvRA9goC37cmD9ZHdW6CCNJR4cOXBnHz0r4ubM= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0-beta.3/go.mod h1:fEiHi0sbYqbo3shUkIF1SNxm8GyeEJl+Poc/djOvbdE= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
diff --git a/pkg/storages/azure/configure.go b/pkg/storages/azure/configure.go
index 9134a34d0..d8a54a217 100644
--- a/pkg/storages/azure/configure.go
+++ b/pkg/storages/azure/configure.go
@@ -19,6 +19,7 @@ const (
 BuffersSetting = "AZURE_MAX_BUFFERS"
 TryTimeoutSetting = "AZURE_TRY_TIMEOUT"
 BlobStoreAPIVersion = "AZURE_BLOB_STORE_API_VERSION"
+ FederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
 )
 // SettingList provides a list of GCS folder settings.
diff --git a/pkg/storages/azure/storage.go b/pkg/storages/azure/storage.go
index b6eb5212f..503f35435 100644
--- a/pkg/storages/azure/storage.go
+++ b/pkg/storages/azure/storage.go
@@ -4,8 +4,10 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "os"
 "time"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
@@ -154,9 +156,19 @@ func containerClientWithAccessKey(config *Config) (*container.Client, error) {
 }
 func containerClientWithDefaultAuth(config *Config) (*container.Client, error) {
- defaultCredential, err := azidentity.NewDefaultAzureCredential(nil)
- if err != nil {
- return nil, fmt.Errorf("construct the default Azure credential chain: %w", err)
+ var credential azcore.TokenCredential
+ var err error
+
+ if os.Getenv(FederatedTokenFile) != "" {
+ if credential, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+ EnableAzureProxy: true,
+ }); err != nil {
+ return nil, fmt.Errorf("construct workload identity credential: %w", err)
+ }
+ } else {
+ if credential, err = azidentity.NewDefaultAzureCredential(nil); err != nil {
+ return nil, fmt.Errorf("construct the default Azure credential chain: %w", err)
+ }
 }
 containerURLString := fmt.Sprintf(
@@ -170,7 +182,7 @@ func containerClientWithDefaultAuth(config *Config) (*container.Client, error) {
 return nil, fmt.Errorf("parse service URL: %w", err)
 }
- containerClient, err := container.NewClient(containerURLString, defaultCredential, buildClientOptions(config))
+ containerClient, err := container.NewClient(containerURLString, credential, buildClientOptions(config))
 return containerClient, err
 }
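Review bot: The branch added to containerClientWithDefaultAuth hard-codes `EnableAzureProxy: true` whenever AZURE_FEDERATED_TOKEN_FILE is non-empty, so every existing workload-identity deployment is moved off the NewDefaultAzureCredential chain (which, as far as I know, already attempts workload identity from the same environment) and into proxy mode without opting in. Judging by the option name, this changes which endpoint receives the federated token exchange, so I would gate it on an explicit wal-g setting rather than infer it from the token file, e.g. `EnableAzureProxy: useProxy,` with `useProxy` read from a new opt-in setting (placeholder name). The option also appears to be the reason go.mod moves to `azidentity v1.14.0-beta.3`; a pre-release of the library that mints the storage credential deserves a comment at this call site and a follow-up to return to a stable tag. The function body continues past this hunk into the next one.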