Info about workload identity in volume mounts

public-site/docker-compose.yml

@@ -9,7 +9,7 @@ services:
     networks:
       - radix-public-site
     ports:
-      - "8000:8000"
+      - "8001:8000"
     volumes:
       - type: bind
         source: .

public-site/docs/docs/topic-releases/index.md

@@ -4,6 +4,13 @@ title: What's new
 
 # What's new
 
+## 2025
+
+### 2025-02-10 
+Radix now supports two options for authentication to Azure Storage Account from a Radix application component
+- [Azure Storage Account Keys](/guides/volume-mounts/#authentication-with-azure-storage-account-keys), already existing
+- [Azure Workload Identity](/guides/volume-mounts/#authentication-with-azure-workload-identity), available from now, authentication without need of Azure Storage Account key=
+
 ## 2024
 
 ### 2024-12-20 Relaxed Memory limit rules
@@ -291,7 +298,7 @@ If your Radix application uses Azure Blob volume mount, [radixconfig.yaml](/radi
 volumeMounts:
   - name: volume-name
     path: /path/in/container/to/mount/to
-    blobfuse2:
+    blobFuse2:
       container: container-name
       uid: 1000
       accessMode: ReadWriteMany
@@ -369,7 +376,7 @@ If your Radix application uses [Azure Blob volume mount](/guides/volume-mounts/)
   volumeMounts:
     - name: storage1
       path: /app/image-storage
-      blobfuse2:
+      blobFuse2:
         protocol: fuse2
         container: blobfusevolume
         uid: 1700

public-site/docs/guides/volume-mounts/index.md

@@ -36,15 +36,42 @@ environmentConfig:
     volumeMounts:
       - name: storage
         path: /app/image-storage
-        blobfuse2:
+        blobFuse2:
           container: blobfusevolumetestdata
 ```
 
 - After environment has been built, set the generated secret to key found in step 1. This should ensure that key value is Consistent status. It is recommended to restart a component after a key has been set in the console
 
-![SetSecrets](./set-secrets.png)
+### Authentication with Azure Storage Account keys
+![SetSecrets](./storage-account-key-name-secrets.png)
 
-This results in the Kubernetes deployment holding the volume mount in PersistentVolumeClaim and its StorageClass:
+When [storageAccount](/radix-config#blobfuse2-settings) is set, the "Account Name" secret is not shown.
+
+### Authentication with Azure Workload Identity
+- Enable [Workload Identity](../workload-identity/#configure-workload-identity-in-radix) for the component or job.
+- Configure Workload Identity authentication for the Azure Storage Account by setting `useAzureIdentity: true` in the [volumeMounts](/radix-config#blobfuse2-settings) section in [radixconfig.yaml](/radix-config/index.md)
+
+An option `useAzureIdentity` on a component level, defined or left default `false`, can be overridden on an `environmentConfig` level.
+
+Example:
+```yaml
+identity:
+  azure:
+    clientId: abcdefgh-1234-5678-9012-34567abcdefg
+volumeMounts:
+  - name: volume-name
+    path: /path/in/container/to/mount/to
+    blobFuse2:
+      container: container-name
+      uid: 1000
+      useAzureIdentity: true
+      storageAccount: storage-account-name
+      resourceGroup: resource-group-for-storage-account
+      subscriptionId: subscription-id-for-storage-account
+```
+
+
+This results in the Kubernetes deployment holding the volume mount in PersistentVolumeClaim and PersistentVolume:
 
 ```yaml
 spec:
@@ -97,12 +124,12 @@ To add multiple volumes
       volumeMounts:
         - name: storage1
           path: /app/image-storage
-          blobfuse2:
+          blobFuse2:
             container: blobfusevolumetestdata
             uid: 1000
         - name: storage3
           path: /app/image-storage3
-          blobfuse2:
+          blobFuse2:
             container: blobfusevolumetestdata3
             uid: 1000
   ```

public-site/docs/guides/volume-mounts/optional-settings/index.md

@@ -6,7 +6,7 @@ title: VolumeMounts optional settings
 * [Main settings](/radix-config/index.md#volumemounts)
 * [Guide](../)
 
-_Applicable for: `blobfuse2`_
+_Applicable for: `blobFuse2`_
 
 - `accessMode` - [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) from container to external storage:
   - `ReadOnlyMany` - (default) read-only access.

public-site/docs/radix-config/index.md

@@ -581,7 +581,7 @@ spec:
       volumeMounts:
         - name: volume-name
           path: /path/in/container/to/mount/to
-          blobfuse2:
+          blobFuse2:
             container: container-name
             uid: 1000
         - name: temp-volume-name
@@ -598,9 +598,9 @@ The `volumeMounts` field configures volume mounts within the running component.
 - `name` - the name of the volume. Unique within `volumeMounts` list of a component
 - `path` - the folder inside the running container, where the external storage is mounted.
 - `emptyDir` - mounts a read-write empty volume in the container.
-- `blobfuse2` - mount a container from blob in [Azure storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview). Uses [CSI Azure blob storage driver](https://github.com/kubernetes-sigs/blob-csi-driver). Replaces types `blob` and `azure-blob` for obsolete drivers.
+- `blobFuse2` - mount a container from blob in [Azure storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview). Uses [CSI Azure blob storage driver](https://github.com/kubernetes-sigs/blob-csi-driver). Replaces types `blob` and `azure-blob` for obsolete drivers.
 
-`emptyDir` and `blobfuse2` are mutually exclusive.
+`emptyDir` and `blobFuse2` are mutually exclusive.
 
 #### `emptyDir` settings
 
@@ -622,7 +622,14 @@ An `emptyDir` volume mounts a temporary writable volume in the container. Data i
 - `protocol` - (optional) a protocol, supported by the BlobFuse2. Currently, supports `fuse2` (default) and `nfs`.
 - `container` - name of the blob container.
 - `uid` and/or `gid` - User ID and/or group ID (numbers) of a [mounted volume owner](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#podsecuritycontext-v1-core). It is a User ID and Group ID of a user in the running container within component replicas. Usually a user, which is a member of one or multiple [groups](https://en.wikipedia.org/wiki/Group_identifier), is specified in the `Dockerfile` for the component with command `USER`. Read [more details](../docs/topic-docker/index.md#running-as-non-root) about specifying user within `Dockerfile`. It is recommended to use because Blobfuse driver do [not honor fsGroup securityContext settings](https://github.com/kubernetes-sigs/blob-csi-driver/blob/master/docs/driver-parameters.md).
-- `useAdls` - (optional) enables blobfuse to access Azure DataLake storage account. When set to false, blobfuse will access Azure Block Blob storage account, hierarchical file system is not supported. Default `false`. This must be set `true` when [HNS enabled account](https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-namespace) is mounted.
+- `useAdls` - (optional) enables blobfuse to access Azure DataLake storage account or when hierarchical namespace (filesystem) is enabled. When set to false, blobfuse will access Azure Block Blob storage account, hierarchical file system is not supported. Default `false`. This must be set `true` when [HNS enabled account](https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-namespace) is mounted.
+- `useAzureIdentity` - If set to `true`, Radix will use [Azure Workload Identity](/guides/volume-mounts/#authentication-with-azure-workload-identity) to acquire credentials for accessing Azure Storage Account using the service principal configured in [identity.azure](#identity). This field is optional, with default value `false`. If omitted or set to `false`, credentials are acquired using [Azure Storage Account Keys](/guides/volume-mounts/#authentication-with-azure-storage-account-keys).
+- `storageAccount` - name of the Azure Storage Account. 
+  - required when `useAzureIdentity: true`.
+  - optional when `useAzureIdentity: false` or omitted. If not set, the value from the `Account Name` field in the `secrets` section is used.
+- `resourceGroup` - name of the Azure Resource Group for the Storage Account. (required when `useAzureIdentity: true`).
+- `subscriptionId` - Azure Subscription ID for the Storage Account (required when `useAzureIdentity: true`).
+- `tenantId` - (optional) Azure Tenant ID for the Storage Account. (applicable when `useAzureIdentity: true`).
 - `streaming` - (optional) defines a file streaming. When it is turned on (it is by default), files, opened by a container in its volume mount are not cached on a node, but read directly from a blob storage. It is recommended to use. When it is turned off, files are cached on a node, but it may cause a problem with a limited node disk available space.
 
   _Options for `streaming`_
@@ -967,7 +974,7 @@ spec:
           volumeMounts:
             - name: volume-name
               path: /path/in/container/to/mount/to
-              blobfuse2:
+              blobFuse2:
                 container: container-name
                 uid: 1000
             - name: temp-volume-name
@@ -1567,7 +1574,7 @@ spec:
       volumeMounts:
         - name: volume-name
           path: /path/in/container/to/mount/to
-          blobfuse2:
+          blobFuse2:
             container: container-name
             uid: 1000
 ```
@@ -1711,7 +1718,7 @@ spec:
           volumeMounts:
             - name: volume-name
               path: /path/in/container/to/mount/to
-              blobfuse2:
+              blobFuse2:
                 container: container-name
                 uid: 1000
 ```
@@ -2076,7 +2083,7 @@ spec:
       volumeMounts:
         - name: volume-name
           path: /path/in/container/to/mount/to
-          blobfuse2:
+          blobFuse2:
             container: container-name
             uid: 1000
       secretRefs: