Is your feature request related to a problem?/Why is this needed
A customer using ARO wants to spin up an OpenShift cluster with "az aro create" without needing additional input, i.e. without the need for an AD account or service principal credentials, and the identity used is never visible to the customer and cannot appear in the cluster.
As an administrator, I want to deploy OpenShift 4 and run Operators on Azure using access controls (IAM roles) with temporary, limited privilege credentials.
Describe the solution you'd like in detail
CSI Driver should support identity federation to enable workload identities; similar work is currently WIP in cluster-api-provider-azure.
In order to use identity federation the driver has to be updated to use azidentity instead of autorest/adal.
Describe alternatives you've considered
Alternatively, if we can't migrate the driver to azidentity, OpenShift Operators might use an OIDC sidecar as a short-term solution: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#how-to-migrate-to-workload-identity
Additional context
OpenShift Enhancement: https://github.com/openshift/enhancements/blob/40aac25619eb2e1bd2fb55a90bdcdddf7d7346e2/enhancements/cloud-integration/azure/azure-workload-identity.md
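For readers unfamiliar with what identity federation changes on the wire, the following is an added example, not part of the original issue and not code from the driver or from azidentity. It builds the OAuth 2.0 client-credentials request in which the pod's projected service account token takes the place of a client secret. It assumes the `AZURE_*` variables injected by the Azure workload identity webhook; `BuildTokenRequest`, the placeholder IDs and the sample token are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// BuildTokenRequest returns the token endpoint and form body that trade the
// pod's projected service account token for an Azure AD access token.
// getenv and readFile are injected so the logic can be exercised offline.
func BuildTokenRequest(getenv func(string) string, readFile func(string) ([]byte, error), scope string) (string, url.Values, error) {
	tenant, client, path := getenv("AZURE_TENANT_ID"), getenv("AZURE_CLIENT_ID"), getenv("AZURE_FEDERATED_TOKEN_FILE")
	if tenant == "" || client == "" || path == "" {
		return "", nil, fmt.Errorf("AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must all be set")
	}
	// Read the file on every call: the kubelet rotates the projected token,
	// so a value cached at start-up eventually expires.
	raw, err := readFile(path)
	if err != nil {
		return "", nil, fmt.Errorf("read federated token: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if strings.Count(token, ".") != 2 {
		return "", nil, fmt.Errorf("federated token file does not contain a compact JWT")
	}
	host := getenv("AZURE_AUTHORITY_HOST")
	if host == "" {
		host = "https://login.microsoftonline.com/"
	}
	endpoint := strings.TrimRight(host, "/") + "/" + url.PathEscape(tenant) + "/oauth2/v2.0/token"
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {client},
		"scope":                 {scope},
		"client_assertion_type": {assertionType},
		"client_assertion":      {token}, // sent instead of client_secret
	}
	return endpoint, form, nil
}

func main() {
	// Constructed values; in a real pod the webhook injects the environment.
	env := map[string]string{"AZURE_TENANT_ID": "tenant-placeholder", "AZURE_CLIENT_ID": "client-placeholder", "AZURE_FEDERATED_TOKEN_FILE": "/tmp/token"}
	read := func(string) ([]byte, error) { return []byte("hdr.payload.sig\n"), nil }
	endpoint, form, err := BuildTokenRequest(func(k string) string { return env[k] }, read, "https://management.azure.com/.default")
	fmt.Println(endpoint, form.Encode(), err)
}
```

No long-lived secret appears in the request or in the pod spec; the only credential is the short-lived service account token, which Azure AD validates against the cluster's OIDC issuer.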