feat: Provide support for Azure AD Workload Identity (#263)

* Helm support for Azure AD Workload Identity. Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com> * Incorporate PR reviews. Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com> * Fix missing space. Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com> * Fix indent. Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com>
kedacore · Apr 26, 2022 · 9ceb455 · 9ceb455
1 parent 76523f7
commit 9ceb455
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/keda/README.md b/keda/README.md
@@ -78,6 +78,10 @@ their default values.
 | `serviceAccount.name`                                      | The name of the service account to use. If not set and create is true, a name is generated.      | `keda-operator` |
 | `serviceAccount.annotations`                               | Annotations to add to the service account | `{}` |
 | `podIdentity.activeDirectory.identity`                     | Identity in Azure Active Directory to use for Azure pod identity | `` |
+| `podIdentity.azureWorkload.clientId`                       | Id of Azure Active Directory Client to use for authentication with Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | `` |
+| `podIdentity.azureWorkload.enabled`                        | Specifies whether [Azure Workload Identity](https://azure.github.io/azure-workload-identity/) is to be enabled or not. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | `false` |
+| `podIdentity.azureWorkload.tenantId`                       | Id Azure Active Directory Tenant to use for authentication with for Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | `` |
+| `podIdentity.azureWorkload.tokenExpiration`                | Duration in seconds to automatically expire tokens for the service account. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | `3600` |
 | `grpcTLSCertsSecret`                                       | Name of the secret that will be mounted to the /grpccerts path on the Pod to communicate over TLS with external scaler(s) (recommended).  | ``|
 | `hashiCorpVaultTLS`                                        | Name of the secret that will be mounted to the /vault path on the Pod to communicate over TLS with HashiCorp Vault (recommended). | `` |
 | `logging.operator.level`                                   | Logging level for KEDA Operator. Allowed values are 'debug', 'info' & 'error'. | `info`                                        |

diff --git a/keda/templates/01-serviceaccount.yaml b/keda/templates/01-serviceaccount.yaml
@@ -4,10 +4,16 @@ kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+    azure.workload.identity/use: "{{ .Values.podIdentity.azureWorkload.enabled }}"
     {{- include "keda.labels" . | indent 4 }}
-  {{- if .Values.serviceAccount.annotations }}
+  {{- if or .Values.podIdentity.azureWorkload.enabled .Values.serviceAccount.annotations }}
   annotations:
-  {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
+    {{- if .Values.podIdentity.azureWorkload.enabled }}
+    azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId }}
+    azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId }}
+    azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration }}
+    {{- end }}
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
   {{- end }}
   name: {{ .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace }}

diff --git a/keda/values.yaml b/keda/values.yaml
@@ -20,7 +20,7 @@ watchNamespace: ""
 
 imagePullSecrets: []
 operator:
-  name: keda-operator  
+  name: keda-operator
   replicaCount: 1
 
 metricsServer:
@@ -57,11 +57,24 @@ serviceAccount:
   # Annotations to add to the service account
   annotations: {}
 
-# Set to the value of the Azure Active Directory Pod Identity
-# This will be set as a label on the KEDA Pod(s)
 podIdentity:
   activeDirectory:
+    # Set to the value of the Azure Active Directory Pod Identity
+    # See https://keda.sh/docs/concepts/authentication/#azure-pod-identity
+    # This will be set as a label on the KEDA Pod(s)
     identity: ""
+  azureWorkload:
+    # Set to true to enable Azure Workload Identity usage.
+    # See https://keda.sh/docs/concepts/authentication/#azure-workload-identity
+    # This will be set as a label on the KEDA service account.
+    enabled: false
+    # Set to the value of the Azure Active Directory Client and Tenant Ids
+    # respectively. These will be set as annotations on the KEDA service account.
+    clientId: ""
+    tenantId: ""
+    # Set to the value of the service account token expiration duration.
+    # This will be set as an annotation on the KEDA service account.
+    tokenExpiration: 3600
 
 # Set this if you are using an external scaler and want to communicate
 # over TLS (recommended). This variable holds the name of the secret that