kedacore · tomkerkhove · Apr 26, 2022 · Apr 26, 2022 · Apr 26, 2022 · Apr 26, 2022
@@ -78,6 +78,10 @@ their default values.
 | `serviceAccount.name`                                      | The name of the service account to use. If not set and create is true, a name is generated.      | `keda-operator` |
 | `serviceAccount.annotations`                               | Annotations to add to the service account | `{}` |
 | `podIdentity.activeDirectory.identity`                     | Identity in Azure Active Directory to use for Azure pod identity | `` |
+| `podIdentity.azureWorkload.clientId`                       | Azure Active Directory Client ID use for Azure Workload Identity. | `` |
+| `podIdentity.azureWorkload.enabled`                        | Specifies whether Azure Workload Identity is to be enabled. | `false` |
+| `podIdentity.azureWorkload.tenantId`                       | Azure Active Directory Tenant ID use for Azure Workload Identity. | `` |
+| `podIdentity.azureWorkload.tokenExpiration`                | Expiration duration (seconds) for projected service account tokens. | `3600` |
 | `grpcTLSCertsSecret`                                       | Name of the secret that will be mounted to the /grpccerts path on the Pod to communicate over TLS with external scaler(s) (recommended).  | ``|
 | `hashiCorpVaultTLS`                                        | Name of the secret that will be mounted to the /vault path on the Pod to communicate over TLS with HashiCorp Vault (recommended). | `` |
 | `logging.operator.level`                                   | Logging level for KEDA Operator. Allowed values are 'debug', 'info' & 'error'. | `info`                                        |

@@ -4,11 +4,15 @@ kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+    azure.workload.identity/use: "{{ .Values.podIdentity.azureWorkload.enabled }}"
     {{- include "keda.labels" . | indent 4 }}
-  {{- if .Values.serviceAccount.annotations }}
+  {{- if or .Values.podIdentity.azureWorkload.enabled .Values.serviceAccount.annotations }}
   annotations:
-  {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
-  {{- end }}
+    azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId }}
+    azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId }}
+    azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration }}
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
+    {{- end }}
   name: {{ .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace }}
 {{- end -}}
@@ -20,7 +20,7 @@ watchNamespace: ""
 
 imagePullSecrets: []
 operator:
-  name: keda-operator  
+  name: keda-operator
   replicaCount: 1
 
 metricsServer:
@@ -57,11 +57,22 @@ serviceAccount:
   # Annotations to add to the service account
   annotations: {}
 
-# Set to the value of the Azure Active Directory Pod Identity
-# This will be set as a label on the KEDA Pod(s)
 podIdentity:
   activeDirectory:
+    # Set to the value of the Azure Active Directory Pod Identity
+    # This will be set as a label on the KEDA Pod(s)
     identity: ""
+  azureWorkload:
+    # Set to true to enable Azure Workload Identity usage.
+    # This will be set as a label on the KEDA service account.
+    enabled: false
+    # Set to the value of the Azure Active Directory Client and Tenant Ids
+    # respectively. These will be set as annotations on the KEDA service account.
+    clientId: ""
+    tenantId: ""
+    # Set to the value of the service account token expiration duration.
+    # This will be set as an annotation on the KEDA service account.
+    tokenExpiration: 3600
 
 # Set this if you are using an external scaler and want to communicate
 # over TLS (recommended). This variable holds the name of the secret that