Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Provide support for specifying identity to use for Azure managed identity auth #2741

Conversation

stephaneey
Copy link

@stephaneey stephaneey commented Mar 12, 2022

This PR aims at improving the way pod managed identities are used with Azure Services and Azure Storage in particular. Workloads can specify the identity to be used by the operator when peeking the Azure service

Checklist

  • Commits are signed with Developer Certificate of Origin (DCO - learn more)
  • Tests have been added
  • A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
  • A PR is opened to update the documentation on (repo) (if applicable)
  • Changelog has been updated and is aligned with our changelog requirements

Relates to #2656.

@stephaneey stephaneey requested a review from a team as a code owner March 12, 2022 17:22
@stephaneey stephaneey force-pushed the stephaneey/podidentity branch from 09e3b24 to 15d5205 Compare March 13, 2022 06:54
@tomkerkhove tomkerkhove changed the title Stephaneey/podidentity feat: Provide support for specifying identity to use for Azure managed identity auth Mar 14, 2022
CHANGELOG.md Outdated Show resolved Hide resolved
@tomkerkhove
Copy link
Member

Would you mind sending a PR for our docs please?

@stephaneey
Copy link
Author

Would you mind sending a PR for our docs please?

No problem. I was waiting for this PR to move on :)

@zroubalik zroubalik requested a review from JorTurFer March 22, 2022 20:17
Copy link
Member

@JorTurFer JorTurFer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First, thanks a ton for this huge effort, not only the code, also the research that you have done.
❤️ ❤️ ❤️

From technological pov I can't say anything because I'm not an expert in Azure Identities, the idea that you proposed in the issue IMO is achieved.

From code and KEDA pov, I left some comments inline and in general I prefer to avoid using magic strings if there is a constant for it.
Things like kedav1alpha1.AuthPodIdentity{Provider: "azure"}} could be kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderAzure}}.
It's more verbose, but we avoid magic strings and give us the option to change it in the future if it's needed

CHANGELOG.md Outdated Show resolved Hide resolved
pkg/scalers/azure_eventhub_scaler_test.go Outdated Show resolved Hide resolved
pkg/scalers/azure_eventhub_scaler_test.go Outdated Show resolved Hide resolved
apis/keda/v1alpha1/triggerauthentication_types.go Outdated Show resolved Hide resolved
@tomkerkhove
Copy link
Member

Let us know if you need any other feedback @stephaneey!

Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@stephaneey stephaneey force-pushed the stephaneey/podidentity branch from f29b10d to 53f17e0 Compare March 31, 2022 07:56
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@stephaneey
Copy link
Author

@tomkerkhove I applied all the changes on my own branch. Should I make a new PR?

@tomkerkhove
Copy link
Member

Nope, you can just push them here indeed, thanks!

Would you mind rebasing/merging latest from main to fix the conflicts please?

@stephaneey
Copy link
Author

Nope, you can just push them here indeed, thanks!

Would you mind rebasing/merging latest from main to fix the conflicts please?

Hey @tomkerkhove

Sorry to bother but I'm not sure what I'm supposed to do here. I applied all the changes to this branch on my own repo: https://github.com/stephaneey/keda/tree/stephaneey/podidentity
I thought of closing this PR and making a new one so that all the latest changes would be part of the new PR. Merging is greyed out for me...I also don't want to do something that violates the DCO (I lost quite some time with this already). So, what am I supposed to to exactly?

Thanks

@tomkerkhove
Copy link
Member

No need to create a new PR or we will lose the context from this one.

What you should do is:

  1. Add upstream remote to kedacore/keda
  2. Fetch main branch and pull it
  3. Merge changes to your fork's branch

This should help you : https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/merging-an-upstream-repository-into-your-fork

@zroubalik
Copy link
Member

It's alwasy better to do git pull --rebase instead of merging new changes from main. DCO is fixable (Details on DCO provides a customized command that fixes DCO).
But if you think that it is too complicated, there's no need to open a new PR, you can just force push to your branch :)

Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@stephaneey
Copy link
Author

Hey @tomkerkhove @zroubalik

Thanks for your review. I resolved the conflicts and the PR is being validated.

Best regards

@tomkerkhove tomkerkhove requested a review from a team April 2, 2022 11:27
@tomkerkhove
Copy link
Member

Thanks a ton!

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, only HTTP client usage

pkg/scalers/azure/azure_aad_podidentity.go Show resolved Hide resolved
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@zroubalik
Copy link
Member

zroubalik commented Apr 7, 2022

/run-e2e azure*
Update: You can check the progres here

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, but I think we should document this, could you please open docs PR?

CHANGELOG.md Outdated Show resolved Hide resolved
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@stephaneey
Copy link
Author

Looking good, but I think we should document this, could you please open docs PR?
@tomkerkhove @zroubalik

Where should it be documented? I don't see a "general" category in the docs. Can you elaborate on what is expected to avoid back & forth conversations? I already "documented" the changes in the initial issue #2656. I have forked the docs repo..

Thanks

@tomkerkhove
Copy link
Member

All docs live in kedacore/keda-docs (see PR description) where we need to document this new feature in how people can configure to use a different identity (not perse how it works under the covers)

@tomkerkhove
Copy link
Member

Feel free to have a look at our contribution guide.

@stephaneey
Copy link
Author

Feel free to have a look at our contribution guide.

That's exactly what I did (as mentioned I already cloned the doc repo & created my own branch) and why I come back to ask what is expected. The contribution guide just says that you must open a PR for the doc...On Keda Docs, there are only instructions for:

  • Adding a new blob post
  • Adding a new scaler
  • Adding a new FAQ
  • Adding a new troubleshooting guidance

So my question is: where should I document my changes, given none of the above category corresponds. The closest one could be a blog post. Do you confirm?

Thanks

@tomkerkhove
Copy link
Member

No, we already have a documentation page for trigger authentication where you can just extend the pod Identity option for Azure.

https://keda.sh/docs/latest/concepts/authentication/

Just make sure this is only in v2.7.

Every documentation page also has a "suggest a change" button that takes you to the exact file.

@tomkerkhove
Copy link
Member

The reason why it's not in that section is because there is no dedicated page per auth provider.

But I'll update the guidance to look for the suggest a change button as well if need be.

@stephaneey
Copy link
Author

Ok thanks, I'll have a look at it

Copy link
Member

@JorTurFer JorTurFer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some inline comments.
There still are some magic strings, but looks good in general!
Thanks for this

CHANGELOG.md Outdated
@@ -39,7 +39,7 @@
- **General**: Support for `ValueMetricType` in `ScaledObject` for all scalers except CPU/Memory ([#2030](https://github.com/kedacore/keda/issues/2030))

### Improvements

- **TriggerAuthentication:** Provide support for specifying identity to use for Azure managed identity auth ([#2656](https://github.com/kedacore/keda/issues/2656))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, rename this to General,

  • General: Provide support for specifying identity to use for Azure managed identity auth (#2656)

@@ -149,7 +149,7 @@ func parseAzureEventHubMetadata(config *ScalerConfig) (*eventHubMetadata, error)
}
meta.eventHubInfo.ActiveDirectoryEndpoint = activeDirectoryEndpoint

if config.PodIdentity == "" || config.PodIdentity == v1alpha1.PodIdentityProviderNone {
if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string (kedav1alpha1.PodIdentityProviderNone)

@@ -214,7 +214,7 @@ func (checkpointer *defaultCheckpointer) extractCheckpoint(get *azblob.DownloadR
}

func getCheckpoint(ctx context.Context, httpClient util.HTTPDoer, info EventHubInfo, checkpointer checkpointer) (Checkpoint, error) {
blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.PodIdentityProviderNone, info.StorageConnection, "", "")
blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, info.StorageConnection, "", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string (kedav1alpha1.PodIdentityProviderNone)

@@ -339,7 +340,7 @@ func TestShouldParseCheckpointForGoSdk(t *testing.T) {
func createNewCheckpointInStorage(urlPath string, containerName string, partitionID string, checkpoint string, metadata map[string]string) (context.Context, error) {
ctx := context.Background()

credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, "none", StorageConnectionString, "", "")
credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, StorageConnectionString, "", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string (kedav1alpha1.PodIdentityProviderNone)

@@ -216,7 +216,7 @@ func TestAzureAppInsightsGetMetricSpecForScaling(t *testing.T) {
}
mockAzureAppInsightsScaler := azureAppInsightsScaler{
metadata: meta,
podIdentity: kedav1alpha1.PodIdentityProviderAzure,
podIdentity: kedav1alpha1.AuthPodIdentity{Provider: "azure"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string)

@@ -165,8 +165,8 @@ func parseAzureLogAnalyticsMetadata(config *ScalerConfig) (*azureLogAnalyticsMet
meta.clientSecret = clientSecret

meta.podIdentity = ""
case kedav1alpha1.PodIdentityProviderAzure:
meta.podIdentity = string(config.PodIdentity)
case kedav1alpha1.AuthPodIdentity{Provider: "azure"}:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string

@@ -176,7 +176,7 @@ func parseAzureMonitorMetadata(config *ScalerConfig) (*azureMonitorMetadata, err

// parseAzurePodIdentityParams gets the activeDirectory clientID and password
func parseAzurePodIdentityParams(config *ScalerConfig) (clientID string, clientPassword string, err error) {
if config.PodIdentity == "" || config.PodIdentity == kedav1alpha1.PodIdentityProviderNone {
if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string

if val == "true" {
config.PodIdentity = kedav1alpha1.PodIdentityProviderAzure
config.PodIdentity = kedav1alpha1.AuthPodIdentity{Provider: "azure"}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string

@@ -241,7 +241,7 @@ func TestResolveAuthRef(t *testing.T) {
},
soar: &kedav1alpha1.ScaledObjectAuthRef{Name: triggerAuthenticationName},
expected: map[string]string{"host": secretData},
expectedPodIdentity: kedav1alpha1.PodIdentityProviderNone,
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: "none"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string

authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam]
}
return authParams, podIdentity, nil
}

authParams, _ := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace)
return authParams, kedav1alpha1.PodIdentityProviderNone, nil
return authParams, kedav1alpha1.AuthPodIdentity{Provider: "none"}, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace this magic string

@tomkerkhove
Copy link
Member

Feel free to let us know if you need any help @stephaneey

@tomkerkhove
Copy link
Member

tomkerkhove commented May 4, 2022

Bump @stephaneey, anything we can help you with?

Do note that our workload identity support is close as well - #2907

@stephaneey
Copy link
Author

Bump @stephaneey, anything we can help you with?

Do note that our workload identity support is close as well - #2907

Hi Tom,

Indeed, sorry for the late reply. I guess we'd better discard the PR with the arrival of workload identities and the low value added to the product.

Best Regards

@tomkerkhove
Copy link
Member

Oh I don't think this is low value add as it allows for identity segregation but maybe you don't have time to work on it anymore?

@stephaneey
Copy link
Author

Oh I don't think this is low value add as it allows for identity segregation but maybe you don't have time to work on it anymore?

Well, indeed, it's a bit tricky these days and I spent more time in fixing conflicts than writing the actual code. The review process takes time (it's normal and even a very good practice to ensure high quality), but this leads to new conflicts each time I adjust the changes to the remarks, so it's a never ending story and I don't have much time to allocate (my bad). I don't know if someone can take this over, else, it was a nice attempt :)

@tomkerkhove tomkerkhove changed the base branch from main to azure-identity-seperation May 5, 2022 12:17
@tomkerkhove
Copy link
Member

No problem at all - I will merge this in to azure-identity-seperation branch and hopefully somebody else can pick this up.

Thanks for the initial start.

Oh I don't think this is low value add as it allows for identity segregation but maybe you don't have time to work on it anymore?

Well, indeed, it's a bit tricky these days and I spent more time in fixing conflicts than writing the actual code. The review process takes time (it's normal and even a very good practice to ensure high quality), but this leads to new conflicts each time I adjust the changes to the remarks, so it's a never ending story and I don't have much time to allocate (my bad). I don't know if someone can take this over, else, it was a nice attempt :)

We are always happy to hear feedback on how we can improve though

@tomkerkhove tomkerkhove merged commit abc1991 into kedacore:azure-identity-seperation May 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants