-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Provide support for specifying identity to use for Azure managed identity auth #2741
feat: Provide support for specifying identity to use for Azure managed identity auth #2741
Conversation
09e3b24
to
15d5205
Compare
Would you mind sending a PR for our docs please? |
No problem. I was waiting for this PR to move on :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First, thanks a ton for this huge effort, not only the code, also the research that you have done.
❤️ ❤️ ❤️
From technological pov I can't say anything because I'm not an expert in Azure Identities, the idea that you proposed in the issue IMO is achieved.
From code and KEDA pov, I left some comments inline and in general I prefer to avoid using magic strings if there is a constant for it.
Things like kedav1alpha1.AuthPodIdentity{Provider: "azure"}}
could be kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderAzure}}
.
It's more verbose, but we avoid magic strings and give us the option to change it in the future if it's needed
Let us know if you need any other feedback @stephaneey! |
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
f29b10d
to
53f17e0
Compare
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
@tomkerkhove I applied all the changes on my own branch. Should I make a new PR? |
Nope, you can just push them here indeed, thanks! Would you mind rebasing/merging latest from main to fix the conflicts please? |
Hey @tomkerkhove Sorry to bother but I'm not sure what I'm supposed to do here. I applied all the changes to this branch on my own repo: https://github.com/stephaneey/keda/tree/stephaneey/podidentity Thanks |
No need to create a new PR or we will lose the context from this one. What you should do is:
This should help you : https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/merging-an-upstream-repository-into-your-fork |
It's alwasy better to do |
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
Thanks for your review. I resolved the conflicts and the PR is being validated. Best regards |
Thanks a ton! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good, only HTTP client usage
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
/run-e2e azure* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good, but I think we should document this, could you please open docs PR?
Signed-off-by: Stephane Eyskens <stephaneey@hotmail.com>
Where should it be documented? I don't see a "general" category in the docs. Can you elaborate on what is expected to avoid back & forth conversations? I already "documented" the changes in the initial issue #2656. I have forked the docs repo.. Thanks |
All docs live in kedacore/keda-docs (see PR description) where we need to document this new feature in how people can configure to use a different identity (not perse how it works under the covers) |
Feel free to have a look at our contribution guide. |
That's exactly what I did (as mentioned I already cloned the doc repo & created my own branch) and why I come back to ask what is expected. The contribution guide just says that you must open a PR for the doc...On Keda Docs, there are only instructions for:
So my question is: where should I document my changes, given none of the above category corresponds. The closest one could be a blog post. Do you confirm? Thanks |
No, we already have a documentation page for trigger authentication where you can just extend the pod Identity option for Azure. https://keda.sh/docs/latest/concepts/authentication/ Just make sure this is only in v2.7. Every documentation page also has a "suggest a change" button that takes you to the exact file. |
The reason why it's not in that section is because there is no dedicated page per auth provider. But I'll update the guidance to look for the suggest a change button as well if need be. |
Ok thanks, I'll have a look at it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some inline comments.
There still are some magic strings, but looks good in general!
Thanks for this
CHANGELOG.md
Outdated
@@ -39,7 +39,7 @@ | |||
- **General**: Support for `ValueMetricType` in `ScaledObject` for all scalers except CPU/Memory ([#2030](https://github.com/kedacore/keda/issues/2030)) | |||
|
|||
### Improvements | |||
|
|||
- **TriggerAuthentication:** Provide support for specifying identity to use for Azure managed identity auth ([#2656](https://github.com/kedacore/keda/issues/2656)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, rename this to General,
- General: Provide support for specifying identity to use for Azure managed identity auth (#2656)
@@ -149,7 +149,7 @@ func parseAzureEventHubMetadata(config *ScalerConfig) (*eventHubMetadata, error) | |||
} | |||
meta.eventHubInfo.ActiveDirectoryEndpoint = activeDirectoryEndpoint | |||
|
|||
if config.PodIdentity == "" || config.PodIdentity == v1alpha1.PodIdentityProviderNone { | |||
if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone
)
@@ -214,7 +214,7 @@ func (checkpointer *defaultCheckpointer) extractCheckpoint(get *azblob.DownloadR | |||
} | |||
|
|||
func getCheckpoint(ctx context.Context, httpClient util.HTTPDoer, info EventHubInfo, checkpointer checkpointer) (Checkpoint, error) { | |||
blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.PodIdentityProviderNone, info.StorageConnection, "", "") | |||
blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, info.StorageConnection, "", "") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone
)
@@ -339,7 +340,7 @@ func TestShouldParseCheckpointForGoSdk(t *testing.T) { | |||
func createNewCheckpointInStorage(urlPath string, containerName string, partitionID string, checkpoint string, metadata map[string]string) (context.Context, error) { | |||
ctx := context.Background() | |||
|
|||
credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, "none", StorageConnectionString, "", "") | |||
credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, StorageConnectionString, "", "") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone
)
@@ -216,7 +216,7 @@ func TestAzureAppInsightsGetMetricSpecForScaling(t *testing.T) { | |||
} | |||
mockAzureAppInsightsScaler := azureAppInsightsScaler{ | |||
metadata: meta, | |||
podIdentity: kedav1alpha1.PodIdentityProviderAzure, | |||
podIdentity: kedav1alpha1.AuthPodIdentity{Provider: "azure"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string)
@@ -165,8 +165,8 @@ func parseAzureLogAnalyticsMetadata(config *ScalerConfig) (*azureLogAnalyticsMet | |||
meta.clientSecret = clientSecret | |||
|
|||
meta.podIdentity = "" | |||
case kedav1alpha1.PodIdentityProviderAzure: | |||
meta.podIdentity = string(config.PodIdentity) | |||
case kedav1alpha1.AuthPodIdentity{Provider: "azure"}: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string
@@ -176,7 +176,7 @@ func parseAzureMonitorMetadata(config *ScalerConfig) (*azureMonitorMetadata, err | |||
|
|||
// parseAzurePodIdentityParams gets the activeDirectory clientID and password | |||
func parseAzurePodIdentityParams(config *ScalerConfig) (clientID string, clientPassword string, err error) { | |||
if config.PodIdentity == "" || config.PodIdentity == kedav1alpha1.PodIdentityProviderNone { | |||
if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string
if val == "true" { | ||
config.PodIdentity = kedav1alpha1.PodIdentityProviderAzure | ||
config.PodIdentity = kedav1alpha1.AuthPodIdentity{Provider: "azure"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string
@@ -241,7 +241,7 @@ func TestResolveAuthRef(t *testing.T) { | |||
}, | |||
soar: &kedav1alpha1.ScaledObjectAuthRef{Name: triggerAuthenticationName}, | |||
expected: map[string]string{"host": secretData}, | |||
expectedPodIdentity: kedav1alpha1.PodIdentityProviderNone, | |||
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: "none"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string
authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] | ||
} | ||
return authParams, podIdentity, nil | ||
} | ||
|
||
authParams, _ := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace) | ||
return authParams, kedav1alpha1.PodIdentityProviderNone, nil | ||
return authParams, kedav1alpha1.AuthPodIdentity{Provider: "none"}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace this magic string
Feel free to let us know if you need any help @stephaneey |
Bump @stephaneey, anything we can help you with? Do note that our workload identity support is close as well - #2907 |
Hi Tom, Indeed, sorry for the late reply. I guess we'd better discard the PR with the arrival of workload identities and the low value added to the product. Best Regards |
Oh I don't think this is low value add as it allows for identity segregation but maybe you don't have time to work on it anymore? |
Well, indeed, it's a bit tricky these days and I spent more time in fixing conflicts than writing the actual code. The review process takes time (it's normal and even a very good practice to ensure high quality), but this leads to new conflicts each time I adjust the changes to the remarks, so it's a never ending story and I don't have much time to allocate (my bad). I don't know if someone can take this over, else, it was a nice attempt :) |
No problem at all - I will merge this in to Thanks for the initial start.
We are always happy to hear feedback on how we can improve though |
This PR aims at improving the way pod managed identities are used with Azure Services and Azure Storage in particular. Workloads can specify the identity to be used by the operator when peeking the Azure service
Checklist
Relates to #2656.