From 9c9af60811de3ca0fcced20fc25da25ba4e22e8c Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 16 Jun 2023 17:09:43 +0800 Subject: [PATCH 01/32] Update Signed-off-by: SpiritZhou --- CHANGELOG.md | 1 + apis/keda/v1alpha1/triggerauthentication_types.go | 2 +- pkg/scalers/azure/azure_app_insights.go | 4 ++-- pkg/scalers/azure/azure_data_explorer.go | 2 +- pkg/scalers/azure/azure_eventhub.go | 4 ++-- .../azure/azure_managed_prometheus_http_round_tripper.go | 2 +- pkg/scalers/azure/azure_monitor.go | 4 ++-- pkg/scalers/azure/azure_storage.go | 4 ++-- pkg/scalers/azure_log_analytics_scaler.go | 6 +++--- pkg/scalers/azure_servicebus_scaler.go | 2 +- pkg/scaling/resolver/azure_keyvault_handler.go | 6 +++--- pkg/scaling/resolver/scale_resolvers.go | 9 +++++++++ 12 files changed, 28 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b6bd659a521..d5e2eaeb3ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio ### Improvements - **General**: Metrics Adapter: remove deprecated Prometheus Metrics and non-gRPC code ([#3930](https://github.com/kedacore/keda/issues/3930)) +- **Azure PodIdentity**:Add validation of identity id to block empty identity id ([#4528](https://github.com/kedacore/keda/issues/4528)) - **Azure Data Explorer Scaler**: Use azidentity SDK ([#4489](https://github.com/kedacore/keda/issues/4489)) - **External Scaler**: Add tls options in TriggerAuth metadata. ([#3565](https://github.com/kedacore/keda/issues/3565)) - **GCP PubSub Scaler**: Make it more flexible for metrics ([#4243](https://github.com/kedacore/keda/issues/4243)) diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go index d97b827a5a7..60306b6bae9 100644 --- a/apis/keda/v1alpha1/triggerauthentication_types.go +++ b/apis/keda/v1alpha1/triggerauthentication_types.go @@ -116,7 +116,7 @@ const ( type AuthPodIdentity struct { Provider PodIdentityProvider `json:"provider"` // +optional - IdentityID string `json:"identityId"` + IdentityID *string `json:"identityId"` } // AuthSecretTargetRef is used to authenticate using a reference to a secret diff --git a/pkg/scalers/azure/azure_app_insights.go b/pkg/scalers/azure/azure_app_insights.go index c4c64d78c34..94bb60ca5f4 100644 --- a/pkg/scalers/azure/azure_app_insights.go +++ b/pkg/scalers/azure/azure_app_insights.go @@ -69,10 +69,10 @@ func getAuthConfig(ctx context.Context, info AppInsightsInfo, podIdentity kedav1 case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = info.AppInsightsResourceURL - config.ClientID = podIdentity.IdentityID + config.ClientID = *podIdentity.IdentityID return config case kedav1alpha1.PodIdentityProviderAzureWorkload: - return NewAzureADWorkloadIdentityConfig(ctx, podIdentity.IdentityID, info.AppInsightsResourceURL) + return NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, info.AppInsightsResourceURL) } return nil } diff --git a/pkg/scalers/azure/azure_data_explorer.go b/pkg/scalers/azure/azure_data_explorer.go index 915e5ece3d2..8f6d3983d7f 100644 --- a/pkg/scalers/azure/azure_data_explorer.go +++ b/pkg/scalers/azure/azure_data_explorer.go @@ -91,7 +91,7 @@ func getDataExplorerAuthConfig(metadata *DataExplorerMetadata) (*kusto.Connectio case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: azureDataExplorerLogger.V(1).Info(fmt.Sprintf("Creating Azure Data Explorer Client using podIdentity %s", metadata.PodIdentity.Provider)) - creds, chainedErr := NewChainedCredential(metadata.PodIdentity.IdentityID, metadata.PodIdentity.Provider) + creds, chainedErr := NewChainedCredential(*metadata.PodIdentity.IdentityID, metadata.PodIdentity.Provider) if chainedErr != nil { return nil, chainedErr } diff --git a/pkg/scalers/azure/azure_eventhub.go b/pkg/scalers/azure/azure_eventhub.go index e7c3b93b2e3..520cab279e4 100644 --- a/pkg/scalers/azure/azure_eventhub.go +++ b/pkg/scalers/azure/azure_eventhub.go @@ -53,7 +53,7 @@ func GetEventHubClient(ctx context.Context, info EventHubInfo) (*eventhub.Hub, e envJWTProviderOption := aad.JWTProviderWithAzureEnvironment(&env) resourceURLJWTProviderOption := aad.JWTProviderWithResourceURI(info.EventHubResourceURL) clientIDJWTProviderOption := func(config *aad.TokenProviderConfiguration) error { - config.ClientID = info.PodIdentity.IdentityID + config.ClientID = *info.PodIdentity.IdentityID return nil } @@ -68,7 +68,7 @@ func GetEventHubClient(ctx context.Context, info EventHubInfo) (*eventhub.Hub, e // User wants to use AAD Workload Identity env := azure.Environment{ActiveDirectoryEndpoint: info.ActiveDirectoryEndpoint, ServiceBusEndpointSuffix: info.ServiceBusEndpointSuffix} hubEnvOptions := eventhub.HubWithEnvironment(env) - provider := NewAzureADWorkloadIdentityTokenProvider(ctx, info.PodIdentity.IdentityID, info.EventHubResourceURL) + provider := NewAzureADWorkloadIdentityTokenProvider(ctx, *info.PodIdentity.IdentityID, info.EventHubResourceURL) return eventhub.NewHub(info.Namespace, info.EventHubName, provider, hubEnvOptions) } diff --git a/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go b/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go index b3bd400d798..1374fb2372f 100644 --- a/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go +++ b/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go @@ -36,7 +36,7 @@ func TryAndGetAzureManagedPrometheusHTTPRoundTripper(podIdentity kedav1alpha1.Au return nil, fmt.Errorf("trigger metadata cannot be nil") } - chainedCred, err := NewChainedCredential(podIdentity.IdentityID, podIdentity.Provider) + chainedCred, err := NewChainedCredential(*podIdentity.IdentityID, podIdentity.Provider) if err != nil { return nil, err } diff --git a/pkg/scalers/azure/azure_monitor.go b/pkg/scalers/azure/azure_monitor.go index 08ef4fa21a1..6065bb778b8 100644 --- a/pkg/scalers/azure/azure_monitor.go +++ b/pkg/scalers/azure/azure_monitor.go @@ -89,11 +89,11 @@ func createMetricsClient(ctx context.Context, info MonitorInfo, podIdentity keda case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = info.AzureResourceManagerEndpoint - config.ClientID = podIdentity.IdentityID + config.ClientID = *podIdentity.IdentityID authConfig = config case kedav1alpha1.PodIdentityProviderAzureWorkload: - authConfig = NewAzureADWorkloadIdentityConfig(ctx, podIdentity.IdentityID, info.AzureResourceManagerEndpoint) + authConfig = NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, info.AzureResourceManagerEndpoint) } authorizer, _ := authConfig.Authorizer() diff --git a/pkg/scalers/azure/azure_storage.go b/pkg/scalers/azure/azure_storage.go index 759fa62917c..5bad8c4a386 100644 --- a/pkg/scalers/azure/azure_storage.go +++ b/pkg/scalers/azure/azure_storage.go @@ -207,9 +207,9 @@ func parseAccessTokenAndEndpoint(ctx context.Context, httpClient util.HTTPDoer, switch podIdentity.Provider { case kedav1alpha1.PodIdentityProviderAzure: - token, err = GetAzureADPodIdentityToken(ctx, httpClient, podIdentity.IdentityID, storageResource) + token, err = GetAzureADPodIdentityToken(ctx, httpClient, *podIdentity.IdentityID, storageResource) case kedav1alpha1.PodIdentityProviderAzureWorkload: - token, err = GetAzureADWorkloadIdentityToken(ctx, podIdentity.IdentityID, storageResource) + token, err = GetAzureADWorkloadIdentityToken(ctx, *podIdentity.IdentityID, storageResource) } if err != nil { diff --git a/pkg/scalers/azure_log_analytics_scaler.go b/pkg/scalers/azure_log_analytics_scaler.go index 0c4f3b25fed..f0323b9fb26 100644 --- a/pkg/scalers/azure_log_analytics_scaler.go +++ b/pkg/scalers/azure_log_analytics_scaler.go @@ -480,7 +480,7 @@ func (s *azureLogAnalyticsScaler) getAuthorizationToken(ctx context.Context) (to switch s.metadata.podIdentity.Provider { case kedav1alpha1.PodIdentityProviderAzureWorkload: - aadToken, err := azure.GetAzureADWorkloadIdentityToken(ctx, s.metadata.podIdentity.IdentityID, s.metadata.logAnalyticsResourceURL) + aadToken, err := azure.GetAzureADWorkloadIdentityToken(ctx, *s.metadata.podIdentity.IdentityID, s.metadata.logAnalyticsResourceURL) if err != nil { return tokenData{}, nil } @@ -565,10 +565,10 @@ func (s *azureLogAnalyticsScaler) executeAADApicall(ctx context.Context) ([]byte func (s *azureLogAnalyticsScaler) executeIMDSApicall(ctx context.Context) ([]byte, int, error) { var urlStr string - if s.metadata.podIdentity.IdentityID == "" { + if *s.metadata.podIdentity.IdentityID == "" { urlStr = fmt.Sprintf(azure.MSIURL, s.metadata.logAnalyticsResourceURL) } else { - urlStr = fmt.Sprintf(azure.MSIURLWithClientID, s.metadata.logAnalyticsResourceURL, url.QueryEscape(s.metadata.podIdentity.IdentityID)) + urlStr = fmt.Sprintf(azure.MSIURLWithClientID, s.metadata.logAnalyticsResourceURL, url.QueryEscape(*s.metadata.podIdentity.IdentityID)) } request, err := http.NewRequestWithContext(ctx, http.MethodGet, urlStr, nil) diff --git a/pkg/scalers/azure_servicebus_scaler.go b/pkg/scalers/azure_servicebus_scaler.go index 977d60b4c9b..bcb974cb223 100755 --- a/pkg/scalers/azure_servicebus_scaler.go +++ b/pkg/scalers/azure_servicebus_scaler.go @@ -297,7 +297,7 @@ func (s *azureServiceBusScaler) getServiceBusAdminClient() (*admin.Client, error case "", kedav1alpha1.PodIdentityProviderNone: client, err = admin.NewClientFromConnectionString(s.metadata.connection, nil) case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: - creds, chainedErr := azure.NewChainedCredential(s.podIdentity.IdentityID, s.podIdentity.Provider) + creds, chainedErr := azure.NewChainedCredential(*s.podIdentity.IdentityID, s.podIdentity.Provider) if chainedErr != nil { return nil, chainedErr } diff --git a/pkg/scaling/resolver/azure_keyvault_handler.go b/pkg/scaling/resolver/azure_keyvault_handler.go index 62263accb53..c64256e448c 100644 --- a/pkg/scaling/resolver/azure_keyvault_handler.go +++ b/pkg/scaling/resolver/azure_keyvault_handler.go @@ -133,12 +133,12 @@ func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = keyVaultResourceURL - config.ClientID = podIdentity.IdentityID + config.ClientID = *podIdentity.IdentityID return config, nil case kedav1alpha1.PodIdentityProviderAzureWorkload: - return azure.NewAzureADWorkloadIdentityConfig(ctx, podIdentity.IdentityID, keyVaultResourceURL), nil + return azure.NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, keyVaultResourceURL), nil default: - return nil, fmt.Errorf("key vault does not support pod identity provider - %s", podIdentity) + return nil, fmt.Errorf("key vault does not support pod identity provider - %s", podIdentity.Provider) } } diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 22fe7e81d4e..e51d065b06a 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -170,6 +170,15 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log authParams["awsRoleArn"] = serviceAccount.Annotations[kedav1alpha1.PodIdentityAnnotationEKS] } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsKiam { authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] + } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAzure { + // Check if podidentity is empty or default + if podIdentity.IdentityID == nil { + // Set to empty in case of trigger nil pointer error + podIdentity.IdentityID = new(string) + } else if *podIdentity.IdentityID == "" { + return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, + fmt.Errorf("error getting IdentityID, IdentityID cannot be empty") + } } return authParams, podIdentity, nil } From 4857d65a3b5391eca534c797b4611c127035cfc4 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 19 Jun 2023 09:56:56 +0800 Subject: [PATCH 02/32] Update CHANGELOG.md Co-authored-by: Tom Kerkhove Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5e2eaeb3ed..c53fb7c2bb3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,7 +53,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio ### Improvements - **General**: Metrics Adapter: remove deprecated Prometheus Metrics and non-gRPC code ([#3930](https://github.com/kedacore/keda/issues/3930)) -- **Azure PodIdentity**:Add validation of identity id to block empty identity id ([#4528](https://github.com/kedacore/keda/issues/4528)) +- **Azure Pod Identity**: Add validation of identity ID to prevent usage of empty identity ID ([#4528](https://github.com/kedacore/keda/issues/4528)) - **Azure Data Explorer Scaler**: Use azidentity SDK ([#4489](https://github.com/kedacore/keda/issues/4489)) - **External Scaler**: Add tls options in TriggerAuth metadata. ([#3565](https://github.com/kedacore/keda/issues/3565)) - **GCP PubSub Scaler**: Make it more flexible for metrics ([#4243](https://github.com/kedacore/keda/issues/4243)) From 6edb42555f9a9aa4ca8cbf6fb5b241b588beff9e Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 3 Jul 2023 14:24:49 +0800 Subject: [PATCH 03/32] Update Signed-off-by: SpiritZhou --- .../v1alpha1/triggerauthentication_types.go | 8 +++++++ pkg/scalers/azure/azure_app_insights.go | 4 ++-- pkg/scalers/azure/azure_data_explorer.go | 2 +- pkg/scalers/azure/azure_eventhub.go | 4 ++-- ...e_managed_prometheus_http_round_tripper.go | 2 +- pkg/scalers/azure/azure_storage.go | 8 +++---- pkg/scalers/azure_blob_scaler.go | 2 +- pkg/scalers/azure_log_analytics_scaler.go | 8 +++---- pkg/scalers/azure_monitor_scaler.go | 2 +- pkg/scalers/azure_queue_scaler.go | 2 +- pkg/scalers/azure_servicebus_scaler.go | 4 ++-- pkg/scalers/rabbitmq_scaler.go | 2 +- pkg/scalers/rabbitmq_scaler_test.go | 5 +++-- .../resolver/azure_keyvault_handler.go | 4 ++-- pkg/scaling/resolver/scale_resolvers.go | 9 ++------ pkg/util/conver_types.go | 22 +++++++++++++++++++ 16 files changed, 57 insertions(+), 31 deletions(-) create mode 100644 pkg/util/conver_types.go diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go index 60306b6bae9..08fc77fe461 100644 --- a/apis/keda/v1alpha1/triggerauthentication_types.go +++ b/apis/keda/v1alpha1/triggerauthentication_types.go @@ -119,6 +119,14 @@ type AuthPodIdentity struct { IdentityID *string `json:"identityId"` } +func (a *AuthPodIdentity) GetIdentityID() string { + if a.IdentityID == nil { + return "" + } else { + return *a.IdentityID + } +} + // AuthSecretTargetRef is used to authenticate using a reference to a secret type AuthSecretTargetRef struct { Parameter string `json:"parameter"` diff --git a/pkg/scalers/azure/azure_app_insights.go b/pkg/scalers/azure/azure_app_insights.go index 94bb60ca5f4..461d61a2cf9 100644 --- a/pkg/scalers/azure/azure_app_insights.go +++ b/pkg/scalers/azure/azure_app_insights.go @@ -69,10 +69,10 @@ func getAuthConfig(ctx context.Context, info AppInsightsInfo, podIdentity kedav1 case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = info.AppInsightsResourceURL - config.ClientID = *podIdentity.IdentityID + config.ClientID = podIdentity.GetIdentityID() return config case kedav1alpha1.PodIdentityProviderAzureWorkload: - return NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, info.AppInsightsResourceURL) + return NewAzureADWorkloadIdentityConfig(ctx, podIdentity.GetIdentityID(), info.AppInsightsResourceURL) } return nil } diff --git a/pkg/scalers/azure/azure_data_explorer.go b/pkg/scalers/azure/azure_data_explorer.go index 8f6d3983d7f..3785ddc644b 100644 --- a/pkg/scalers/azure/azure_data_explorer.go +++ b/pkg/scalers/azure/azure_data_explorer.go @@ -91,7 +91,7 @@ func getDataExplorerAuthConfig(metadata *DataExplorerMetadata) (*kusto.Connectio case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: azureDataExplorerLogger.V(1).Info(fmt.Sprintf("Creating Azure Data Explorer Client using podIdentity %s", metadata.PodIdentity.Provider)) - creds, chainedErr := NewChainedCredential(*metadata.PodIdentity.IdentityID, metadata.PodIdentity.Provider) + creds, chainedErr := NewChainedCredential(metadata.PodIdentity.GetIdentityID(), metadata.PodIdentity.Provider) if chainedErr != nil { return nil, chainedErr } diff --git a/pkg/scalers/azure/azure_eventhub.go b/pkg/scalers/azure/azure_eventhub.go index 520cab279e4..d4ca34b879c 100644 --- a/pkg/scalers/azure/azure_eventhub.go +++ b/pkg/scalers/azure/azure_eventhub.go @@ -53,7 +53,7 @@ func GetEventHubClient(ctx context.Context, info EventHubInfo) (*eventhub.Hub, e envJWTProviderOption := aad.JWTProviderWithAzureEnvironment(&env) resourceURLJWTProviderOption := aad.JWTProviderWithResourceURI(info.EventHubResourceURL) clientIDJWTProviderOption := func(config *aad.TokenProviderConfiguration) error { - config.ClientID = *info.PodIdentity.IdentityID + config.ClientID = info.PodIdentity.GetIdentityID() return nil } @@ -68,7 +68,7 @@ func GetEventHubClient(ctx context.Context, info EventHubInfo) (*eventhub.Hub, e // User wants to use AAD Workload Identity env := azure.Environment{ActiveDirectoryEndpoint: info.ActiveDirectoryEndpoint, ServiceBusEndpointSuffix: info.ServiceBusEndpointSuffix} hubEnvOptions := eventhub.HubWithEnvironment(env) - provider := NewAzureADWorkloadIdentityTokenProvider(ctx, *info.PodIdentity.IdentityID, info.EventHubResourceURL) + provider := NewAzureADWorkloadIdentityTokenProvider(ctx, info.PodIdentity.GetIdentityID(), info.EventHubResourceURL) return eventhub.NewHub(info.Namespace, info.EventHubName, provider, hubEnvOptions) } diff --git a/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go b/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go index 1374fb2372f..16e1aa1bdfe 100644 --- a/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go +++ b/pkg/scalers/azure/azure_managed_prometheus_http_round_tripper.go @@ -36,7 +36,7 @@ func TryAndGetAzureManagedPrometheusHTTPRoundTripper(podIdentity kedav1alpha1.Au return nil, fmt.Errorf("trigger metadata cannot be nil") } - chainedCred, err := NewChainedCredential(*podIdentity.IdentityID, podIdentity.Provider) + chainedCred, err := NewChainedCredential(podIdentity.GetIdentityID(), podIdentity.Provider) if err != nil { return nil, err } diff --git a/pkg/scalers/azure/azure_storage.go b/pkg/scalers/azure/azure_storage.go index 5bad8c4a386..12ac8e9f18d 100644 --- a/pkg/scalers/azure/azure_storage.go +++ b/pkg/scalers/azure/azure_storage.go @@ -111,7 +111,7 @@ func ParseAzureStorageQueueConnection(ctx context.Context, httpClient util.HTTPD return credential, endpoint, nil default: - return nil, nil, fmt.Errorf("azure queues doesn't support %s pod identity type", podIdentity) + return nil, nil, fmt.Errorf("azure queues doesn't support %s pod identity type", podIdentity.Provider) } } @@ -139,7 +139,7 @@ func ParseAzureStorageBlobConnection(ctx context.Context, httpClient util.HTTPDo return credential, endpoint, nil default: - return nil, nil, fmt.Errorf("azure queues doesn't support %s pod identity type", podIdentity) + return nil, nil, fmt.Errorf("azure queues doesn't support %s pod identity type", podIdentity.Provider) } } @@ -207,9 +207,9 @@ func parseAccessTokenAndEndpoint(ctx context.Context, httpClient util.HTTPDoer, switch podIdentity.Provider { case kedav1alpha1.PodIdentityProviderAzure: - token, err = GetAzureADPodIdentityToken(ctx, httpClient, *podIdentity.IdentityID, storageResource) + token, err = GetAzureADPodIdentityToken(ctx, httpClient, podIdentity.GetIdentityID(), storageResource) case kedav1alpha1.PodIdentityProviderAzureWorkload: - token, err = GetAzureADWorkloadIdentityToken(ctx, *podIdentity.IdentityID, storageResource) + token, err = GetAzureADWorkloadIdentityToken(ctx, podIdentity.GetIdentityID(), storageResource) } if err != nil { diff --git a/pkg/scalers/azure_blob_scaler.go b/pkg/scalers/azure_blob_scaler.go index 9324c742095..47ec6fc0ee0 100644 --- a/pkg/scalers/azure_blob_scaler.go +++ b/pkg/scalers/azure_blob_scaler.go @@ -173,7 +173,7 @@ func parseAzureBlobMetadata(config *ScalerConfig, logger logr.Logger) (*azure.Bl return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("no accountName given") } default: - return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure storage blobs", config.PodIdentity) + return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure storage blobs", config.PodIdentity.Provider) } meta.ScalerIndex = config.ScalerIndex diff --git a/pkg/scalers/azure_log_analytics_scaler.go b/pkg/scalers/azure_log_analytics_scaler.go index f0323b9fb26..2714dd3f77c 100644 --- a/pkg/scalers/azure_log_analytics_scaler.go +++ b/pkg/scalers/azure_log_analytics_scaler.go @@ -163,7 +163,7 @@ func parseAzureLogAnalyticsMetadata(config *ScalerConfig) (*azureLogAnalyticsMet case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: meta.podIdentity = config.PodIdentity default: - return nil, fmt.Errorf("error parsing metadata. Details: Log Analytics Scaler doesn't support pod identity %s", config.PodIdentity) + return nil, fmt.Errorf("error parsing metadata. Details: Log Analytics Scaler doesn't support pod identity %s", config.PodIdentity.Provider) } // Getting workspaceId @@ -480,7 +480,7 @@ func (s *azureLogAnalyticsScaler) getAuthorizationToken(ctx context.Context) (to switch s.metadata.podIdentity.Provider { case kedav1alpha1.PodIdentityProviderAzureWorkload: - aadToken, err := azure.GetAzureADWorkloadIdentityToken(ctx, *s.metadata.podIdentity.IdentityID, s.metadata.logAnalyticsResourceURL) + aadToken, err := azure.GetAzureADWorkloadIdentityToken(ctx, s.metadata.podIdentity.GetIdentityID(), s.metadata.logAnalyticsResourceURL) if err != nil { return tokenData{}, nil } @@ -565,10 +565,10 @@ func (s *azureLogAnalyticsScaler) executeAADApicall(ctx context.Context) ([]byte func (s *azureLogAnalyticsScaler) executeIMDSApicall(ctx context.Context) ([]byte, int, error) { var urlStr string - if *s.metadata.podIdentity.IdentityID == "" { + if s.metadata.podIdentity.GetIdentityID() == "" { urlStr = fmt.Sprintf(azure.MSIURL, s.metadata.logAnalyticsResourceURL) } else { - urlStr = fmt.Sprintf(azure.MSIURLWithClientID, s.metadata.logAnalyticsResourceURL, url.QueryEscape(*s.metadata.podIdentity.IdentityID)) + urlStr = fmt.Sprintf(azure.MSIURLWithClientID, s.metadata.logAnalyticsResourceURL, url.QueryEscape(s.metadata.podIdentity.GetIdentityID())) } request, err := http.NewRequestWithContext(ctx, http.MethodGet, urlStr, nil) diff --git a/pkg/scalers/azure_monitor_scaler.go b/pkg/scalers/azure_monitor_scaler.go index f4ef32ca953..f6a044814ec 100644 --- a/pkg/scalers/azure_monitor_scaler.go +++ b/pkg/scalers/azure_monitor_scaler.go @@ -207,7 +207,7 @@ func parseAzurePodIdentityParams(config *ScalerConfig) (clientID string, clientP case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: // no params required to be parsed default: - return "", "", fmt.Errorf("azure Monitor doesn't support pod identity %s", config.PodIdentity) + return "", "", fmt.Errorf("azure Monitor doesn't support pod identity %s", config.PodIdentity.Provider) } return clientID, clientPassword, nil diff --git a/pkg/scalers/azure_queue_scaler.go b/pkg/scalers/azure_queue_scaler.go index 1088bd7e5b9..23fcd15815f 100644 --- a/pkg/scalers/azure_queue_scaler.go +++ b/pkg/scalers/azure_queue_scaler.go @@ -150,7 +150,7 @@ func parseAzureQueueMetadata(config *ScalerConfig, logger logr.Logger) (*azureQu return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("no accountName given") } default: - return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure storage queues", config.PodIdentity) + return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure storage queues", config.PodIdentity.Provider) } meta.scalerIndex = config.ScalerIndex diff --git a/pkg/scalers/azure_servicebus_scaler.go b/pkg/scalers/azure_servicebus_scaler.go index bcb974cb223..7ad8ee71acd 100755 --- a/pkg/scalers/azure_servicebus_scaler.go +++ b/pkg/scalers/azure_servicebus_scaler.go @@ -214,7 +214,7 @@ func parseAzureServiceBusMetadata(config *ScalerConfig, logger logr.Logger) (*az } default: - return nil, fmt.Errorf("azure service bus doesn't support pod identity %s", config.PodIdentity) + return nil, fmt.Errorf("azure service bus doesn't support pod identity %s", config.PodIdentity.Provider) } meta.scalerIndex = config.ScalerIndex @@ -297,7 +297,7 @@ func (s *azureServiceBusScaler) getServiceBusAdminClient() (*admin.Client, error case "", kedav1alpha1.PodIdentityProviderNone: client, err = admin.NewClientFromConnectionString(s.metadata.connection, nil) case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: - creds, chainedErr := azure.NewChainedCredential(*s.podIdentity.IdentityID, s.podIdentity.Provider) + creds, chainedErr := azure.NewChainedCredential(s.podIdentity.GetIdentityID(), s.podIdentity.Provider) if chainedErr != nil { return nil, chainedErr } diff --git a/pkg/scalers/rabbitmq_scaler.go b/pkg/scalers/rabbitmq_scaler.go index abdaea3ea02..86956fff2c8 100644 --- a/pkg/scalers/rabbitmq_scaler.go +++ b/pkg/scalers/rabbitmq_scaler.go @@ -242,7 +242,7 @@ func parseRabbitMQMetadata(config *ScalerConfig) (*rabbitMQMetadata, error) { if config.PodIdentity.Provider == v1alpha1.PodIdentityProviderAzureWorkload { if config.AuthParams["workloadIdentityResource"] != "" { - meta.workloadIdentityClientID = config.PodIdentity.IdentityID + meta.workloadIdentityClientID = *config.PodIdentity.IdentityID meta.workloadIdentityResource = config.AuthParams["workloadIdentityResource"] } } diff --git a/pkg/scalers/rabbitmq_scaler_test.go b/pkg/scalers/rabbitmq_scaler_test.go index c1dcf1f301e..8c808f5bfce 100644 --- a/pkg/scalers/rabbitmq_scaler_test.go +++ b/pkg/scalers/rabbitmq_scaler_test.go @@ -13,6 +13,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/kedacore/keda/v2/apis/keda/v1alpha1" + kedautil "github.com/kedacore/keda/v2/pkg/util" ) const ( @@ -152,9 +153,9 @@ var testRabbitMQAuthParamData = []parseRabbitMQAuthParamTestData{ // failure, TLS invalid {map[string]string{"queueName": "sample", "hostFromEnv": host}, v1alpha1.AuthPodIdentity{}, map[string]string{"tls": "yes", "ca": "caaa", "cert": "ceert", "key": "kee"}, true, true, false}, // success, WorkloadIdentity - {map[string]string{"queueName": "sample", "hostFromEnv": host, "protocol": "http"}, v1alpha1.AuthPodIdentity{Provider: v1alpha1.PodIdentityProviderAzureWorkload, IdentityID: "client-id"}, map[string]string{"workloadIdentityResource": "rabbitmq-resource-id"}, false, false, true}, + {map[string]string{"queueName": "sample", "hostFromEnv": host, "protocol": "http"}, v1alpha1.AuthPodIdentity{Provider: v1alpha1.PodIdentityProviderAzureWorkload, IdentityID: kedautil.StringPointer("client-id")}, map[string]string{"workloadIdentityResource": "rabbitmq-resource-id"}, false, false, true}, // failure, WoekloadIdentity not supported for amqp - {map[string]string{"queueName": "sample", "hostFromEnv": host, "protocol": "amqp"}, v1alpha1.AuthPodIdentity{Provider: v1alpha1.PodIdentityProviderAzureWorkload, IdentityID: "client-id"}, map[string]string{"workloadIdentityResource": "rabbitmq-resource-id"}, true, false, false}, + {map[string]string{"queueName": "sample", "hostFromEnv": host, "protocol": "amqp"}, v1alpha1.AuthPodIdentity{Provider: v1alpha1.PodIdentityProviderAzureWorkload, IdentityID: kedautil.StringPointer("client-id")}, map[string]string{"workloadIdentityResource": "rabbitmq-resource-id"}, true, false, false}, } var rabbitMQMetricIdentifiers = []rabbitMQMetricIdentifier{ {&testRabbitMQMetadata[1], 0, "s0-rabbitmq-sample"}, diff --git a/pkg/scaling/resolver/azure_keyvault_handler.go b/pkg/scaling/resolver/azure_keyvault_handler.go index c64256e448c..f7fe36544c2 100644 --- a/pkg/scaling/resolver/azure_keyvault_handler.go +++ b/pkg/scaling/resolver/azure_keyvault_handler.go @@ -133,11 +133,11 @@ func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = keyVaultResourceURL - config.ClientID = *podIdentity.IdentityID + config.ClientID = podIdentity.GetIdentityID() return config, nil case kedav1alpha1.PodIdentityProviderAzureWorkload: - return azure.NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, keyVaultResourceURL), nil + return azure.NewAzureADWorkloadIdentityConfig(ctx, podIdentity.GetIdentityID(), keyVaultResourceURL), nil default: return nil, fmt.Errorf("key vault does not support pod identity provider - %s", podIdentity.Provider) } diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 6b3c0095f32..e13105c3f16 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -192,13 +192,8 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsKiam { authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAzure { - // Check if podidentity is empty or default - if podIdentity.IdentityID == nil { - // Set to empty in case of trigger nil pointer error - podIdentity.IdentityID = new(string) - } else if *podIdentity.IdentityID == "" { - return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, - fmt.Errorf("error getting IdentityID, IdentityID cannot be empty") + if podIdentity.GetIdentityID() == "" { + logger.Info("WARNING: IdentityID of PodIdentity is empty or nil") } } return authParams, podIdentity, nil diff --git a/pkg/util/conver_types.go b/pkg/util/conver_types.go new file mode 100644 index 00000000000..6d7559a8ee9 --- /dev/null +++ b/pkg/util/conver_types.go @@ -0,0 +1,22 @@ +/* +Copyright 2023 The KEDA Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +// String returns a pointer to the string value passed in. +func StringPointer(v string) *string { + return &v +} From 70c5a143e8d165128033be8dbba5754b6d3ef1d3 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Wed, 5 Jul 2023 15:30:21 +0800 Subject: [PATCH 04/32] Add webhooks Signed-off-by: SpiritZhou --- .../v1alpha1/triggerauthentication_webhook.go | 124 ++++++++++++++++++ cmd/webhooks/main.go | 8 ++ config/webhooks/validation_webhooks.yaml | 48 +++++++ 3 files changed, 180 insertions(+) create mode 100644 apis/keda/v1alpha1/triggerauthentication_webhook.go diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook.go b/apis/keda/v1alpha1/triggerauthentication_webhook.go new file mode 100644 index 00000000000..d6c0a739bf2 --- /dev/null +++ b/apis/keda/v1alpha1/triggerauthentication_webhook.go @@ -0,0 +1,124 @@ +/* +Copyright 2023 The KEDA Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "encoding/json" + "fmt" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +var triggerauthenticationlog = logf.Log.WithName("triggerauthentication-validation-webhook") + +func (so *TriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { + return ctrl.NewWebhookManagedBy(mgr). + For(so). + Complete() +} + +func (so *ClusterTriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { + return ctrl.NewWebhookManagedBy(mgr). + For(so). + Complete() +} + +// +kubebuilder:webhook:path=/validate-keda-sh-v1alpha1-triggerauthentication,mutating=false,failurePolicy=ignore,sideEffects=None,groups=keda.sh,resources=triggerauthentications,verbs=create;update,versions=v1alpha1,name=vstriggerauthentication.kb.io,admissionReviewVersions=v1 + +var _ webhook.Validator = &TriggerAuthentication{} + +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type +func (ta *TriggerAuthentication) ValidateCreate() (admission.Warnings, error) { + val, _ := json.MarshalIndent(ta, "", " ") + triggerauthenticationlog.Info(fmt.Sprintf("validating triggerauthentication creation for %s", string(val))) + return validateSpec(&ta.Spec) +} + +func (ta *TriggerAuthentication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { + val, _ := json.MarshalIndent(ta, "", " ") + scaledobjectlog.V(1).Info(fmt.Sprintf("validating triggerauthentication update for %s", string(val))) + + oldTa := old.(*TriggerAuthentication) + if isTriggerAuthenticationRemovingFinalizer(ta.ObjectMeta, oldTa.ObjectMeta, ta.Spec, oldTa.Spec) { + triggerauthenticationlog.V(1).Info("finalizer removal, skipping validation") + return nil, nil + } + return validateSpec(&ta.Spec) +} + +func (so *TriggerAuthentication) ValidateDelete() (admission.Warnings, error) { + return nil, nil +} + +// +kubebuilder:webhook:path=/validate-keda-sh-v1alpha1-clustertriggerauthentication,mutating=false,failurePolicy=ignore,sideEffects=None,groups=keda.sh,resources=clustertriggerauthentications,verbs=create;update,versions=v1alpha1,name=vsclustertriggerauthentication.kb.io,admissionReviewVersions=v1 + +var _ webhook.Validator = &ClusterTriggerAuthentication{} + +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type +func (cta *ClusterTriggerAuthentication) ValidateCreate() (admission.Warnings, error) { + val, _ := json.MarshalIndent(cta, "", " ") + triggerauthenticationlog.Info(fmt.Sprintf("validating clustertriggerauthentication creation for %s", string(val))) + return validateSpec(&cta.Spec) +} + +func (cta *ClusterTriggerAuthentication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { + val, _ := json.MarshalIndent(cta, "", " ") + scaledobjectlog.V(1).Info(fmt.Sprintf("validating clustertriggerauthentication update for %s", string(val))) + + oldCta := old.(*ClusterTriggerAuthentication) + if isTriggerAuthenticationRemovingFinalizer(cta.ObjectMeta, oldCta.ObjectMeta, cta.Spec, oldCta.Spec) { + triggerauthenticationlog.V(1).Info("finalizer removal, skipping validation") + return nil, nil + } + + return validateSpec(&cta.Spec) +} + +func (so *ClusterTriggerAuthentication) ValidateDelete() (admission.Warnings, error) { + return nil, nil +} + +func isTriggerAuthenticationRemovingFinalizer(om metav1.ObjectMeta, oldOm metav1.ObjectMeta, spec TriggerAuthenticationSpec, oldSpec TriggerAuthenticationSpec) bool { + + taSpec, _ := json.MarshalIndent(spec, "", " ") + oldTaSpec, _ := json.MarshalIndent(oldSpec, "", " ") + taSpecString := string(taSpec) + oldTaSpecString := string(oldTaSpec) + + return len(om.Finalizers) == 0 && len(oldOm.Finalizers) == 1 && taSpecString == oldTaSpecString +} + +func validateSpec(spec *TriggerAuthenticationSpec) (admission.Warnings, error) { + if spec.PodIdentity != nil { + switch spec.PodIdentity.Provider { + case PodIdentityProviderAzure: + fallthrough + case PodIdentityProviderAzureWorkload: + if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" { + return nil, fmt.Errorf("identityid of PodIdentity should not be empty") + } + default: + return nil, nil + } + } + return nil, nil +} diff --git a/cmd/webhooks/main.go b/cmd/webhooks/main.go index 9a79928a200..ab410cccaec 100644 --- a/cmd/webhooks/main.go +++ b/cmd/webhooks/main.go @@ -131,4 +131,12 @@ func setupWebhook(mgr manager.Manager) { setupLog.Error(err, "unable to create webhook", "webhook", "ScaledObject") os.Exit(1) } + if err := (&kedav1alpha1.TriggerAuthentication{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "TriggerAuthentication") + os.Exit(1) + } + if err := (&kedav1alpha1.ClusterTriggerAuthentication{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "ClusterTriggerAuthentication") + os.Exit(1) + } } diff --git a/config/webhooks/validation_webhooks.yaml b/config/webhooks/validation_webhooks.yaml index 4eb57d09b7c..3561df56e22 100644 --- a/config/webhooks/validation_webhooks.yaml +++ b/config/webhooks/validation_webhooks.yaml @@ -33,3 +33,51 @@ webhooks: - scaledobjects sideEffects: None timeoutSeconds: 10 +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: keda-admission-webhooks + namespace: keda + path: /validate-keda-sh-v1alpha1-triggerauthentication + failurePolicy: Ignore + matchPolicy: Equivalent + name: vstriggerauthentication.kb.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - keda.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - triggerauthentications + sideEffects: None + timeoutSeconds: 10 +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: keda-admission-webhooks + namespace: keda + path: /validate-keda-sh-v1alpha1-clustertriggerauthentication + failurePolicy: Ignore + matchPolicy: Equivalent + name: vsclustertriggerauthentication.kb.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - keda.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertriggerauthentications + sideEffects: None + timeoutSeconds: 10 From c74f1649cc6ed0fc6b385e5645cd33a4a662f290 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 11:22:59 +0800 Subject: [PATCH 05/32] Update Signed-off-by: SpiritZhou --- .../v1alpha1/scaledobject_webhook_test.go | 208 +++++++++--------- apis/keda/v1alpha1/suite_test.go | 141 ++++++++++++ .../triggerauthentication_webhook_test.go | 90 ++++++++ 3 files changed, 329 insertions(+), 110 deletions(-) create mode 100644 apis/keda/v1alpha1/suite_test.go create mode 100644 apis/keda/v1alpha1/triggerauthentication_webhook_test.go diff --git a/apis/keda/v1alpha1/scaledobject_webhook_test.go b/apis/keda/v1alpha1/scaledobject_webhook_test.go index fbde5787df1..cf0f434a567 100644 --- a/apis/keda/v1alpha1/scaledobject_webhook_test.go +++ b/apis/keda/v1alpha1/scaledobject_webhook_test.go @@ -18,132 +18,120 @@ package v1alpha1 import ( "context" - "crypto/tls" - "fmt" - "net" - "path/filepath" - "testing" - "time" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - admissionv1beta1 "k8s.io/api/admission/v1beta1" appsv1 "k8s.io/api/apps/v1" v2 "k8s.io/api/autoscaling/v2" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - clientgoscheme "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" "k8s.io/utils/pointer" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" //+kubebuilder:scaffold:imports ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment -var ctx context.Context -var cancel context.CancelFunc - -const ( - workloadName = "deployment-name" - soName = "test-so" -) - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecs(t, "Webhook Suite") -} - -var _ = BeforeSuite(func() { - logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - - ctx, cancel = context.WithCancel(context.Background()) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, - ErrorIfCRDPathMissing: false, - WebhookInstallOptions: envtest.WebhookInstallOptions{ - Paths: []string{filepath.Join("..", "..", "..", "config", "webhooks")}, - }, - } - - var err error - // cfg is defined in this file globally. - done := make(chan interface{}) - go func() { - defer GinkgoRecover() - cfg, err = testEnv.Start() - close(done) - }() - Eventually(done).WithTimeout(time.Minute).Should(BeClosed()) - Expect(err).NotTo(HaveOccurred()) - Expect(cfg).NotTo(BeNil()) - - scheme := runtime.NewScheme() - err = AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - err = clientgoscheme.AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - err = admissionv1beta1.AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:scheme - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) - Expect(err).NotTo(HaveOccurred()) - Expect(k8sClient).NotTo(BeNil()) - - // start webhook server using Manager - webhookInstallOptions := &testEnv.WebhookInstallOptions - mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - Host: webhookInstallOptions.LocalServingHost, - Port: webhookInstallOptions.LocalServingPort, - CertDir: webhookInstallOptions.LocalServingCertDir, - LeaderElection: false, - MetricsBindAddress: "0", - }) - Expect(err).NotTo(HaveOccurred()) - - err = (&ScaledObject{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:webhook - - go func() { - defer GinkgoRecover() - err = mgr.Start(ctx) - Expect(err).NotTo(HaveOccurred()) - }() - - // wait for the webhook server to get ready - dialer := &net.Dialer{Timeout: time.Second} - addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) - Eventually(func() error { - conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return err - } - conn.Close() - return nil - }).Should(Succeed()) - -}) +// var cfg *rest.Config +// var k8sClient client.Client +// var testEnv *envtest.Environment +// var ctx context.Context +// var cancel context.CancelFunc + +// const ( +// workloadName = "deployment-name" +// soName = "test-so" +// ) + +// func TestAPIs(t *testing.T) { +// RegisterFailHandler(Fail) + +// RunSpecs(t, "Webhook Suite") +// } + +// var _ = BeforeSuite(func() { +// logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + +// ctx, cancel = context.WithCancel(context.Background()) + +// By("bootstrapping test environment") +// testEnv = &envtest.Environment{ +// CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, +// ErrorIfCRDPathMissing: false, +// WebhookInstallOptions: envtest.WebhookInstallOptions{ +// Paths: []string{filepath.Join("..", "..", "..", "config", "webhooks")}, +// }, +// } +// fmt.Println("xxxxxxxxxxf") +// var err error +// // cfg is defined in this file globally. +// done := make(chan interface{}) +// go func() { +// defer GinkgoRecover() +// cfg, err = testEnv.Start() +// close(done) +// }() +// Eventually(done).WithTimeout(time.Minute).Should(BeClosed()) +// Expect(err).NotTo(HaveOccurred()) +// Expect(cfg).NotTo(BeNil()) + +// scheme := runtime.NewScheme() +// err = AddToScheme(scheme) +// Expect(err).NotTo(HaveOccurred()) + +// err = clientgoscheme.AddToScheme(scheme) +// Expect(err).NotTo(HaveOccurred()) + +// err = admissionv1beta1.AddToScheme(scheme) +// Expect(err).NotTo(HaveOccurred()) + +// //+kubebuilder:scaffold:scheme + +// k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) +// Expect(err).NotTo(HaveOccurred()) +// Expect(k8sClient).NotTo(BeNil()) + +// // start webhook server using Manager +// webhookInstallOptions := &testEnv.WebhookInstallOptions +// mgr, err := ctrl.NewManager(cfg, ctrl.Options{ +// Scheme: scheme, +// Host: webhookInstallOptions.LocalServingHost, +// Port: webhookInstallOptions.LocalServingPort, +// CertDir: webhookInstallOptions.LocalServingCertDir, +// LeaderElection: false, +// MetricsBindAddress: "0", +// }) +// Expect(err).NotTo(HaveOccurred()) + +// err = (&ScaledObject{}).SetupWebhookWithManager(mgr) +// Expect(err).NotTo(HaveOccurred()) + +// err = (&TriggerAuthentication{}).SetupWebhookWithManager(mgr) +// Expect(err).NotTo(HaveOccurred()) + +// //+kubebuilder:scaffold:webhook + +// go func() { +// defer GinkgoRecover() +// err = mgr.Start(ctx) +// Expect(err).NotTo(HaveOccurred()) +// }() + +// // wait for the webhook server to get ready +// dialer := &net.Dialer{Timeout: time.Second} +// addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) +// Eventually(func() error { +// conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) +// if err != nil { +// return err +// } +// conn.Close() +// return nil +// }).Should(Succeed()) + +// }) var _ = It("should validate the so creation when there isn't any hpa", func() { diff --git a/apis/keda/v1alpha1/suite_test.go b/apis/keda/v1alpha1/suite_test.go new file mode 100644 index 00000000000..a156b1abcba --- /dev/null +++ b/apis/keda/v1alpha1/suite_test.go @@ -0,0 +1,141 @@ +/* +Copyright 2023 The KEDA Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "path/filepath" + "testing" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + admissionv1beta1 "k8s.io/api/admission/v1beta1" + "k8s.io/apimachinery/pkg/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + //+kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var cfg *rest.Config +var k8sClient client.Client +var testEnv *envtest.Environment +var ctx context.Context +var cancel context.CancelFunc + +const ( + workloadName = "deployment-name" + soName = "test-so" +) + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Webhook Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.Background()) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: false, + WebhookInstallOptions: envtest.WebhookInstallOptions{ + Paths: []string{filepath.Join("..", "..", "..", "config", "webhooks")}, + }, + } + var err error + // cfg is defined in this file globally. + done := make(chan interface{}) + go func() { + defer GinkgoRecover() + cfg, err = testEnv.Start() + close(done) + }() + Eventually(done).WithTimeout(time.Minute).Should(BeClosed()) + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + scheme := runtime.NewScheme() + err = AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = clientgoscheme.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = admissionv1beta1.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + // start webhook server using Manager + webhookInstallOptions := &testEnv.WebhookInstallOptions + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme, + Host: webhookInstallOptions.LocalServingHost, + Port: webhookInstallOptions.LocalServingPort, + CertDir: webhookInstallOptions.LocalServingCertDir, + LeaderElection: false, + MetricsBindAddress: "0", + }) + Expect(err).NotTo(HaveOccurred()) + + err = (&ScaledObject{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + err = (&TriggerAuthentication{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:webhook + + go func() { + defer GinkgoRecover() + err = mgr.Start(ctx) + Expect(err).NotTo(HaveOccurred()) + }() + + // wait for the webhook server to get ready + dialer := &net.Dialer{Timeout: time.Second} + addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) + Eventually(func() error { + conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return err + } + conn.Close() + return nil + }).Should(Succeed()) + +}) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go new file mode 100644 index 00000000000..63fa0927d6d --- /dev/null +++ b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go @@ -0,0 +1,90 @@ +/* +Copyright 2023 The KEDA Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + //+kubebuilder:scaffold:imports +) + +var _ = It("validate triggerauthentication when IdentityID is nil", func() { + namespaceName := "nilidentityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil) + ta := createTriggerAuthentication("nilidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).ShouldNot(HaveOccurred()) +}) + +var _ = It("validate triggerauthentication when IdentityID is empty", func() { + namespaceName := "emptyidentityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + identityId := "" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) + ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).Should(HaveOccurred()) +}) + +var _ = It("validate triggerauthentication when IdentityID is not empty", func() { + namespaceName := "identityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + identityId := "12345" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) + ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).ShouldNot(HaveOccurred()) +}) + +func createTriggerAuthenticationSpecWithPodIdentity(provider PodIdentityProvider, identityId *string) TriggerAuthenticationSpec { + return TriggerAuthenticationSpec{ + PodIdentity: &AuthPodIdentity{ + Provider: provider, + IdentityID: identityId, + }, + } +} + +func createTriggerAuthentication(name, namespace, targetAPI, targetKind string, spec TriggerAuthenticationSpec) *TriggerAuthentication { + return &TriggerAuthentication{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + TypeMeta: metav1.TypeMeta{ + Kind: targetKind, + APIVersion: "keda.sh", + }, + Spec: spec, + } +} From 31178f24475b1badc834b475387c5e950bfb08dd Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 14:18:59 +0800 Subject: [PATCH 06/32] Update Signed-off-by: SpiritZhou --- pkg/scalers/rabbitmq_scaler.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/scalers/rabbitmq_scaler.go b/pkg/scalers/rabbitmq_scaler.go index 86956fff2c8..9cd21e2602c 100644 --- a/pkg/scalers/rabbitmq_scaler.go +++ b/pkg/scalers/rabbitmq_scaler.go @@ -242,7 +242,7 @@ func parseRabbitMQMetadata(config *ScalerConfig) (*rabbitMQMetadata, error) { if config.PodIdentity.Provider == v1alpha1.PodIdentityProviderAzureWorkload { if config.AuthParams["workloadIdentityResource"] != "" { - meta.workloadIdentityClientID = *config.PodIdentity.IdentityID + meta.workloadIdentityClientID = config.PodIdentity.GetIdentityID() meta.workloadIdentityResource = config.AuthParams["workloadIdentityResource"] } } From 966fb3553ebff88c8926020216a74d06a55eb676 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 16:04:37 +0800 Subject: [PATCH 07/32] Update Signed-off-by: SpiritZhou --- pkg/scaling/resolver/scale_resolvers_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/scaling/resolver/scale_resolvers_test.go b/pkg/scaling/resolver/scale_resolvers_test.go index 859b5a7c701..7db11297362 100644 --- a/pkg/scaling/resolver/scale_resolvers_test.go +++ b/pkg/scaling/resolver/scale_resolvers_test.go @@ -422,7 +422,7 @@ func TestResolveAuthRef(t *testing.T) { t.Errorf("Returned authParams are different: %s", diff) } if gotPodIdentity != test.expectedPodIdentity { - t.Errorf("Unexpected podidentity, wanted: %q got: %q", test.expectedPodIdentity, gotPodIdentity) + t.Errorf("Unexpected podidentity, wanted: %q got: %q", test.expectedPodIdentity.Provider, gotPodIdentity.Provider) } }) } From e43e3f03295d5fd72c2c07b2dd94e2a30d434705 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 16:49:12 +0800 Subject: [PATCH 08/32] fix Signed-off-by: SpiritZhou --- .../v1alpha1/scaledobject_webhook_test.go | 1 - apis/keda/v1alpha1/suite_test.go | 4 +- .../v1alpha1/triggerauthentication_types.go | 3 +- .../v1alpha1/triggerauthentication_webhook.go | 13 +++-- .../triggerauthentication_webhook_test.go | 54 ++++++++++++++++--- 5 files changed, 56 insertions(+), 19 deletions(-) diff --git a/apis/keda/v1alpha1/scaledobject_webhook_test.go b/apis/keda/v1alpha1/scaledobject_webhook_test.go index cf0f434a567..cdd5c45b4b2 100644 --- a/apis/keda/v1alpha1/scaledobject_webhook_test.go +++ b/apis/keda/v1alpha1/scaledobject_webhook_test.go @@ -28,7 +28,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/utils/pointer" - //+kubebuilder:scaffold:imports ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to diff --git a/apis/keda/v1alpha1/suite_test.go b/apis/keda/v1alpha1/suite_test.go index a156b1abcba..bb2b8bf54c7 100644 --- a/apis/keda/v1alpha1/suite_test.go +++ b/apis/keda/v1alpha1/suite_test.go @@ -36,7 +36,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" - //+kubebuilder:scaffold:imports ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to @@ -114,9 +113,10 @@ var _ = BeforeSuite(func() { err = (&ScaledObject{}).SetupWebhookWithManager(mgr) Expect(err).NotTo(HaveOccurred()) - err = (&TriggerAuthentication{}).SetupWebhookWithManager(mgr) Expect(err).NotTo(HaveOccurred()) + err = (&ClusterTriggerAuthentication{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) //+kubebuilder:scaffold:webhook diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go index d1ced1d2a52..4603a68eec1 100755 --- a/apis/keda/v1alpha1/triggerauthentication_types.go +++ b/apis/keda/v1alpha1/triggerauthentication_types.go @@ -138,9 +138,8 @@ type AuthPodIdentity struct { func (a *AuthPodIdentity) GetIdentityID() string { if a.IdentityID == nil { return "" - } else { - return *a.IdentityID } + return *a.IdentityID } // AuthSecretTargetRef is used to authenticate using a reference to a secret diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook.go b/apis/keda/v1alpha1/triggerauthentication_webhook.go index d6c0a739bf2..8c8b3d17d71 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook.go @@ -30,15 +30,15 @@ import ( var triggerauthenticationlog = logf.Log.WithName("triggerauthentication-validation-webhook") -func (so *TriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { +func (ta *TriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { return ctrl.NewWebhookManagedBy(mgr). - For(so). + For(ta). Complete() } -func (so *ClusterTriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { +func (cta *ClusterTriggerAuthentication) SetupWebhookWithManager(mgr ctrl.Manager) error { return ctrl.NewWebhookManagedBy(mgr). - For(so). + For(cta). Complete() } @@ -65,7 +65,7 @@ func (ta *TriggerAuthentication) ValidateUpdate(old runtime.Object) (admission.W return validateSpec(&ta.Spec) } -func (so *TriggerAuthentication) ValidateDelete() (admission.Warnings, error) { +func (ta *TriggerAuthentication) ValidateDelete() (admission.Warnings, error) { return nil, nil } @@ -93,12 +93,11 @@ func (cta *ClusterTriggerAuthentication) ValidateUpdate(old runtime.Object) (adm return validateSpec(&cta.Spec) } -func (so *ClusterTriggerAuthentication) ValidateDelete() (admission.Warnings, error) { +func (cta *ClusterTriggerAuthentication) ValidateDelete() (admission.Warnings, error) { return nil, nil } func isTriggerAuthenticationRemovingFinalizer(om metav1.ObjectMeta, oldOm metav1.ObjectMeta, spec TriggerAuthenticationSpec, oldSpec TriggerAuthenticationSpec) bool { - taSpec, _ := json.MarshalIndent(spec, "", " ") oldTaSpec, _ := json.MarshalIndent(oldSpec, "", " ") taSpecString := string(taSpec) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go index 63fa0927d6d..fefaa8f8c2b 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go @@ -22,7 +22,6 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - //+kubebuilder:scaffold:imports ) var _ = It("validate triggerauthentication when IdentityID is nil", func() { @@ -32,7 +31,7 @@ var _ = It("validate triggerauthentication when IdentityID is nil", func() { Expect(err).ToNot(HaveOccurred()) spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil) - ta := createTriggerAuthentication("nilidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + ta := createTriggerAuthentication("nilidentityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) }).ShouldNot(HaveOccurred()) @@ -44,9 +43,9 @@ var _ = It("validate triggerauthentication when IdentityID is empty", func() { err := k8sClient.Create(context.Background(), namespace) Expect(err).ToNot(HaveOccurred()) - identityId := "" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) - ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + identityID := "" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) }).Should(HaveOccurred()) @@ -60,7 +59,48 @@ var _ = It("validate triggerauthentication when IdentityID is not empty", func() identityId := "12345" spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) - ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "apps/v1", "TriggerAuthentication", spec) + ta := createTriggerAuthentication("identityidta", namespaceName, "TriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).ShouldNot(HaveOccurred()) +}) + +var _ = It("validate clustertriggerauthentication when IdentityID is nil", func() { + namespaceName := "clusternilidentityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil) + ta := createTriggerAuthentication("clusternilidentityidta", namespaceName, "ClusterTriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).ShouldNot(HaveOccurred()) +}) + +var _ = It("validate clustertriggerauthentication when IdentityID is empty", func() { + namespaceName := "clusteremptyidentityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + identityID := "" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + ta := createTriggerAuthentication("clusteremptyidentityidta", namespaceName, "ClusterTriggerAuthentication", spec) + Eventually(func() error { + return k8sClient.Create(context.Background(), ta) + }).Should(HaveOccurred()) +}) + +var _ = It("validate clustertriggerauthentication when IdentityID is not empty", func() { + namespaceName := "clusteridentityid" + namespace := createNamespace(namespaceName) + err := k8sClient.Create(context.Background(), namespace) + Expect(err).ToNot(HaveOccurred()) + + identityId := "12345" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) + ta := createTriggerAuthentication("clusteridentityidta", namespaceName, "ClusterTriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) }).ShouldNot(HaveOccurred()) @@ -75,7 +115,7 @@ func createTriggerAuthenticationSpecWithPodIdentity(provider PodIdentityProvider } } -func createTriggerAuthentication(name, namespace, targetAPI, targetKind string, spec TriggerAuthenticationSpec) *TriggerAuthentication { +func createTriggerAuthentication(name, namespace, targetKind string, spec TriggerAuthenticationSpec) *TriggerAuthentication { return &TriggerAuthentication{ ObjectMeta: metav1.ObjectMeta{ Name: name, From 1898b7b5e394b35180b73b1816bc755504796945 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 17:06:22 +0800 Subject: [PATCH 09/32] Update Signed-off-by: SpiritZhou --- .../v1alpha1/triggerauthentication_webhook_test.go | 12 ++++++------ pkg/scaling/resolver/scale_resolvers.go | 8 +++++--- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go index fefaa8f8c2b..cee473d8899 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go @@ -57,8 +57,8 @@ var _ = It("validate triggerauthentication when IdentityID is not empty", func() err := k8sClient.Create(context.Background(), namespace) Expect(err).ToNot(HaveOccurred()) - identityId := "12345" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) + identityID := "12345" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) ta := createTriggerAuthentication("identityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -98,19 +98,19 @@ var _ = It("validate clustertriggerauthentication when IdentityID is not empty", err := k8sClient.Create(context.Background(), namespace) Expect(err).ToNot(HaveOccurred()) - identityId := "12345" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityId) + identityID := "12345" + spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) ta := createTriggerAuthentication("clusteridentityidta", namespaceName, "ClusterTriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) }).ShouldNot(HaveOccurred()) }) -func createTriggerAuthenticationSpecWithPodIdentity(provider PodIdentityProvider, identityId *string) TriggerAuthenticationSpec { +func createTriggerAuthenticationSpecWithPodIdentity(provider PodIdentityProvider, identityID *string) TriggerAuthenticationSpec { return TriggerAuthenticationSpec{ PodIdentity: &AuthPodIdentity{ Provider: provider, - IdentityID: identityId, + IdentityID: identityID, }, } } diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index e75358b1ebb..0373aa5fe8d 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -181,7 +181,8 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log if podTemplateSpec != nil { authParams, podIdentity := resolveAuthRef(ctx, client, logger, triggerAuthRef, &podTemplateSpec.Spec, namespace, secretsLister) - if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsEKS { + switch podIdentity.Provider { + case kedav1alpha1.PodIdentityProviderAwsEKS: serviceAccountName := defaultServiceAccount if podTemplateSpec.Spec.ServiceAccountName != "" { serviceAccountName = podTemplateSpec.Spec.ServiceAccountName @@ -193,12 +194,13 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log fmt.Errorf("error getting service account: '%s', error: %w", serviceAccountName, err) } authParams["awsRoleArn"] = serviceAccount.Annotations[kedav1alpha1.PodIdentityAnnotationEKS] - } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsKiam { + case kedav1alpha1.PodIdentityProviderAwsKiam: authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] - } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAzure { + case kedav1alpha1.PodIdentityProviderAzure: if podIdentity.GetIdentityID() == "" { logger.Info("WARNING: IdentityID of PodIdentity is empty or nil") } + default: } return authParams, podIdentity, nil } From 294a0b8f842413bdc57155eacdff53436ebd3f5c Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 17:17:31 +0800 Subject: [PATCH 10/32] Update Signed-off-by: SpiritZhou --- .../triggerauthentication_webhook_test.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go index cee473d8899..b18585ff97b 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook_test.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook_test.go @@ -30,7 +30,7 @@ var _ = It("validate triggerauthentication when IdentityID is nil", func() { err := k8sClient.Create(context.Background(), namespace) Expect(err).ToNot(HaveOccurred()) - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil) + spec := createTriggerAuthenticationSpecWithPodIdentity(nil) ta := createTriggerAuthentication("nilidentityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -44,7 +44,7 @@ var _ = It("validate triggerauthentication when IdentityID is empty", func() { Expect(err).ToNot(HaveOccurred()) identityID := "" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + spec := createTriggerAuthenticationSpecWithPodIdentity(&identityID) ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -58,7 +58,7 @@ var _ = It("validate triggerauthentication when IdentityID is not empty", func() Expect(err).ToNot(HaveOccurred()) identityID := "12345" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + spec := createTriggerAuthenticationSpecWithPodIdentity(&identityID) ta := createTriggerAuthentication("identityidta", namespaceName, "TriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -71,7 +71,7 @@ var _ = It("validate clustertriggerauthentication when IdentityID is nil", func( err := k8sClient.Create(context.Background(), namespace) Expect(err).ToNot(HaveOccurred()) - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil) + spec := createTriggerAuthenticationSpecWithPodIdentity(nil) ta := createTriggerAuthentication("clusternilidentityidta", namespaceName, "ClusterTriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -85,7 +85,7 @@ var _ = It("validate clustertriggerauthentication when IdentityID is empty", fun Expect(err).ToNot(HaveOccurred()) identityID := "" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + spec := createTriggerAuthenticationSpecWithPodIdentity(&identityID) ta := createTriggerAuthentication("clusteremptyidentityidta", namespaceName, "ClusterTriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) @@ -99,17 +99,17 @@ var _ = It("validate clustertriggerauthentication when IdentityID is not empty", Expect(err).ToNot(HaveOccurred()) identityID := "12345" - spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, &identityID) + spec := createTriggerAuthenticationSpecWithPodIdentity(&identityID) ta := createTriggerAuthentication("clusteridentityidta", namespaceName, "ClusterTriggerAuthentication", spec) Eventually(func() error { return k8sClient.Create(context.Background(), ta) }).ShouldNot(HaveOccurred()) }) -func createTriggerAuthenticationSpecWithPodIdentity(provider PodIdentityProvider, identityID *string) TriggerAuthenticationSpec { +func createTriggerAuthenticationSpecWithPodIdentity(identityID *string) TriggerAuthenticationSpec { return TriggerAuthenticationSpec{ PodIdentity: &AuthPodIdentity{ - Provider: provider, + Provider: PodIdentityProviderAzure, IdentityID: identityID, }, } From 8f130857c5ffb95e002ca97b3f63e93d2c97f6b1 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 6 Jul 2023 17:23:07 +0800 Subject: [PATCH 11/32] Update Signed-off-by: SpiritZhou --- apis/keda/v1alpha1/triggerauthentication_webhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook.go b/apis/keda/v1alpha1/triggerauthentication_webhook.go index 8c8b3d17d71..fd0415bda02 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook.go @@ -113,7 +113,7 @@ func validateSpec(spec *TriggerAuthenticationSpec) (admission.Warnings, error) { fallthrough case PodIdentityProviderAzureWorkload: if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" { - return nil, fmt.Errorf("identityid of PodIdentity should not be empty") + return nil, fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") } default: return nil, nil From 5de4f46beb95dc54373a37e5e4ad8294e8e086b2 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 7 Jul 2023 15:12:38 +0800 Subject: [PATCH 12/32] Add e2e test Signed-off-by: SpiritZhou --- .../azure_aad_pod_identityte_test.go | 153 ++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go diff --git a/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go b/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go new file mode 100644 index 00000000000..487245af525 --- /dev/null +++ b/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go @@ -0,0 +1,153 @@ +//go:build e2e +// +build e2e + +package azure_aad_pod_identity_test + +import ( + "context" + "fmt" + "testing" + + "github.com/joho/godotenv" + "github.com/stretchr/testify/assert" + "k8s.io/client-go/kubernetes" + + . "github.com/kedacore/keda/v2/tests/helper" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// Load environment variables from .env file +var _ = godotenv.Load("../../../.env") + +const ( + testName = "azure-aad-pod-identity-test" +) + +var ( + testNamespace = fmt.Sprintf("%s-ns", testName) + triggerAuthEmptyIdName = fmt.Sprintf("%s-ta-empty", testName) + triggerAuthNilIdName = fmt.Sprintf("%s-ta-nil", testName) + clusterTriggerAuthEmptyIdName = fmt.Sprintf("%s-cta-empty", testName) + clusterTriggerAuthNilIdName = fmt.Sprintf("%s-cta-nil", testName) +) + +type templateData struct { + TestNamespace string + TriggerAuthEmptyIdName string + TriggerAuthNilIdName string + ClusterTriggerAuthEmptyIdName string + ClusterTriggerAuthNilIdName string +} + +const ( + triggerAuthEmptyIdTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: {{.TriggerAuthEmptyIdName}} + namespace: {{.TestNamespace}} +spec: + podIdentity: + provider: azure + identityId: "" +` + + triggerAuthNilIdTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: {{.TriggerAuthNilIdName}} + namespace: {{.TestNamespace}} +spec: + podIdentity: + provider: azure +` + clusterTriggerAuthEmptyIdTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: ClusterTriggerAuthentication +metadata: + name: {{.ClusterTriggerAuthEmptyIdName}} +spec: + podIdentity: + provider: azure + identityId: "" +` + + clusterTriggerAuthNilIdTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: ClusterTriggerAuthentication +metadata: + name: {{.ClusterTriggerAuthNilIdName}} +spec: + podIdentity: + provider: azure +` +) + +func TestScaler(t *testing.T) { + // setup + t.Log("--- setting up ---") + + // Create kubernetes resources + kc := GetKubernetesClient(t) + data, templates := getTemplateData() + + CreateKubernetesResources(t, kc, testNamespace, data, templates) + + // test auth + testTriggerAuthenticationWithEmptyID(t, kc, data) + testTriggerAuthenticationWithNilID(t, kc, data) + testClusterTriggerAuthenticationWithEmptyID(t, kc, data) + testClusterTriggerAuthenticationWithNilID(t, kc, data) + + // cleanup + DeleteKubernetesResources(t, testNamespace, data, templates) +} + +func getTemplateData() (templateData, []Template) { + return templateData{ + TestNamespace: testNamespace, + TriggerAuthEmptyIdName: triggerAuthEmptyIdName, + TriggerAuthNilIdName: triggerAuthNilIdName, + ClusterTriggerAuthEmptyIdName: clusterTriggerAuthEmptyIdName, + ClusterTriggerAuthNilIdName: clusterTriggerAuthNilIdName, + }, []Template{} +} + +// expect triggerauthentication should not be created with empty identity id +func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { + t.Log("--- create triggerauthentication with empty identity id ---") + + err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIdTemplate", triggerAuthEmptyIdTemplate) + assert.Errorf(t, err, "can deploy TriggerAuthtication - %s", err) +} + +// expect triggerauthentication can be created without identity id property +func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { + t.Log("--- create triggerauthentication with nil identity id ---") + + kedaKc := GetKedaKubernetesClient(t) + KubectlApplyWithTemplate(t, data, "triggerAuthNilIdTemplate", triggerAuthNilIdTemplate) + + triggerauthentication, _ := kedaKc.TriggerAuthentications(testNamespace).Get(context.Background(), triggerAuthNilIdName, v1.GetOptions{}) + assert.NotNil(t, triggerauthentication) +} + +// expect clustertriggerauthentication should not be created with empty identity id +func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { + t.Log("--- create clustertriggerauthentication with empty identity id ---") + + err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIdTemplate", clusterTriggerAuthEmptyIdTemplate) + assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication - %s", err) +} + +// expect clustertriggerauthentication can be created without identity id property +func testClusterTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { + t.Log("--- create clustertriggerauthentication with nil identity id ---") + + kedaKc := GetKedaKubernetesClient(t) + KubectlApplyWithTemplate(t, data, "clusterTriggerAuthNilIdTemplate", clusterTriggerAuthNilIdTemplate) + + clustertriggerauthentication, _ := kedaKc.ClusterTriggerAuthentications().Get(context.Background(), clusterTriggerAuthNilIdTemplate, v1.GetOptions{}) + assert.NotNil(t, clustertriggerauthentication) +} From 42f14a1345d0fa59ecae4cfe8182fb85105f3d96 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 7 Jul 2023 15:43:50 +0800 Subject: [PATCH 13/32] Fix Signed-off-by: SpiritZhou --- .../azure_aad_pod_identityte_test.go | 71 +++++++++---------- 1 file changed, 35 insertions(+), 36 deletions(-) diff --git a/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go b/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go index 487245af525..327d798363f 100644 --- a/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go +++ b/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go @@ -10,10 +10,9 @@ import ( "github.com/joho/godotenv" "github.com/stretchr/testify/assert" - "k8s.io/client-go/kubernetes" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" . "github.com/kedacore/keda/v2/tests/helper" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) // Load environment variables from .env file @@ -25,26 +24,26 @@ const ( var ( testNamespace = fmt.Sprintf("%s-ns", testName) - triggerAuthEmptyIdName = fmt.Sprintf("%s-ta-empty", testName) - triggerAuthNilIdName = fmt.Sprintf("%s-ta-nil", testName) - clusterTriggerAuthEmptyIdName = fmt.Sprintf("%s-cta-empty", testName) - clusterTriggerAuthNilIdName = fmt.Sprintf("%s-cta-nil", testName) + triggerAuthEmptyIDName = fmt.Sprintf("%s-ta-empty", testName) + triggerAuthNilIDName = fmt.Sprintf("%s-ta-nil", testName) + clusterTriggerAuthEmptyIDName = fmt.Sprintf("%s-cta-empty", testName) + clusterTriggerAuthNilIDName = fmt.Sprintf("%s-cta-nil", testName) ) type templateData struct { TestNamespace string - TriggerAuthEmptyIdName string - TriggerAuthNilIdName string - ClusterTriggerAuthEmptyIdName string - ClusterTriggerAuthNilIdName string + TriggerAuthEmptyIDName string + TriggerAuthNilIDName string + ClusterTriggerAuthEmptyIDName string + ClusterTriggerAuthNilIDName string } const ( - triggerAuthEmptyIdTemplate = ` + triggerAuthEmptyIDTemplate = ` apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: {{.TriggerAuthEmptyIdName}} + name: {{.TriggerAuthEmptyIDName}} namespace: {{.TestNamespace}} spec: podIdentity: @@ -52,32 +51,32 @@ spec: identityId: "" ` - triggerAuthNilIdTemplate = ` + triggerAuthNilIDTemplate = ` apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: {{.TriggerAuthNilIdName}} + name: {{.TriggerAuthNilIDName}} namespace: {{.TestNamespace}} spec: podIdentity: provider: azure ` - clusterTriggerAuthEmptyIdTemplate = ` + clusterTriggerAuthEmptyIDTemplate = ` apiVersion: keda.sh/v1alpha1 kind: ClusterTriggerAuthentication metadata: - name: {{.ClusterTriggerAuthEmptyIdName}} + name: {{.ClusterTriggerAuthEmptyIDName}} spec: podIdentity: provider: azure identityId: "" ` - clusterTriggerAuthNilIdTemplate = ` + clusterTriggerAuthNilIDTemplate = ` apiVersion: keda.sh/v1alpha1 kind: ClusterTriggerAuthentication metadata: - name: {{.ClusterTriggerAuthNilIdName}} + name: {{.ClusterTriggerAuthNilIDName}} spec: podIdentity: provider: azure @@ -95,10 +94,10 @@ func TestScaler(t *testing.T) { CreateKubernetesResources(t, kc, testNamespace, data, templates) // test auth - testTriggerAuthenticationWithEmptyID(t, kc, data) - testTriggerAuthenticationWithNilID(t, kc, data) - testClusterTriggerAuthenticationWithEmptyID(t, kc, data) - testClusterTriggerAuthenticationWithNilID(t, kc, data) + testTriggerAuthenticationWithEmptyID(t, data) + testTriggerAuthenticationWithNilID(t, data) + testClusterTriggerAuthenticationWithEmptyID(t, data) + testClusterTriggerAuthenticationWithNilID(t, data) // cleanup DeleteKubernetesResources(t, testNamespace, data, templates) @@ -107,47 +106,47 @@ func TestScaler(t *testing.T) { func getTemplateData() (templateData, []Template) { return templateData{ TestNamespace: testNamespace, - TriggerAuthEmptyIdName: triggerAuthEmptyIdName, - TriggerAuthNilIdName: triggerAuthNilIdName, - ClusterTriggerAuthEmptyIdName: clusterTriggerAuthEmptyIdName, - ClusterTriggerAuthNilIdName: clusterTriggerAuthNilIdName, + TriggerAuthEmptyIDName: triggerAuthEmptyIDName, + TriggerAuthNilIDName: triggerAuthNilIDName, + ClusterTriggerAuthEmptyIDName: clusterTriggerAuthEmptyIDName, + ClusterTriggerAuthNilIDName: clusterTriggerAuthNilIDName, }, []Template{} } // expect triggerauthentication should not be created with empty identity id -func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testTriggerAuthenticationWithEmptyID(t *testing.T, data templateData) { t.Log("--- create triggerauthentication with empty identity id ---") - err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIdTemplate", triggerAuthEmptyIdTemplate) + err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIDTemplate", triggerAuthEmptyIDTemplate) assert.Errorf(t, err, "can deploy TriggerAuthtication - %s", err) } // expect triggerauthentication can be created without identity id property -func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testTriggerAuthenticationWithNilID(t *testing.T, data templateData) { t.Log("--- create triggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) - KubectlApplyWithTemplate(t, data, "triggerAuthNilIdTemplate", triggerAuthNilIdTemplate) + KubectlApplyWithTemplate(t, data, "triggerAuthNilITemplate", triggerAuthNilIDTemplate) - triggerauthentication, _ := kedaKc.TriggerAuthentications(testNamespace).Get(context.Background(), triggerAuthNilIdName, v1.GetOptions{}) + triggerauthentication, _ := kedaKc.TriggerAuthentications(testNamespace).Get(context.Background(), triggerAuthNilIDName, v1.GetOptions{}) assert.NotNil(t, triggerauthentication) } // expect clustertriggerauthentication should not be created with empty identity id -func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, data templateData) { t.Log("--- create clustertriggerauthentication with empty identity id ---") - err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIdTemplate", clusterTriggerAuthEmptyIdTemplate) + err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIDTemplate", clusterTriggerAuthEmptyIDTemplate) assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication - %s", err) } // expect clustertriggerauthentication can be created without identity id property -func testClusterTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testClusterTriggerAuthenticationWithNilID(t *testing.T, data templateData) { t.Log("--- create clustertriggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) - KubectlApplyWithTemplate(t, data, "clusterTriggerAuthNilIdTemplate", clusterTriggerAuthNilIdTemplate) + KubectlApplyWithTemplate(t, data, "clusterTriggerAuthNilIDTemplate", clusterTriggerAuthNilIDTemplate) - clustertriggerauthentication, _ := kedaKc.ClusterTriggerAuthentications().Get(context.Background(), clusterTriggerAuthNilIdTemplate, v1.GetOptions{}) + clustertriggerauthentication, _ := kedaKc.ClusterTriggerAuthentications().Get(context.Background(), clusterTriggerAuthNilIDTemplate, v1.GetOptions{}) assert.NotNil(t, clustertriggerauthentication) } From 9538860f957c624821a3360bbbceb3404024a8ec Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 10 Jul 2023 09:57:43 +0800 Subject: [PATCH 14/32] Update Signed-off-by: SpiritZhou --- pkg/scaling/resolver/scale_resolvers.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 0373aa5fe8d..57c7ec38ed2 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -198,7 +198,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] case kedav1alpha1.PodIdentityProviderAzure: if podIdentity.GetIdentityID() == "" { - logger.Info("WARNING: IdentityID of PodIdentity is empty or nil") + logger.Info("IdentityID of PodIdentity is empty.") } default: } From 0516b7054c6d53afe253af1427efce6c135a2226 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 10 Jul 2023 15:56:44 +0800 Subject: [PATCH 15/32] Update CHANGELOG.md Co-authored-by: Tom Kerkhove Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0fe534c850..3f85a5327a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,8 +52,8 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio ### Improvements -- **Azure Pod Identity**: Add validation of identity ID to prevent usage of empty identity ID ([#4528](https://github.com/kedacore/keda/issues/4528)) - **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) +- **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) ### Fixes From 113b11520be09b58caaf07c9436c0b9ccee040db Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 10 Jul 2023 15:58:09 +0800 Subject: [PATCH 16/32] Update Signed-off-by: SpiritZhou --- .../v1alpha1/scaledobject_webhook_test.go | 102 ------------------ 1 file changed, 102 deletions(-) diff --git a/apis/keda/v1alpha1/scaledobject_webhook_test.go b/apis/keda/v1alpha1/scaledobject_webhook_test.go index cdd5c45b4b2..1325f2d5288 100644 --- a/apis/keda/v1alpha1/scaledobject_webhook_test.go +++ b/apis/keda/v1alpha1/scaledobject_webhook_test.go @@ -30,108 +30,6 @@ import ( "k8s.io/utils/pointer" ) -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. - -// var cfg *rest.Config -// var k8sClient client.Client -// var testEnv *envtest.Environment -// var ctx context.Context -// var cancel context.CancelFunc - -// const ( -// workloadName = "deployment-name" -// soName = "test-so" -// ) - -// func TestAPIs(t *testing.T) { -// RegisterFailHandler(Fail) - -// RunSpecs(t, "Webhook Suite") -// } - -// var _ = BeforeSuite(func() { -// logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - -// ctx, cancel = context.WithCancel(context.Background()) - -// By("bootstrapping test environment") -// testEnv = &envtest.Environment{ -// CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, -// ErrorIfCRDPathMissing: false, -// WebhookInstallOptions: envtest.WebhookInstallOptions{ -// Paths: []string{filepath.Join("..", "..", "..", "config", "webhooks")}, -// }, -// } -// fmt.Println("xxxxxxxxxxf") -// var err error -// // cfg is defined in this file globally. -// done := make(chan interface{}) -// go func() { -// defer GinkgoRecover() -// cfg, err = testEnv.Start() -// close(done) -// }() -// Eventually(done).WithTimeout(time.Minute).Should(BeClosed()) -// Expect(err).NotTo(HaveOccurred()) -// Expect(cfg).NotTo(BeNil()) - -// scheme := runtime.NewScheme() -// err = AddToScheme(scheme) -// Expect(err).NotTo(HaveOccurred()) - -// err = clientgoscheme.AddToScheme(scheme) -// Expect(err).NotTo(HaveOccurred()) - -// err = admissionv1beta1.AddToScheme(scheme) -// Expect(err).NotTo(HaveOccurred()) - -// //+kubebuilder:scaffold:scheme - -// k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) -// Expect(err).NotTo(HaveOccurred()) -// Expect(k8sClient).NotTo(BeNil()) - -// // start webhook server using Manager -// webhookInstallOptions := &testEnv.WebhookInstallOptions -// mgr, err := ctrl.NewManager(cfg, ctrl.Options{ -// Scheme: scheme, -// Host: webhookInstallOptions.LocalServingHost, -// Port: webhookInstallOptions.LocalServingPort, -// CertDir: webhookInstallOptions.LocalServingCertDir, -// LeaderElection: false, -// MetricsBindAddress: "0", -// }) -// Expect(err).NotTo(HaveOccurred()) - -// err = (&ScaledObject{}).SetupWebhookWithManager(mgr) -// Expect(err).NotTo(HaveOccurred()) - -// err = (&TriggerAuthentication{}).SetupWebhookWithManager(mgr) -// Expect(err).NotTo(HaveOccurred()) - -// //+kubebuilder:scaffold:webhook - -// go func() { -// defer GinkgoRecover() -// err = mgr.Start(ctx) -// Expect(err).NotTo(HaveOccurred()) -// }() - -// // wait for the webhook server to get ready -// dialer := &net.Dialer{Timeout: time.Second} -// addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) -// Eventually(func() error { -// conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) -// if err != nil { -// return err -// } -// conn.Close() -// return nil -// }).Should(Succeed()) - -// }) - var _ = It("should validate the so creation when there isn't any hpa", func() { namespaceName := "valid" From 5b95650f8284351f50e5615f7b11ee1bec02c6bb Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Wed, 12 Jul 2023 10:28:41 +0800 Subject: [PATCH 17/32] Update Signed-off-by: SpiritZhou --- pkg/scaling/resolver/scale_resolvers.go | 4 ++-- .../trigger_authentication_validation_test.go} | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) rename tests/{scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go => internals/trigger_authentication_validation/trigger_authentication_validation_test.go} (99%) diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 57c7ec38ed2..60015c212d0 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -197,8 +197,8 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log case kedav1alpha1.PodIdentityProviderAwsKiam: authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] case kedav1alpha1.PodIdentityProviderAzure: - if podIdentity.GetIdentityID() == "" { - logger.Info("IdentityID of PodIdentity is empty.") + if *podIdentity.IdentityID == "" { + return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, fmt.Errorf("IdentityID of PodIdentity should not be empty") } default: } diff --git a/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go similarity index 99% rename from tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go rename to tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index 327d798363f..b97f76fa53c 100644 --- a/tests/scalers/azure/azure_aad_pod_identity/azure_aad_pod_identityte_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -1,7 +1,7 @@ //go:build e2e // +build e2e -package azure_aad_pod_identity_test +package trigger_authentication_validation_test import ( "context" From a18352870c1470771fce5783536330eacae341fe Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 13 Jul 2023 10:12:36 +0800 Subject: [PATCH 18/32] Update pkg/scaling/resolver/scale_resolvers.go Co-authored-by: Jorge Turrado Ferrero Signed-off-by: SpiritZhou --- pkg/scaling/resolver/scale_resolvers.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 60015c212d0..407dc93f2b9 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -197,7 +197,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log case kedav1alpha1.PodIdentityProviderAwsKiam: authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] case kedav1alpha1.PodIdentityProviderAzure: - if *podIdentity.IdentityID == "" { + if podIdentity.IdentityID != nil && *podIdentity.IdentityID == "" { return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, fmt.Errorf("IdentityID of PodIdentity should not be empty") } default: From 8126a3330c3c702371e3bcad89a428b89f92cb3f Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Thu, 13 Jul 2023 10:40:16 +0800 Subject: [PATCH 19/32] Update Signed-off-by: SpiritZhou --- .../trigger_authentication_validation_test.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index b97f76fa53c..bc1607921cb 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -11,6 +11,7 @@ import ( "github.com/joho/godotenv" "github.com/stretchr/testify/assert" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" . "github.com/kedacore/keda/v2/tests/helper" ) @@ -94,10 +95,10 @@ func TestScaler(t *testing.T) { CreateKubernetesResources(t, kc, testNamespace, data, templates) // test auth - testTriggerAuthenticationWithEmptyID(t, data) - testTriggerAuthenticationWithNilID(t, data) - testClusterTriggerAuthenticationWithEmptyID(t, data) - testClusterTriggerAuthenticationWithNilID(t, data) + testTriggerAuthenticationWithEmptyID(t, kc, data) + testTriggerAuthenticationWithNilID(t, kc, data) + testClusterTriggerAuthenticationWithEmptyID(t, kc, data) + testClusterTriggerAuthenticationWithNilID(t, kc, data) // cleanup DeleteKubernetesResources(t, testNamespace, data, templates) @@ -114,7 +115,7 @@ func getTemplateData() (templateData, []Template) { } // expect triggerauthentication should not be created with empty identity id -func testTriggerAuthenticationWithEmptyID(t *testing.T, data templateData) { +func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with empty identity id ---") err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIDTemplate", triggerAuthEmptyIDTemplate) @@ -122,7 +123,7 @@ func testTriggerAuthenticationWithEmptyID(t *testing.T, data templateData) { } // expect triggerauthentication can be created without identity id property -func testTriggerAuthenticationWithNilID(t *testing.T, data templateData) { +func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) @@ -133,7 +134,7 @@ func testTriggerAuthenticationWithNilID(t *testing.T, data templateData) { } // expect clustertriggerauthentication should not be created with empty identity id -func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, data templateData) { +func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with empty identity id ---") err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIDTemplate", clusterTriggerAuthEmptyIDTemplate) @@ -141,7 +142,7 @@ func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, data templateData } // expect clustertriggerauthentication can be created without identity id property -func testClusterTriggerAuthenticationWithNilID(t *testing.T, data templateData) { +func testClusterTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) From e00f69339fdd1d58c55a668222a79a7a5f7b69fa Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Wed, 19 Jul 2023 10:30:14 +0800 Subject: [PATCH 20/32] Update Signed-off-by: SpiritZhou --- .../trigger_authentication_validation_test.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index bc1607921cb..9c1e3798052 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -115,6 +115,8 @@ func getTemplateData() (templateData, []Template) { } // expect triggerauthentication should not be created with empty identity id +// +//revive:disable:unused-parameter func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with empty identity id ---") @@ -123,6 +125,8 @@ func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset } // expect triggerauthentication can be created without identity id property +// +//revive:disable:unused-parameter func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with nil identity id ---") @@ -134,6 +138,8 @@ func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, } // expect clustertriggerauthentication should not be created with empty identity id +// +//revive:disable:unused-parameter func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with empty identity id ---") @@ -142,6 +148,8 @@ func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Cl } // expect clustertriggerauthentication can be created without identity id property +// +//revive:disable:unused-parameter func testClusterTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with nil identity id ---") From ccc4bdc0d1455a175eabc3ce032de52795a1dc0c Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Wed, 19 Jul 2023 11:07:09 +0800 Subject: [PATCH 21/32] Update Signed-off-by: SpiritZhou --- .../trigger_authentication_validation_test.go | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index 9c1e3798052..47eb7640935 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -115,9 +115,7 @@ func getTemplateData() (templateData, []Template) { } // expect triggerauthentication should not be created with empty identity id -// -//revive:disable:unused-parameter -func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testTriggerAuthenticationWithEmptyID(t *testing.T, _ *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with empty identity id ---") err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIDTemplate", triggerAuthEmptyIDTemplate) @@ -125,9 +123,7 @@ func testTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset } // expect triggerauthentication can be created without identity id property -// -//revive:disable:unused-parameter -func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testTriggerAuthenticationWithNilID(t *testing.T, _ *kubernetes.Clientset, data templateData) { t.Log("--- create triggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) @@ -138,9 +134,7 @@ func testTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, } // expect clustertriggerauthentication should not be created with empty identity id -// -//revive:disable:unused-parameter -func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, _ *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with empty identity id ---") err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIDTemplate", clusterTriggerAuthEmptyIDTemplate) @@ -148,9 +142,7 @@ func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, kc *kubernetes.Cl } // expect clustertriggerauthentication can be created without identity id property -// -//revive:disable:unused-parameter -func testClusterTriggerAuthenticationWithNilID(t *testing.T, kc *kubernetes.Clientset, data templateData) { +func testClusterTriggerAuthenticationWithNilID(t *testing.T, _ *kubernetes.Clientset, data templateData) { t.Log("--- create clustertriggerauthentication with nil identity id ---") kedaKc := GetKedaKubernetesClient(t) From b7ce1d96f41b45fe77315fb3e4a0b8672a41ded0 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 18 Aug 2023 11:21:49 +0800 Subject: [PATCH 22/32] Update Signed-off-by: SpiritZhou --- .../v1alpha1/triggerauthentication_webhook.go | 4 +- pkg/scaling/resolver/scale_resolvers.go | 2 +- .../trigger_authentication_validation_test.go | 101 +++++++++++++++--- 3 files changed, 88 insertions(+), 19 deletions(-) diff --git a/apis/keda/v1alpha1/triggerauthentication_webhook.go b/apis/keda/v1alpha1/triggerauthentication_webhook.go index fd0415bda02..72b14e1b388 100644 --- a/apis/keda/v1alpha1/triggerauthentication_webhook.go +++ b/apis/keda/v1alpha1/triggerauthentication_webhook.go @@ -109,9 +109,7 @@ func isTriggerAuthenticationRemovingFinalizer(om metav1.ObjectMeta, oldOm metav1 func validateSpec(spec *TriggerAuthenticationSpec) (admission.Warnings, error) { if spec.PodIdentity != nil { switch spec.PodIdentity.Provider { - case PodIdentityProviderAzure: - fallthrough - case PodIdentityProviderAzureWorkload: + case PodIdentityProviderAzure, PodIdentityProviderAzureWorkload: if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" { return nil, fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") } diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 407dc93f2b9..bcba35d9fed 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -196,7 +196,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log authParams["awsRoleArn"] = serviceAccount.Annotations[kedav1alpha1.PodIdentityAnnotationEKS] case kedav1alpha1.PodIdentityProviderAwsKiam: authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] - case kedav1alpha1.PodIdentityProviderAzure: + case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: if podIdentity.IdentityID != nil && *podIdentity.IdentityID == "" { return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, fmt.Errorf("IdentityID of PodIdentity should not be empty") } diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index 47eb7640935..8cca254d2ba 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -24,19 +24,27 @@ const ( ) var ( - testNamespace = fmt.Sprintf("%s-ns", testName) - triggerAuthEmptyIDName = fmt.Sprintf("%s-ta-empty", testName) - triggerAuthNilIDName = fmt.Sprintf("%s-ta-nil", testName) - clusterTriggerAuthEmptyIDName = fmt.Sprintf("%s-cta-empty", testName) - clusterTriggerAuthNilIDName = fmt.Sprintf("%s-cta-nil", testName) + testNamespace = fmt.Sprintf("%s-ns", testName) + triggerAuthEmptyIDName = fmt.Sprintf("%s-ta-empty", testName) + triggerAuthNilIDName = fmt.Sprintf("%s-ta-nil", testName) + clusterTriggerAuthEmptyIDName = fmt.Sprintf("%s-cta-empty", testName) + clusterTriggerAuthNilIDName = fmt.Sprintf("%s-cta-nil", testName) + triggerAuthWorkloadEmptyIDName = fmt.Sprintf("%s-ta-workload-empty", testName) + triggerAuthWorkloadNilIDName = fmt.Sprintf("%s-ta-workload-nil", testName) + clusterTriggerAuthWorkloadEmptyIDName = fmt.Sprintf("%s-cta-workload-empty", testName) + clusterTriggerAuthWorkloadNilIDName = fmt.Sprintf("%s-cta-workload-nil", testName) ) type templateData struct { - TestNamespace string - TriggerAuthEmptyIDName string - TriggerAuthNilIDName string - ClusterTriggerAuthEmptyIDName string - ClusterTriggerAuthNilIDName string + TestNamespace string + TriggerAuthEmptyIDName string + TriggerAuthNilIDName string + ClusterTriggerAuthEmptyIDName string + ClusterTriggerAuthNilIDName string + TriggerAuthWorkloadEmptyIDName string + TriggerAuthWorkloadNilIDName string + ClusterTriggerAuthWorkloadEmptyIDName string + ClusterTriggerAuthWorkloadNilIDName string } const ( @@ -82,6 +90,49 @@ spec: podIdentity: provider: azure ` + + triggerAuthWorkloadEmptyIDTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: {{.TriggerAuthEmptyIDName}} + namespace: {{.TestNamespace}} +spec: + podIdentity: + provider: azure-workload + identityId: "" +` + + triggerAuthWorkloadNilIDTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: {{.TriggerAuthNilIDName}} + namespace: {{.TestNamespace}} +spec: + podIdentity: + provider: azure-workload +` + clusterTriggerAuthWorkloadEmptyIDTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: ClusterTriggerAuthentication +metadata: + name: {{.ClusterTriggerAuthEmptyIDName}} +spec: + podIdentity: + provider: azure-workload + identityId: "" +` + + clusterTriggerAuthWorkloadNilIDTemplate = ` +apiVersion: keda.sh/v1alpha1 +kind: ClusterTriggerAuthentication +metadata: + name: {{.ClusterTriggerAuthNilIDName}} +spec: + podIdentity: + provider: azure-workload +` ) func TestScaler(t *testing.T) { @@ -106,11 +157,15 @@ func TestScaler(t *testing.T) { func getTemplateData() (templateData, []Template) { return templateData{ - TestNamespace: testNamespace, - TriggerAuthEmptyIDName: triggerAuthEmptyIDName, - TriggerAuthNilIDName: triggerAuthNilIDName, - ClusterTriggerAuthEmptyIDName: clusterTriggerAuthEmptyIDName, - ClusterTriggerAuthNilIDName: clusterTriggerAuthNilIDName, + TestNamespace: testNamespace, + TriggerAuthEmptyIDName: triggerAuthEmptyIDName, + TriggerAuthNilIDName: triggerAuthNilIDName, + ClusterTriggerAuthEmptyIDName: clusterTriggerAuthWorkloadEmptyIDName, + ClusterTriggerAuthNilIDName: clusterTriggerAuthWorkloadNilIDName, + TriggerAuthWorkloadEmptyIDName: triggerAuthWorkloadEmptyIDName, + TriggerAuthWorkloadNilIDName: triggerAuthWorkloadNilIDName, + ClusterTriggerAuthWorkloadEmptyIDName: clusterTriggerAuthWorkloadEmptyIDName, + ClusterTriggerAuthWorkloadNilIDName: clusterTriggerAuthWorkloadNilIDName, }, []Template{} } @@ -120,6 +175,9 @@ func testTriggerAuthenticationWithEmptyID(t *testing.T, _ *kubernetes.Clientset, err := KubectlApplyWithErrors(t, data, "triggerAuthEmptyIDTemplate", triggerAuthEmptyIDTemplate) assert.Errorf(t, err, "can deploy TriggerAuthtication - %s", err) + + err = KubectlApplyWithErrors(t, data, "triggerAuthWorkloadEmptyIDTemplate", triggerAuthWorkloadEmptyIDTemplate) + assert.Errorf(t, err, "can deploy TriggerAuthtication with azureworkload - %s", err) } // expect triggerauthentication can be created without identity id property @@ -131,6 +189,11 @@ func testTriggerAuthenticationWithNilID(t *testing.T, _ *kubernetes.Clientset, d triggerauthentication, _ := kedaKc.TriggerAuthentications(testNamespace).Get(context.Background(), triggerAuthNilIDName, v1.GetOptions{}) assert.NotNil(t, triggerauthentication) + + KubectlApplyWithTemplate(t, data, "triggerAuthWorkloadNilITemplate", triggerAuthWorkloadNilIDTemplate) + + triggerauthentication, _ = kedaKc.TriggerAuthentications(testNamespace).Get(context.Background(), triggerAuthWorkloadNilIDName, v1.GetOptions{}) + assert.NotNil(t, triggerauthentication) } // expect clustertriggerauthentication should not be created with empty identity id @@ -139,6 +202,9 @@ func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, _ *kubernetes.Cli err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIDTemplate", clusterTriggerAuthEmptyIDTemplate) assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication - %s", err) + + err = KubectlApplyWithErrors(t, data, "clusterTriggerAuthWorkloadEmptyIDName", clusterTriggerAuthWorkloadEmptyIDName) + assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication with azureworkload - %s", err) } // expect clustertriggerauthentication can be created without identity id property @@ -150,4 +216,9 @@ func testClusterTriggerAuthenticationWithNilID(t *testing.T, _ *kubernetes.Clien clustertriggerauthentication, _ := kedaKc.ClusterTriggerAuthentications().Get(context.Background(), clusterTriggerAuthNilIDTemplate, v1.GetOptions{}) assert.NotNil(t, clustertriggerauthentication) + + KubectlApplyWithTemplate(t, data, "clusterTriggerAuthWorkloadNilIDTemplate", clusterTriggerAuthWorkloadNilIDTemplate) + + clustertriggerauthentication, _ = kedaKc.ClusterTriggerAuthentications().Get(context.Background(), clusterTriggerAuthWorkloadNilIDTemplate, v1.GetOptions{}) + assert.NotNil(t, clustertriggerauthentication) } From 58d32c8343cdc4aab499fc7d0e258e838c479ebe Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 18 Aug 2023 11:37:34 +0800 Subject: [PATCH 23/32] Update Signed-off-by: SpiritZhou --- .../trigger_authentication_validation_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index 8cca254d2ba..503e9a0a6a5 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -95,7 +95,7 @@ spec: apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: {{.TriggerAuthEmptyIDName}} + name: {{.TriggerAuthWorkloadEmptyIDName}} namespace: {{.TestNamespace}} spec: podIdentity: @@ -107,7 +107,7 @@ spec: apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: {{.TriggerAuthNilIDName}} + name: {{.TriggerAuthWorkloadNilIDName}} namespace: {{.TestNamespace}} spec: podIdentity: @@ -117,7 +117,7 @@ spec: apiVersion: keda.sh/v1alpha1 kind: ClusterTriggerAuthentication metadata: - name: {{.ClusterTriggerAuthEmptyIDName}} + name: {{.ClusterTriggerAuthWorkloadEmptyIDName}} spec: podIdentity: provider: azure-workload @@ -128,7 +128,7 @@ spec: apiVersion: keda.sh/v1alpha1 kind: ClusterTriggerAuthentication metadata: - name: {{.ClusterTriggerAuthNilIDName}} + name: {{.ClusterTriggerAuthWorkloadNilIDName}} spec: podIdentity: provider: azure-workload @@ -203,7 +203,7 @@ func testClusterTriggerAuthenticationWithEmptyID(t *testing.T, _ *kubernetes.Cli err := KubectlApplyWithErrors(t, data, "clusterTriggerAuthEmptyIDTemplate", clusterTriggerAuthEmptyIDTemplate) assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication - %s", err) - err = KubectlApplyWithErrors(t, data, "clusterTriggerAuthWorkloadEmptyIDName", clusterTriggerAuthWorkloadEmptyIDName) + err = KubectlApplyWithErrors(t, data, "clusterTriggerAuthWorkloadEmptyIDTemplate", clusterTriggerAuthWorkloadEmptyIDTemplate) assert.Errorf(t, err, "can deploy ClusterTriggerAuthtication with azureworkload - %s", err) } From 82ee9aa042a99a95ce07b1c1c99d68e23e6e2ad0 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 18 Aug 2023 11:54:06 +0800 Subject: [PATCH 24/32] Update Signed-off-by: SpiritZhou --- .../trigger_authentication_validation_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go index 503e9a0a6a5..f15099cfd7b 100644 --- a/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go +++ b/tests/internals/trigger_authentication_validation/trigger_authentication_validation_test.go @@ -160,8 +160,8 @@ func getTemplateData() (templateData, []Template) { TestNamespace: testNamespace, TriggerAuthEmptyIDName: triggerAuthEmptyIDName, TriggerAuthNilIDName: triggerAuthNilIDName, - ClusterTriggerAuthEmptyIDName: clusterTriggerAuthWorkloadEmptyIDName, - ClusterTriggerAuthNilIDName: clusterTriggerAuthWorkloadNilIDName, + ClusterTriggerAuthEmptyIDName: clusterTriggerAuthEmptyIDName, + ClusterTriggerAuthNilIDName: clusterTriggerAuthNilIDName, TriggerAuthWorkloadEmptyIDName: triggerAuthWorkloadEmptyIDName, TriggerAuthWorkloadNilIDName: triggerAuthWorkloadNilIDName, ClusterTriggerAuthWorkloadEmptyIDName: clusterTriggerAuthWorkloadEmptyIDName, From f0bd980ad4d90bc7513eff8f7fa522d883a6d4d3 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 18 Aug 2023 12:26:55 +0800 Subject: [PATCH 25/32] Update Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ba222880a2..cd214ea49ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,8 +55,8 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio - **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) -- **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) - **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) +- **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) ### Fixes From 12f1fb41a0eb36f2b49c1aaf9c3c7694fa537e3c Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 18 Aug 2023 12:41:12 +0800 Subject: [PATCH 26/32] Fix order Signed-off-by: SpiritZhou --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd214ea49ba..5e0c188e940 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,11 +52,10 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) ### Improvements - -- **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) -- **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) +- **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) +- **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) ### Fixes From 00a359fff202e2229a4a9fd44a02a1e835b6f734 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 21 Aug 2023 15:39:32 +0800 Subject: [PATCH 27/32] Update CHANGELOG.md Co-authored-by: Tom Kerkhove Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e0c188e940..fb2926fcc93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,8 +54,8 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio ### Improvements - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) -- **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) - **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) +- **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) ### Fixes From 1d2344c67bd221afd0633dc367c6ca43ca2a6b6e Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 21 Aug 2023 16:18:35 +0800 Subject: [PATCH 28/32] Update CHANGELOG.md Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb2926fcc93..6da4506bb76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,7 +54,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio ### Improvements - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) -- **General:**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) +- **General**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) ### Fixes From dfa0e7f5eb32b1d19e84e0699c5ed4d373cac5ee Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 21 Aug 2023 16:47:48 +0800 Subject: [PATCH 29/32] Update CHANGELOG.md Signed-off-by: SpiritZhou --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6da4506bb76..f217a01a6ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,11 +52,12 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) ### Improvements + +- **General**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) -- **General**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) - + ### Fixes - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) From c00289d41692d5916a39994b3c81e6fd560ba568 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 21 Aug 2023 17:08:48 +0800 Subject: [PATCH 30/32] Update CHANGELOG.md Signed-off-by: SpiritZhou --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f217a01a6ff..3e847f1396e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,12 +52,11 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) ### Improvements - - **General**: Add ScaledObject/ScaledJob names to output of `kubectl get triggerauthentication/clustertriggerauthentication` ([#796](https://github.com/kedacore/keda/issues/796)) - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) - **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) - +- ### Fixes - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) From 0f93a62f8e07cc3bac53f8eefd7dfb0906388e76 Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Mon, 21 Aug 2023 17:23:00 +0800 Subject: [PATCH 31/32] Update CHANGELOG.md Signed-off-by: SpiritZhou --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e847f1396e..1ae41737aff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -56,7 +56,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio - **General**: Add standalone CRD generation to release workflow ([#2726](https://github.com/kedacore/keda/issues/2726)) - **General**: Adding a changelog validating script to check for formatting and order ([#3190](https://github.com/kedacore/keda/issues/3190)) - **Azure Pod Identity**: Introduce validation to prevent usage of empty identity ID for Azure identity providers ([#4528](https://github.com/kedacore/keda/issues/4528)) -- + ### Fixes - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) From 78307d74ebc04c33a48184fbb03402c1077b24df Mon Sep 17 00:00:00 2001 From: SpiritZhou Date: Fri, 25 Aug 2023 15:50:14 +0800 Subject: [PATCH 32/32] Update Signed-off-by: SpiritZhou --- pkg/scalers/azure/azure_monitor.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/scalers/azure/azure_monitor.go b/pkg/scalers/azure/azure_monitor.go index 6065bb778b8..0ed25ff561c 100644 --- a/pkg/scalers/azure/azure_monitor.go +++ b/pkg/scalers/azure/azure_monitor.go @@ -89,11 +89,11 @@ func createMetricsClient(ctx context.Context, info MonitorInfo, podIdentity keda case kedav1alpha1.PodIdentityProviderAzure: config := auth.NewMSIConfig() config.Resource = info.AzureResourceManagerEndpoint - config.ClientID = *podIdentity.IdentityID + config.ClientID = podIdentity.GetIdentityID() authConfig = config case kedav1alpha1.PodIdentityProviderAzureWorkload: - authConfig = NewAzureADWorkloadIdentityConfig(ctx, *podIdentity.IdentityID, info.AzureResourceManagerEndpoint) + authConfig = NewAzureADWorkloadIdentityConfig(ctx, podIdentity.GetIdentityID(), info.AzureResourceManagerEndpoint) } authorizer, _ := authConfig.Authorizer()