Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Roadmap: KEDA Scale with Managed Identity #592

Closed
SophCarp opened this issue Jan 23, 2023 · 50 comments
Closed

Roadmap: KEDA Scale with Managed Identity #592

SophCarp opened this issue Jan 23, 2023 · 50 comments
Assignees
Labels
enhancement New feature or request Networking Related to ACA networking roadmap This feature is on the roadmap Scale related to scaling behavior

Comments

@SophCarp
Copy link

SophCarp commented Jan 23, 2023

No ETA yet

@SophCarp SophCarp added enhancement New feature or request roadmap This feature is on the roadmap Networking Related to ACA networking Scale related to scaling behavior labels Jan 23, 2023
@ghost ghost added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Jan 23, 2023
@SophCarp SophCarp removed the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Jan 23, 2023
@SophCarp SophCarp changed the title KEDA Scale with Managed Identity Roadmap KEDA Scale with Managed Identity Jan 30, 2023
@SophCarp SophCarp changed the title Roadmap KEDA Scale with Managed Identity Roadmap: KEDA Scale with Managed Identity Jan 30, 2023
@cachai2 cachai2 self-assigned this Mar 6, 2023
@Ralle1986
Copy link

any ETA on this ?

@preardon
Copy link

preardon commented Aug 4, 2023

Anything we can do to increase the priority on this?

@andreaskasc
Copy link

We would really need this feature. Is there any update for it?

@preardon
Copy link

preardon commented Oct 5, 2023

We would really need this feature. Is there any update for it?

Agreed, this is a bit of a blocker for us moving to ACA

@onionhammer
Copy link

Yes please, this would be tremendous

@KamilLach
Copy link

This will be a great improvement for our ACA architecture

@superzer0
Copy link

+1

@mikocot
Copy link

mikocot commented Nov 21, 2023

are there any particular difficulties implementing that?

@ezYakaEagle442
Copy link

Hi @SophCarp could you please share an ETA ?

@coin-op
Copy link

coin-op commented Jan 25, 2024

Please can this be sorted out @SophCarp. 1 year on a backlog!

@mjrousos
Copy link
Member

mjrousos commented Feb 7, 2024

Needing a SAS-based connection string for KEDA scaling is the only reason I need local authentication enabled on a Service Bus namespace for the solution I'm working on. Everything else authenticates with managed identity. It would be great to add support for that here.

@preardon
Copy link

preardon commented Feb 7, 2024

Needing SAS for KEDA is the reason why we've not moved to ACA or KEDA as yet, I refused to lower security

@vturecek
Copy link

vturecek commented Jun 5, 2024

Hi everyone, thanks for your patience on this. KEDA support for managed identity is rolling out, docs are getting prepped for publishing, and we will be announcing availability before the end of the month.

@Hi-Fi
Copy link

Hi-Fi commented Jun 25, 2024

Seems that KEDA got updated already at least in Sweden Central region. Should managed identities already work or is there some wrapper in between that requires also changes @vturecek?

@vturecek
Copy link

@Hi-Fi yes this now available in all regions with API version 2024-02-02-preview.

I am still waiting on editing and publication of additional documentation, but this should get you started: https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet#use-managed-identity-for-scale-rules

Thanks for your patience. I'll post links to additional documentation once it is published. Please let us know if you have any feedback.

@github-project-automation github-project-automation bot moved this from Planned (Committed) to In-Progress (Development) in Azure Container Apps Roadmap Jun 28, 2024
@alexpkent
Copy link

alexpkent commented Jul 1, 2024

I can confirm this is working however the docs on the above links are targeted at Storage Accounts and incorrect for Service Bus queue scaling for example.

Instead of the Scale Rule requiring a metadata property called accountName as the docs state, it needs a metadata property called namespace instead.

@vturecek
Copy link

vturecek commented Jul 2, 2024

@alexpkent the example here shows a Service Bus queue scale rule with the namespace set: https://learn.microsoft.com/en-us/azure/container-apps/scale-app?pivots=azure-cli#example-3

The other examples we have show Azure Storage queues with accountName, for example: https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet#scale-rules

Where do you see an example Service Bus queue scale rule with accountName instead of namespace set in the metadata?

@haflidif
Copy link

haflidif commented Jul 2, 2024

@vturecek Are there any examples on how to utilize this with the event driven configuration for azure-pipelines KEDA Scaler in Container App Jobs, or is that still not supporting Managed Identity to monitor the queue in Azure DevOps ? and you still need to use PAT there ?

@drdr-vincentvm
Copy link

@haflidif I got this working today after a bit of trial and error as I couldn't see how to do it from the docs.

Don't use organizationURLFromEnv in the metadata as you might expect. Keep using the auth element to specify the org, just remove the PAT from it.

See this bicep:

rules: [
  {
    name: 'azure-pipelines'
    type: 'azure-pipelines'
    metadata: {
      poolName: azureDevopsAgentPool
    }
    auth: [
      {
        secretRef: 'azure-devops-organization-url'
        triggerParameter: 'organizationURL'
      }
    ]
    identity: userManagedIdentity.id
  }
]

Set the org URL in your job secrets as well (just as a direct value, no key vault needed) and you're good to go.

I've now completely eliminated PATs in my self hosted agents on Container App Jobs, it's great.

@haflidif
Copy link

haflidif commented Jul 2, 2024

@haflidif I got this working today after a bit of trial and error as I couldn't see how to do it from the docs.

Don't use organizationURLFromEnv in the metadata as you might expect. Keep using the auth element to specify the org, just remove the PAT from it.

See this bicep:


rules: [

  {

    name: 'azure-pipelines'

    type: 'azure-pipelines'

    metadata: {

      poolName: azureDevopsAgentPool

    }

    auth: [

      {

        secretRef: 'azure-devops-organization-url'

        triggerParameter: 'organizationURL'

      }

    ]

    identity: userManagedIdentity.id

  }

]

Set the org URL in your job secrets as well (just as a direct value, no key vault needed) and you're good to go.

I've now completely eliminated PATs in my self hosted agents on Container App Jobs, it's great.

Awesome 👏 Thank you very much!

I'll try it out at keep you updated

@jemrpo
Copy link

jemrpo commented Jul 4, 2024

@haflidif I got this working today after a bit of trial and error as I couldn't see how to do it from the docs.

Don't use organizationURLFromEnv in the metadata as you might expect. Keep using the auth element to specify the org, just remove the PAT from it.

See this bicep:

rules: [
  {
    name: 'azure-pipelines'
    type: 'azure-pipelines'
    metadata: {
      poolName: azureDevopsAgentPool
    }
    auth: [
      {
        secretRef: 'azure-devops-organization-url'
        triggerParameter: 'organizationURL'
      }
    ]
    identity: userManagedIdentity.id
  }
]

Set the org URL in your job secrets as well (just as a direct value, no key vault needed) and you're good to go.

I've now completely eliminated PATs in my self hosted agents on Container App Jobs, it's great.

I confirm this works perfectly fine.

@andreaskasc
Copy link

andreaskasc commented Jul 8, 2024

Hi @vturecek,
I am trying to make it work with Azure Event Hubs scaler. The ACA deployment is done with bicep. The initial rule using connection strings is as following:
image
I tried replacing the auth section with just the identity but I haven't succeeded.
image
First off, I get a bicep syntax warning: The property "identity" is not allowed on objects of type "CustomScaleRule". Permissible properties include "auth". And when deploying it, I don't see the identity anywhere in the scaling rule definition and I get errors from KEDA logger, like "unable to get eventhub metadata: no storage connection string given".
Do you have any example using managed identity with Azure Event Hubs scaler?

Edit: I also tried putting the identity inside the metadata section, but still no luck.

@drdr-vincentvm
Copy link

@andreaskasc did you update the API version of your ACA resource to 2024-02-02-preview?

@rajravat
Copy link

is this only available for cli/api at the minute and not bicep? i cant see a 2024-02-02-preview for bicep and havent been able to get it to work (unless i use cli)

@drdr-vincentvm
Copy link

Yes, I've used it in bicep, I just ignore the warning that it doesn't know about 2024-02-02-preview, it doesn't stop the deployment from going through.

@rajravat
Copy link

Thanks, i managed to get it working with bicep + ignoring warning

@andreaskasc
Copy link

Thanks @drdr-vincentvm I made it work with the changed ACA API version.

For anyone using the Event Hubs scaler, this is how it is supposed to be:
image

However, since I am using bicep for deployments and this version is not there yet on the bicep module (https://learn.microsoft.com/en-us/azure/templates/microsoft.app/containerapps?pivots=deployment-language-bicep) I will not use it yet.
And the reason is that on one hand I am getting warnings on the deployment and I also do not have any validation on the bicep module itself. And on the other hand, I am getting some others errors not related to KEDA scaling on the probes of the ACA itself. Maybe I need to make some other changes in the bicep module definition for it, but I will wait until 2024-02-02-preview (or better an official version) is available on the bicep module.
@vturecek what is the plan for adding the new ACA version to the bicep module?

@mjrousos
Copy link
Member

mjrousos commented Aug 7, 2024

Has anyone got this working with Service Bus yet? I'm using version 2024-02-02-preview of the ACA API and the container app provisions without error but it doesn't scale.

Scale rule looks like this:

scaleRules: [
      {
        name: 'service-bus-queue-length-rule'
        custom: {
          type: 'azure-servicebus'
          metadata: {
            messageCount: '10'
            namespace: renderRequestServiceBusNamespace
            queueName: renderRequestServiceBusQueueName
          }
          identity: managedIdentity.id
        }
      }
    ]

Using that rule, I got warnings in the ACA system log: "error parsing azure service bus metadata: no connection setting given" so I tried adding the secretRef back and just removing the access key from the Service Bus connection information. It still didn't scale, though, so I may not be approaching it right.

@alexpkent
Copy link

alexpkent commented Aug 8, 2024

This worked for service bus for me, the only difference I can see if the messageCount property

"scale": {
                    "minExecutions": 0,
                    "maxExecutions": 10,
                    "pollingInterval": 30,
                    "rules": [
                        {
                            "name": "myqueuerule",
                            "type": "azure-servicebus",
                            "metadata": {
                                "messageCount": "1",
                                "namespace": "myservicebusnamespace",
                                "queueName": "myqueue"
                            }
                        }
                    ]
                }

@onionhammer
Copy link

When will this be released beyond the '-preview' tag?

@mjrousos
Copy link
Member

mjrousos commented Aug 9, 2024

This worked for service bus for me, the only difference I can see if the messageCount property

@alexpkent, did it work for you when using managed identity to authenticate with the service bus? I don't see an 'identity' property in your rule definiton.

@alexpkent
Copy link

This worked for service bus for me, the only difference I can see if the messageCount property

@alexpkent, did it work for you when using managed identity to authenticate with the service bus? I don't see an 'identity' property in your rule definiton.

Yes I am using a user assigned managed identity with 'Azure Service Bus Data Owner' on the service bus, I just didn't include that in the sample above. This identity is then assigned to the ACA Job itself not the ACA Environment.

@rckvwijk
Copy link

@haflidif I got this working today after a bit of trial and error as I couldn't see how to do it from the docs.

Don't use organizationURLFromEnv in the metadata as you might expect. Keep using the auth element to specify the org, just remove the PAT from it.

See this bicep:

rules: [
  {
    name: 'azure-pipelines'
    type: 'azure-pipelines'
    metadata: {
      poolName: azureDevopsAgentPool
    }
    auth: [
      {
        secretRef: 'azure-devops-organization-url'
        triggerParameter: 'organizationURL'
      }
    ]
    identity: userManagedIdentity.id
  }
]

Set the org URL in your job secrets as well (just as a direct value, no key vault needed) and you're good to go.

I've now completely eliminated PATs in my self hosted agents on Container App Jobs, it's great.

Is it possible that you share your bicep code? I'm trying to get it up and running but it's not really working, at least not reliably, for me. It can scale up but then it keeps the agent in Idle status instead of scaling down again. I'm not sure what the actual problem is tho.

@Choi-jk
Copy link

Choi-jk commented Aug 20, 2024

    scalingRules: [
      {
        name: 'topic-based-scaling'
        custom: {
          type: 'azure-servicebus'
          metadata: {
            topicName: serviceBusTopicName
            subscriptionName: serviceBusSubscriptionName
            namespace: serviceBusName
            messageCount: '2'
            activationMessageCount: '1'
          }
          // auth: [
          //   {
          //     secretRef: 'sb-connectionstring'
          //     triggerParameter: 'connection'
          //   }
          // ]
          identity: managedIdentityResourceId
        }
      }
    ]

I'm having issue using managed identity for scaling ACA.

what I'm experiencing

  1. Scaling container app's replica based on azure service bus doesn't works when using managed identity
  2. Warning states "Msg":"error parsing azure service bus metadata: no connection setting given","Reason":"KEDAScalerFailed"

what I've confirmed

  1. ACA api version set to 2024-02-02-preview
  2. managed identity has proper rbac for Azure service bus [Azure Service Bus Data Owner]
  3. ACA also has same managed identity assigned (not sure this is related but)
  4. authentication using "connection string" works with no problem (Just commenting out "identity" and give "auth" enables scaling)

If anyone have clues to this problem, please feel free to give advice.

@davidstarkcab
Copy link

What is the status of this? Is there an ETA for Generally Available?

@curib curib assigned jcjiang and unassigned SophCarp Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Networking Related to ACA networking roadmap This feature is on the roadmap Scale related to scaling behavior
Projects
Status: Public Preview (Shipped and Improving)
Development

No branches or pull requests