Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refresh expired/rotated AWS credentials without emitting a scaler failure #2578

Closed
JacobHenner opened this issue Jan 28, 2022 · 4 comments
Closed
Labels
feature-request All issues for new features that have not been committed to needs-discussion stale All issues that are marked as stale due to inactivity

Comments

@JacobHenner
Copy link
Contributor

Proposal

In #2573, support for AWS temporary credentials (using session tokens) was introduced.

Assuming Secrets are kept up-to-date with valid session tokens, scalers using temporary credentials will error once after token expiration. The scaler cache for the corresponding ScaledObject will be cleared, the scaler will be rebuilt using the updated temporary credentials, and the scaler will resume operation.

This approach has a potentially undesired side effect - an HPA Scaler Error will be recorded in the metrics each time a temporary credential expires, even if the replacement scaler reloads valid credentials and succeeds immediately following the expiration failure. Since users might be relying on scaler error metrics to indicate unexpected failures, these newly reported failures might be confusing or misleading.

To resolve this (assuming the AWS libraries in use can propagate back credential expiration errors), we could:

  • Create a new type of metric for creds expiration - but I think that'd be similarly confusing (one event at expiration time is expected, > 1 event at expiration time is bad and indicates actual scaler failure).
  • Only report a failure for credential expiration errors if there are >= 2 consecutive failures
    • We might want to consider a similar approach for static credentials too, as they can also be rotated (generally with a much lower frequency).
  • Build an independent credential refresh mechanism - e.g. Watch created HPA and TriggerAuthentication resources #511, TriggerAuthentication Secret is not reloaded when Secret changes #563
  • (something else?)

Use-Case

No response

Anything else?

No response

@JacobHenner JacobHenner added feature-request All issues for new features that have not been committed to needs-discussion labels Jan 28, 2022
@tomkerkhove tomkerkhove moved this to Backlog in Roadmap - KEDA Core Feb 10, 2022
@stale
Copy link

stale bot commented Mar 30, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Mar 30, 2022
@JacobHenner
Copy link
Contributor Author

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

Not stale

@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Mar 30, 2022
@stale
Copy link

stale bot commented May 29, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label May 29, 2022
@stale
Copy link

stale bot commented Jun 5, 2022

This issue has been automatically closed due to inactivity.

@stale stale bot closed this as completed Jun 5, 2022
Repository owner moved this from To Do to Ready To Ship in Roadmap - KEDA Core Jun 5, 2022
@tomkerkhove tomkerkhove moved this from Ready To Ship to Done in Roadmap - KEDA Core Aug 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request All issues for new features that have not been committed to needs-discussion stale All issues that are marked as stale due to inactivity
Projects
Archived in project
Development

No branches or pull requests

1 participant