Add GCP identity authentication when using Pubsub Scaler #2225
…ne identity Signed-off-by: Jose Maria Alvarez <[email protected]>
Signed-off-by: Jose Maria Alvarez <[email protected]>
f0f9fb3 to 3f2f52f
Looking good! Please update Changelog and modify docs for 2.5. Thanks!
Signed-off-by: Jose Maria Alvarez <[email protected]>
@zroubalik please check if everything is fine. Thank you!
LGTM, thanks for the contribution @jmalvarezf-lmes!
You are welcome!
Nice, thanks!
Did I understand correctly how to use it (see docs I attempted to create)?
@hermanbanken yes, that is the idea. We have it running like this in our environment. We do not use workload identity, but the functionality is exactly the same.
I completely missed kedacore/keda-docs#565... 😅
@hermanbanken lol 😄 but would be nice if you can add your improvements
Hi,
This tries to partially fix this issue: #2048. Basically, the fix consists of using the GCP identity framework so that when you make a request to Stackdriver to get the number of undelivered messages, you use the service account associated with the machine (GCE), instead of using a service account in a secret. That allows you to use this very useful scaler without creating a service account and a secret, and you can use a Cluster Trigger Authentication widely to use the underlying service account. I couldn't create tests, as this relies on being executed on GCP. But I've tested it in our environment and it works.
Hope it is useful for you.
I will wait for you to check this, and if it is useful, and you agree, I will change the docs to adapt to this new method.
Regards,
Jose Maria.
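
The configuration change this description implies, as an added example that is not part of the PR or of the KEDA documentation: secret-based authentication for the `gcp-pubsub` scaler next to the identity-based form. All resource names, the namespace, the secret key and the subscription name are constructed placeholders.

```yaml
# Before: a service account key (JSON) stored in a Kubernetes Secret.
# Constructed names: gcp-pubsub-secret-auth, my-app, pubsub-secret.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: gcp-pubsub-secret-auth
  namespace: my-app
spec:
  secretTargetRef:
    - parameter: GoogleApplicationCredentials
      name: pubsub-secret
      key: GOOGLE_APPLICATION_CREDENTIALS_JSON
---
# After: no key material in the cluster. KEDA queries Stackdriver with the
# GCP identity it already runs under (the service account of the machine).
# Cluster-scoped, so ScaledObjects in any namespace can reference it.
apiVersion: keda.sh/v1alpha1
kind: ClusterTriggerAuthentication
metadata:
  name: gcp-identity-auth          # constructed name
spec:
  podIdentity:
    provider: gcp
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: pubsub-consumer            # constructed name
  namespace: my-app
spec:
  scaleTargetRef:
    name: pubsub-consumer          # Deployment to scale (constructed)
  triggers:
    - type: gcp-pubsub
      authenticationRef:
        name: gcp-identity-auth
        kind: ClusterTriggerAuthentication
      metadata:
        subscriptionName: my-subscription   # constructed
        subscriptionSize: "5"
```

With the identity-based form, every ScaledObject that references the ClusterTriggerAuthentication shares the same underlying service account, so that account's read access to monitoring metrics is the permission boundary to review.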