feat: Provide support for specifying identity to use for Azure managed identity auth #2741
Conversation
stephaneey
force-pushed
the
stephaneey/podidentity
branch
from
09e3b24
to
15d5205
Compare
tomkerkhove
changed the title
|
Would you mind sending a PR for our docs please? |
No problem. I was waiting for this PR to move on :) |
There was a problem hiding this comment.
First, thanks a ton for this huge effort, not only the code, also the research that you have done.
❤️ ❤️ ❤️
From technological pov I can't say anything because I'm not an expert in Azure Identities, the idea that you proposed in the issue IMO is achieved.
From code and KEDA pov, I left some comments inline and in general I prefer to avoid using magic strings if there is a constant for it.
Things like kedav1alpha1.AuthPodIdentity{Provider: "azure"}} could be kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderAzure}}.
It's more verbose, but we avoid magic strings and give us the option to change it in the future if it's needed
|
Let us know if you need any other feedback @stephaneey! |
Signed-off-by: Stephane Eyskens <[email protected]>
stephaneey
force-pushed
the
stephaneey/podidentity
branch
from
f29b10d
to
53f17e0
Compare
Signed-off-by: Stephane Eyskens <[email protected]>
|
@tomkerkhove I applied all the changes on my own branch. Should I make a new PR? |
|
Nope, you can just push them here indeed, thanks! Would you mind rebasing/merging latest from main to fix the conflicts please? |
Hey @tomkerkhove Sorry to bother but I'm not sure what I'm supposed to do here. I applied all the changes to this branch on my own repo: https://github.com/stephaneey/keda/tree/stephaneey/podidentity Thanks |
|
No need to create a new PR or we will lose the context from this one. What you should do is:
This should help you : https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/merging-an-upstream-repository-into-your-fork |
|
It's alwasy better to do |
Signed-off-by: Stephane Eyskens <[email protected]>
Signed-off-by: Stephane Eyskens <[email protected]>
|
Thanks for your review. I resolved the conflicts and the PR is being validated. Best regards |
|
Thanks a ton! |
Signed-off-by: Stephane Eyskens <[email protected]>
|
/run-e2e azure* |
Signed-off-by: Stephane Eyskens <[email protected]>
Where should it be documented? I don't see a "general" category in the docs. Can you elaborate on what is expected to avoid back & forth conversations? I already "documented" the changes in the initial issue #2656. I have forked the docs repo.. Thanks |
|
All docs live in kedacore/keda-docs (see PR description) where we need to document this new feature in how people can configure to use a different identity (not perse how it works under the covers) |
|
Feel free to have a look at our contribution guide. |
That's exactly what I did (as mentioned I already cloned the doc repo & created my own branch) and why I come back to ask what is expected. The contribution guide just says that you must open a PR for the doc...On Keda Docs, there are only instructions for:
So my question is: where should I document my changes, given none of the above category corresponds. The closest one could be a blog post. Do you confirm? Thanks |
|
No, we already have a documentation page for trigger authentication where you can just extend the pod Identity option for Azure. https://keda.sh/docs/latest/concepts/authentication/ Just make sure this is only in v2.7. Every documentation page also has a "suggest a change" button that takes you to the exact file. |
|
The reason why it's not in that section is because there is no dedicated page per auth provider. But I'll update the guidance to look for the suggest a change button as well if need be. |
|
Ok thanks, I'll have a look at it |
CHANGELOG.md
Outdated
| @@ -39,7 +39,7 @@ | |||
| - **General**: Support for `ValueMetricType` in `ScaledObject` for all scalers except CPU/Memory ([#2030](https://github.com/kedacore/keda/issues/2030)) | |||
|
|
|||
| ### Improvements | |||
|
|
|||
| - **TriggerAuthentication:** Provide support for specifying identity to use for Azure managed identity auth ([#2656](https://github.com/kedacore/keda/issues/2656)) | |||
There was a problem hiding this comment.
Please, rename this to General,
- General: Provide support for specifying identity to use for Azure managed identity auth (#2656)
| @@ -149,7 +149,7 @@ func parseAzureEventHubMetadata(config *ScalerConfig) (*eventHubMetadata, error) | |||
| } | |||
| meta.eventHubInfo.ActiveDirectoryEndpoint = activeDirectoryEndpoint | |||
|
|
|||
| if config.PodIdentity == "" || config.PodIdentity == v1alpha1.PodIdentityProviderNone { | |||
| if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) { | |||
There was a problem hiding this comment.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone)
| @@ -214,7 +214,7 @@ func (checkpointer *defaultCheckpointer) extractCheckpoint(get *azblob.DownloadR | |||
| } | |||
|
|
|||
| func getCheckpoint(ctx context.Context, httpClient util.HTTPDoer, info EventHubInfo, checkpointer checkpointer) (Checkpoint, error) { | |||
| blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.PodIdentityProviderNone, info.StorageConnection, "", "") | |||
| blobCreds, storageEndpoint, err := ParseAzureStorageBlobConnection(ctx, httpClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, info.StorageConnection, "", "") | |||
There was a problem hiding this comment.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone)
| @@ -339,7 +340,7 @@ func TestShouldParseCheckpointForGoSdk(t *testing.T) { | |||
| func createNewCheckpointInStorage(urlPath string, containerName string, partitionID string, checkpoint string, metadata map[string]string) (context.Context, error) { | |||
| ctx := context.Background() | |||
|
|
|||
| credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, "none", StorageConnectionString, "", "") | |||
| credential, endpoint, _ := ParseAzureStorageBlobConnection(ctx, http.DefaultClient, kedav1alpha1.AuthPodIdentity{Provider: "none"}, StorageConnectionString, "", "") | |||
There was a problem hiding this comment.
Replace this magic string (kedav1alpha1.PodIdentityProviderNone)
| @@ -216,7 +216,7 @@ func TestAzureAppInsightsGetMetricSpecForScaling(t *testing.T) { | |||
| } | |||
| mockAzureAppInsightsScaler := azureAppInsightsScaler{ | |||
| metadata: meta, | |||
| podIdentity: kedav1alpha1.PodIdentityProviderAzure, | |||
| podIdentity: kedav1alpha1.AuthPodIdentity{Provider: "azure"}, | |||
| @@ -165,8 +165,8 @@ func parseAzureLogAnalyticsMetadata(config *ScalerConfig) (*azureLogAnalyticsMet | |||
| meta.clientSecret = clientSecret | |||
|
|
|||
| meta.podIdentity = "" | |||
| case kedav1alpha1.PodIdentityProviderAzure: | |||
| meta.podIdentity = string(config.PodIdentity) | |||
| case kedav1alpha1.AuthPodIdentity{Provider: "azure"}: | |||
| @@ -176,7 +176,7 @@ func parseAzureMonitorMetadata(config *ScalerConfig) (*azureMonitorMetadata, err | |||
|
|
|||
| // parseAzurePodIdentityParams gets the activeDirectory clientID and password | |||
| func parseAzurePodIdentityParams(config *ScalerConfig) (clientID string, clientPassword string, err error) { | |||
| if config.PodIdentity == "" || config.PodIdentity == kedav1alpha1.PodIdentityProviderNone { | |||
| if (config.PodIdentity == kedav1alpha1.AuthPodIdentity{}) || (config.PodIdentity == kedav1alpha1.AuthPodIdentity{Provider: "none"}) { | |||
| if val == "true" { | ||
| config.PodIdentity = kedav1alpha1.PodIdentityProviderAzure | ||
| config.PodIdentity = kedav1alpha1.AuthPodIdentity{Provider: "azure"} |
| @@ -241,7 +241,7 @@ func TestResolveAuthRef(t *testing.T) { | |||
| }, | |||
| soar: &kedav1alpha1.ScaledObjectAuthRef{Name: triggerAuthenticationName}, | |||
| expected: map[string]string{"host": secretData}, | |||
| expectedPodIdentity: kedav1alpha1.PodIdentityProviderNone, | |||
| expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: "none"}, | |||
| authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] | ||
| } | ||
| return authParams, podIdentity, nil | ||
| } | ||
|
|
||
| authParams, _ := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace) | ||
| return authParams, kedav1alpha1.PodIdentityProviderNone, nil | ||
| return authParams, kedav1alpha1.AuthPodIdentity{Provider: "none"}, nil |
|
Feel free to let us know if you need any help @stephaneey |
|
Bump @stephaneey, anything we can help you with? Do note that our workload identity support is close as well - #2907 |
Hi Tom, Indeed, sorry for the late reply. I guess we'd better discard the PR with the arrival of workload identities and the low value added to the product. Best Regards |
|
Oh I don't think this is low value add as it allows for identity segregation but maybe you don't have time to work on it anymore? |
Well, indeed, it's a bit tricky these days and I spent more time in fixing conflicts than writing the actual code. The review process takes time (it's normal and even a very good practice to ensure high quality), but this leads to new conflicts each time I adjust the changes to the remarks, so it's a never ending story and I don't have much time to allocate (my bad). I don't know if someone can take this over, else, it was a nice attempt :) |
|
No problem at all - I will merge this in to Thanks for the initial start.
We are always happy to hear feedback on how we can improve though |
This PR aims at improving the way pod managed identities are used with Azure Services and Azure Storage in particular. Workloads can specify the identity to be used by the operator when peeking the Azure service
Checklist
Relates to #2656.