Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide support for Azure Key Vault in TriggerAuthentication. #2727

Merged
merged 10 commits into from
Mar 16, 2022

Conversation

v-shenoy
Copy link
Contributor

@v-shenoy v-shenoy commented Mar 9, 2022

Authentication via Azure Key Vault is now supported.
Sample for the new TriggerAuthenticationSpec -

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: <secret-name>
            key: <key-within-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Edit 1 - Updated spec and checklist.
Edit 2- Raised documentation PR.
Edit 3 - Update checklist with tests added.

Checklist

  • Commits are signed with Developer Certificate of Origin (DCO - learn more)
  • Tests have been added
  • A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
  • A PR is opened to update the documentation on (repo) (if applicable)
  • Changelog has been updated and is aligned with our changelog requirements

Fixes #900

@v-shenoy v-shenoy requested a review from a team as a code owner March 9, 2022 11:37
@v-shenoy v-shenoy marked this pull request as draft March 9, 2022 11:38
@tomkerkhove
Copy link
Member

Can we also support managed identity or not?

@tomkerkhove
Copy link
Member

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        kubeSecret: <kubernetes-secret-containing-azureAD-secret>
        key: <key-within-the-kubernetes-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Some quick feedback on azureKeyVault.credentials.clientSecret. Can we align with the existing secret ref approach in Kubernetes?

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

Can we also support managed identity or not?

I am not really sure how to go about this. Need some guidance.

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        kubeSecret: <kubernetes-secret-containing-azureAD-secret>
        key: <key-within-the-kubernetes-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Some quick feedback on azureKeyVault.credentials.clientSecret. Can we align with the existing secret ref approach in Kubernetes?

Which secret ref approach are you referring to?

@tomkerkhove
Copy link
Member

The native Kubernetes approach - https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables:

valueFrom:
  secretKeyRef:
    name: mysecret
    key: username

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

The native Kubernetes approach - https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables:

valueFrom:
  secretKeyRef:
    name: mysecret
    key: username

So, when you say align with it, you mean just renaming the object to use valueFrom, secretKeyRef instead of clientSecret? Because (and this might be a gap in my knowledge), I am not aware of a way where you can directly just reference secrets from a CRD.

@tomkerkhove
Copy link
Member

I would go with this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

I would go with this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

I'll make the changes.

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

Also, could you point me to where all do I need to make changes for the helm charts (besides the YAMLs for the CRDs)? I am not too familiar with those.

@tomkerkhove
Copy link
Member

Since this is our data plane I don't think we need any

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 9, 2022

@tomkerkhove
Copy link
Member

CRDs is a different story but I'll need @zroubalik for this.

@tomkerkhove
Copy link
Member

Also, would you mind opening a documentation PR for this nice addition please?

@v-shenoy
Copy link
Contributor Author

Also, would you mind opening a documentation PR for this nice addition please?

Yeah, I am in the middle of doing it.

@v-shenoy
Copy link
Contributor Author

As the helm charts need to be updated due to the CRD changes, what version, appVersion do I use here?

@tomkerkhove
Copy link
Member

As the helm charts need to be updated due to the CRD changes, what version, appVersion do I use here?

It's very kind but you don't have to do anything, CRD updates are part of our release process: https://github.com/kedacore/keda/blob/main/RELEASE-PROCESS.MD#6-prepare-our-helm-chart

@v-shenoy
Copy link
Contributor Author

Raised a PR for the documentation - kedacore/keda-docs#704

@v-shenoy v-shenoy marked this pull request as ready for review March 10, 2022 10:01
@JorTurFer
Copy link
Member

I'm not an expert in Azure Key Vault, but the code looks good.
Could you add an e2e test that uses the Key Vault?
Can we provide it @tomkerkhove?

@tomkerkhove
Copy link
Member

Certainly, we can store a Service Bus connection string in the vault to ensure it can authenticate to it. That way, we can re-use existing SB tests - What do you think?

@JorTurFer
Copy link
Member

JorTurFer commented Mar 11, 2022

I'd do another test only for checking this. AFAIR, if the connection string fails, KEDA doesn't create the HPA, we could store one connection string on KeyVault and try to use it. Or maybe doing the query manually just for checking that response is not an error.

But I'd go with another test

@tomkerkhove
Copy link
Member

Let's do this:

  • add unit tests in this PR
  • add e2e tests for key vault in this PR
  • add e2e test using key vault with Azure storage scaler
  • I will open issue for service bus e2e tests as follow-up by somebody having time

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 12, 2022

I don't think it makes sense to have unit test considering the AzureKeyVaultHandler is only initialized and just fetches secrets. Have added the e2e test using queue trigger. Please take a look. @tomkerkhove @JorTurFer @zroubalik

@tomkerkhove
Copy link
Member

I don't think it makes sense to have unit test considering the AzureKeyVaultHandler is only initialized and just fetches secrets.

I don't think this can hurt, no?

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 14, 2022

The struct exposes only two methods, Initialize, Read. Not really sure how to test those without providing actual uri, creds and try to fetch a secret. But that would not be a unit test.

@tomkerkhove
Copy link
Member

Fine by me if it's fine for the others

Signed-off-by: Vighnesh Shenoy <[email protected]>
Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, just some minor nits

tests/.env Outdated Show resolved Hide resolved
pkg/scaling/resolver/azure_keyvault_handler.go Outdated Show resolved Hide resolved
CHANGELOG.md Outdated Show resolved Hide resolved
Signed-off-by: Vighnesh Shenoy <[email protected]>
Signed-off-by: Vighnesh Shenoy <[email protected]>
Signed-off-by: Vighnesh Shenoy <[email protected]>
@zroubalik
Copy link
Member

zroubalik commented Mar 16, 2022

/run-e2e azure-keyvault-queue.test.ts
Update: You can check the progres here

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@zroubalik zroubalik merged commit 4e1b63b into kedacore:main Mar 16, 2022
@v-shenoy v-shenoy deleted the azure-key-vault-support branch March 16, 2022 09:56
@SebastianSchuetze
Copy link

Last question for me. Does this support also managed identity as requested or does this come later?

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Mar 16, 2022

Last question for me. Does this support also managed identity as requested or does this come later?

@SebastianSchuetze It doesn't currently, it will have to be taken up later.

RamCohen pushed a commit to RamCohen/keda that referenced this pull request Mar 23, 2022
@mingue
Copy link

mingue commented Apr 26, 2022

Looking into using this once released, but will this also be supported for ClusterTriggerAuthentication? The updated documentation doesn't make any exception to exclude this feature. If so where will it get the credentials for the clientSecret:

clientSecret:
  valueFrom:
    secretKeyRef: # Where is this secret coming from in a ClusterTriggerAuthentication?
      name: <secret-name>
      key: <key-within-secret>

@tomkerkhove
Copy link
Member

That's something we should improve in our docs indeed, @v-shenoy I presume this would be from a secret in the same namespace as the ClusterTriggerAuthentication itself, right?

@v-shenoy
Copy link
Contributor Author

v-shenoy commented Apr 27, 2022

Yes, it would be. Do we add this to the documentation, or should we have cluster trigger authentication be able to fetch secrets from other namespaces as well by specifying a namespace key in the object? (Only for Cluster, not normal trigger auth)

@tomkerkhove
Copy link
Member

No, I think the current approach is perfect but let's improve the docs a bit.

@v-shenoy
Copy link
Contributor Author

Last question for me. Does this support also managed identity as requested or does this come later?

While this thread is active, @SebastianSchuetze Pod Identity support is being added to key vault, along with workload identity.

@v-shenoy
Copy link
Contributor Author

Added clarification - kedacore/keda-docs#753

@tomkerkhove
Copy link
Member

Merged, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Provide Azure Key Vault support in TriggerAuthentication
6 participants