Add support for cluster-scoped trigger authentication, ClusterTrigger…

…Authentication. (#1452) This allows creating a single authentication for Keda, for scalers where that makes sense. Signed-off-by: Noah Kantrowitz <noah@coderanger.net> Co-authored-by: Zbynek Roubalik <726523+zroubalik@users.noreply.github.com>
kedacore · Jan 6, 2021 · 79a7407 · 79a7407
1 parent 68a479c
commit 79a7407
Show file tree

Hide file tree

Showing 9 changed files with 397 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,7 +19,8 @@
 ### New
 - Can use Pod Identity with Azure Event Hub scaler ([#994](https://github.com/kedacore/keda/issues/994))
 - Introducing InfluxDB scaler ([#1239](https://github.com/kedacore/keda/issues/1239))
-- Add Redis cluster support for Redis list and Redis streams scalers.
+- Add Redis cluster support for Redis list and Redis streams scalers ([#1437](https://github.com/kedacore/keda/pull/1437))
+- Global authentication credentials can be managed using ClusterTriggerAuthentication objects ([#1452](https://github.com/kedacore/keda/pull/1452))
 
 ### Improvements
 - Support add ScaledJob's label to its job ([#1311](https://github.com/kedacore/keda/issues/1311))

diff --git a/api/v1alpha1/scaledobject_types.go b/api/v1alpha1/scaledobject_types.go
@@ -107,10 +107,13 @@ type ScaledObjectList struct {
 	Items           []ScaledObject `json:"items"`
 }
 
-// ScaledObjectAuthRef points to the TriggerAuthentication object that
+// ScaledObjectAuthRef points to the TriggerAuthentication or ClusterTriggerAuthentication object that
 // is used to authenticate the scaler with the environment
 type ScaledObjectAuthRef struct {
 	Name string `json:"name"`
+	// Kind of the resource being referred to. Defaults to TriggerAuthentication.
+	// +optional
+	Kind string `json:"kind,omitempty"`
 }
 
 func init() {

diff --git a/api/v1alpha1/triggerauthentication_types.go b/api/v1alpha1/triggerauthentication_types.go
@@ -6,6 +6,31 @@ import (
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
+// ClusterTriggerAuthentication defines how a trigger can authenticate globally
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:resource:path=clustertriggerauthentications,scope=Cluster,shortName=cta;clustertriggerauth
+// +kubebuilder:printcolumn:name="PodIdentity",type="string",JSONPath=".spec.podIdentity.provider"
+// +kubebuilder:printcolumn:name="Secret",type="string",JSONPath=".spec.secretTargetRef[*].name"
+// +kubebuilder:printcolumn:name="Env",type="string",JSONPath=".spec.env[*].name"
+type ClusterTriggerAuthentication struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec TriggerAuthenticationSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterTriggerAuthenticationList contains a list of ClusterTriggerAuthentication
+type ClusterTriggerAuthenticationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []ClusterTriggerAuthentication `json:"items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 // TriggerAuthentication defines how a trigger can authenticate
 // +genclient
 // +kubebuilder:resource:path=triggerauthentications,scope=Namespaced,shortName=ta;triggerauth
@@ -130,5 +155,6 @@ type VaultSecret struct {
 }
 
 func init() {
+	SchemeBuilder.Register(&ClusterTriggerAuthentication{}, &ClusterTriggerAuthenticationList{})
 	SchemeBuilder.Register(&TriggerAuthentication{}, &TriggerAuthenticationList{})
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
@@ -0,0 +1,153 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: clustertriggerauthentications.keda.sh
+spec:
+  group: keda.sh
+  names:
+    kind: ClusterTriggerAuthentication
+    listKind: ClusterTriggerAuthenticationList
+    plural: clustertriggerauthentications
+    shortNames:
+    - cta
+    - clustertriggerauth
+    singular: clustertriggerauthentication
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.podIdentity.provider
+      name: PodIdentity
+      type: string
+    - jsonPath: .spec.secretTargetRef[*].name
+      name: Secret
+      type: string
+    - jsonPath: .spec.env[*].name
+      name: Env
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterTriggerAuthentication defines how a trigger can authenticate
+          globally
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TriggerAuthenticationSpec defines the various ways to authenticate
+            properties:
+              env:
+                items:
+                  description: AuthEnvironment is used to authenticate using environment
+                    variables in the destination ScaleTarget spec
+                  properties:
+                    containerName:
+                      type: string
+                    name:
+                      type: string
+                    parameter:
+                      type: string
+                  required:
+                  - name
+                  - parameter
+                  type: object
+                type: array
+              hashiCorpVault:
+                description: HashiCorpVault is used to authenticate using Hashicorp
+                  Vault
+                properties:
+                  address:
+                    type: string
+                  authentication:
+                    description: VaultAuthentication contains the list of Hashicorp
+                      Vault authentication methods
+                    type: string
+                  credential:
+                    description: Credential defines the Hashicorp Vault credentials
+                      depending on the authentication method
+                    properties:
+                      serviceAccount:
+                        type: string
+                      token:
+                        type: string
+                    type: object
+                  mount:
+                    type: string
+                  role:
+                    type: string
+                  secrets:
+                    items:
+                      description: VaultSecret defines the mapping between the path
+                        of the secret in Vault to the parameter
+                      properties:
+                        key:
+                          type: string
+                        parameter:
+                          type: string
+                        path:
+                          type: string
+                      required:
+                      - key
+                      - parameter
+                      - path
+                      type: object
+                    type: array
+                required:
+                - address
+                - authentication
+                - secrets
+                type: object
+              podIdentity:
+                description: AuthPodIdentity allows users to select the platform native
+                  identity mechanism
+                properties:
+                  provider:
+                    description: PodIdentityProvider contains the list of providers
+                    type: string
+                required:
+                - provider
+                type: object
+              secretTargetRef:
+                items:
+                  description: AuthSecretTargetRef is used to authenticate using a
+                    reference to a secret
+                  properties:
+                    key:
+                      type: string
+                    name:
+                      type: string
+                    parameter:
+                      type: string
+                  required:
+                  - key
+                  - name
+                  - parameter
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/bases/keda.sh_scaledjobs.yaml b/config/crd/bases/keda.sh_scaledjobs.yaml
@@ -6363,8 +6363,13 @@ spec:
                   properties:
                     authenticationRef:
                       description: ScaledObjectAuthRef points to the TriggerAuthentication
-                        object that is used to authenticate the scaler with the environment
+                        or ClusterTriggerAuthentication object that is used to authenticate
+                        the scaler with the environment
                       properties:
+                        kind:
+                          description: Kind of the resource being referred to. Defaults
+                            to TriggerAuthentication.
+                          type: string
                         name:
                           type: string
                       required:

diff --git a/config/crd/bases/keda.sh_scaledobjects.yaml b/config/crd/bases/keda.sh_scaledobjects.yaml
@@ -224,8 +224,13 @@ spec:
                   properties:
                     authenticationRef:
                       description: ScaledObjectAuthRef points to the TriggerAuthentication
-                        object that is used to authenticate the scaler with the environment
+                        or ClusterTriggerAuthentication object that is used to authenticate
+                        the scaler with the environment
                       properties:
+                        kind:
+                          description: Kind of the resource being referred to. Defaults
+                            to TriggerAuthentication.
+                          type: string
                         name:
                           type: string
                       required: