Add new AWS podIdentity #5061
Conversation
To add further confusion, AWS has just released a new alternative to IRSA called Pod Identity 😄 I'm not sure of the relevance it will have, if any, on this PR but it would be worth having a look to see the potential impact of this feature.
/run-e2e aws
/run-e2e aws
/run-e2e aws
Co-authored-by: Sami S <25616506+ThaSami@users.noreply.github.com> Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
/run-e2e
/run-e2e aws
Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
/run-e2e aws
PTAL @zroubalik , @tomkerkhove @blakepettersson @ThaSami
/run-e2e aws
Great job, I have a few comments in general about documentation.
Will do another review once kedacore/keda-docs#1251 (comment) is resolved
…ueKey Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
/run-e2e aws
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
/run-e2e aws
great work!
A few minor nits for your consideration are provided below.
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
/run-e2e aws
LGTM, great work everybody, @blakepettersson @ThaSami @JorTurFer !
* Add new AWS podIdentity
  Co-authored-by: Sami S <25616506+ThaSami@users.noreply.github.com>
  Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
* use new resources
  Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
* fix logs
  Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
* rename scalerIndex to triggerIndex and ScalerUniqueKey to TriggerUniqueKey
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* add missing headers
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* propagate ctx
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* Add documentation comments
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* Add explanation to new files
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* Add semgrep exclusion
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* go mod updates
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* update comment
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* update clientset
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
* apply feedback
  Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Co-authored-by: Sami S <25616506+ThaSami@users.noreply.github.com>
Special KUDOS to @ThaSami, who has developed almost all the WebIdentity and caching code
This PR introduces a new authentication option for AWS, relying 100% on the TriggerAuthentication CRD for getting all the required information instead of mixing TriggerAuthentication and the trigger.metadata section. For this, 2 new fields have been added:

- `roleArn`: Similar to the already existing `clientId`, this new field is used for manually providing the AWS roleArn that KEDA has to use.
- `identityOwner`: This field is used for specifying if you want to use KEDA's roleArn or the workload roleArn (recovered from the workload service account annotations). This field is an enum with 3 valid values: unset, `keda`, `workload` (unset is treated as `keda`).

These fields are mutually exclusive and there is a validation in admission webhooks to check this.

This new authentication allows 3 different working ways:

- `identityOwner: keda`: In this scenario, KEDA's role has the required permission for accessing the resources.
- `identityOwner: workload` or `roleArn: VALUE`: In this scenario, KEDA will use its own role to assume the workload's role via the AssumeRole API. This requires that KEDA's role can assume other roles inside AWS IAM (and it's the assumed role which has the access instead of KEDA's role).
- `identityOwner: workload` or `roleArn: VALUE`: In this scenario, KEDA will request the role via the WebIdentityRole API. This requires an OIDC federation between KEDA's service account and the role that KEDA has to assume (and it's the assumed role which has the access instead of KEDA's role).

Additionally, this PR adds a cache for storing the AWS credentials across all the usages instead of creating a credential instance per scaler. This means that if we are using the same role on several scalers, KEDA will use the same instance/token for all the scalers instead of requesting (and refreshing) a token for each scaler. To know if the AWS config is in use in other scalers, we will use a new unique key introduced at scaler.Config level which is based on resourceType, namespace, resourceName and triggerIndex to be unique across all the resources.

This new caching system has been included only as part of this new authentication and also when using `AWS_ACCESS_KEY` and `AWS_ACCESS_SECRET`.

Checklist
Fixes #4134
Fixes #5178
Fixes #5297
Relates to:
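The two mechanisms the PR description above relies on (the admission-webhook rule that `roleArn` and `identityOwner` are mutually exclusive, and a credential cache shared across scalers and keyed by a per-trigger unique key) can be illustrated with a small stand-alone Go program. This is an added example written for this page, not KEDA's own code: the `AuthSpec`, `TriggerKey`, `Credentials` and `CredentialCache` types, the `fetch` callback and the role ARN used in `main` are all hypothetical, and the real implementation in kedacore/keda is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// AuthSpec holds the two fields the PR adds to the aws podIdentity
// (hypothetical struct for this example, not KEDA's own type).
type AuthSpec struct {
	RoleArn       string
	IdentityOwner string // "", "keda" or "workload"; "" is treated as "keda"
}

// ValidateAuth applies the rule stated in the PR description: identityOwner
// must be unset, keda or workload, and it is mutually exclusive with roleArn.
func ValidateAuth(a AuthSpec) error {
	switch a.IdentityOwner {
	case "", "keda", "workload":
	default:
		return fmt.Errorf("identityOwner %q is not one of unset, keda, workload", a.IdentityOwner)
	}
	if a.RoleArn != "" && a.IdentityOwner != "" {
		return errors.New("roleArn and identityOwner are mutually exclusive")
	}
	return nil
}

// TriggerKey is the per-trigger unique key the PR introduces at scaler.Config
// level (resourceType, namespace, resourceName, triggerIndex), so that one AWS
// config can be shared across scalers and released by the right owner.
type TriggerKey struct {
	ResourceType, Namespace, Name string
	TriggerIndex                  int
}

// Credentials stands in for the AWS credential/token object (constructed for
// this example; a real cache would hold an aws.Config or credential provider).
type Credentials struct {
	RoleArn string
	Token   string
}

type cacheEntry struct {
	creds Credentials
	users map[TriggerKey]struct{} // triggers currently sharing this entry
}

// CredentialCache shares one credential instance per role ARN across all the
// triggers that use it and drops the instance when the last user releases it.
type CredentialCache struct {
	mu      sync.Mutex
	entries map[string]*cacheEntry // keyed by role ARN
}

func NewCredentialCache() *CredentialCache {
	return &CredentialCache{entries: map[string]*cacheEntry{}}
}

// Get returns the cached credentials for roleArn, calling fetch only the first
// time that role is requested, and records key as a user of the entry.
func (c *CredentialCache) Get(key TriggerKey, roleArn string, fetch func(string) Credentials) Credentials {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[roleArn]
	if !ok {
		e = &cacheEntry{creds: fetch(roleArn), users: map[TriggerKey]struct{}{}}
		c.entries[roleArn] = e
	}
	e.users[key] = struct{}{}
	return e.creds
}

// Release removes key as a user of roleArn and evicts the entry once no
// trigger references it, so a deleted ScaledObject does not keep a token
// alive for a role nobody is using any more.
func (c *CredentialCache) Release(key TriggerKey, roleArn string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[roleArn]
	if !ok {
		return
	}
	delete(e.users, key)
	if len(e.users) == 0 {
		delete(c.entries, roleArn)
	}
}

// Len reports how many distinct roles currently have live credentials.
func (c *CredentialCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.entries)
}

func main() {
	fetches := 0
	fetch := func(arn string) Credentials { // stands in for an STS call
		fetches++
		return Credentials{RoleArn: arn, Token: fmt.Sprintf("token-%d", fetches)}
	}
	cache := NewCredentialCache()
	role := "arn:aws:iam::123456789012:role/example-scaler" // constructed ARN
	k1 := TriggerKey{"ScaledObject", "default", "orders", 0}
	k2 := TriggerKey{"ScaledObject", "default", "payments", 0}
	cache.Get(k1, role, fetch)
	cache.Get(k2, role, fetch)
	fmt.Println("fetches after two scalers:", fetches, "err:", ValidateAuth(AuthSpec{RoleArn: role, IdentityOwner: "keda"}))
	cache.Release(k1, role)
	cache.Release(k2, role)
	fmt.Println("roles cached after release:", cache.Len())
}
```

Two scalers that resolve to the same role ARN trigger a single `fetch`, which is the behaviour the PR describes; the `users` set keyed by `TriggerKey` is what lets the cache tell whether another scaler still depends on the entry before evicting it.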