Fix pod identity ignored when scaled target is CRD (#5351)
* Fix CRD PodIdentity not considered

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>

* Update CHANGELOG

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>

* Add expectedPodIdentity to ResolveAuthRef tests

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>

---------

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Co-authored-by: Juldrixx <juldrixx@gmail.com>
Co-authored-by: Sam Maxwell <sam@groundtruthlabs.com>
3 people committed Jan 5, 2024
1 parent 35b96df commit 3118fbc
Showing 3 changed files with 62 additions and 19 deletions.
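--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -84,6 +84,7 @@ Here is an overview of all new **experimental** features:
 - **General**: Admission webhook does not reject workloads with only resource limits provided ([#4802](https://github.com/kedacore/keda/issues/4802))
 - **General**: Fix CVE-2023-39325 in golang.org/x/net ([#5122](https://github.com/kedacore/keda/issues/5122))
 - **General**: Fix otelgrpc DoS vulnerability ([#5208](https://github.com/kedacore/keda/issues/5208))
+- **General**: Fix PodIdentity not considered when scaled target is a CRD ([#5021](https://github.com/kedacore/keda/issues/5021))
 - **General**: Prevented memory leak generated by not correctly cleaning http connections ([#5248](https://github.com/kedacore/keda/issues/5248))
 - **General**: Prevented stuck status due to timeouts during scalers generation ([#5083](https://github.com/kedacore/keda/issues/5083))
 - **General**: ScaledObject Validating Webhook should support dry-run=server requests ([#5306](https://github.com/kedacore/keda/issues/5306))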
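--- a/pkg/scaling/resolver/scale_resolvers.go
+++ b/pkg/scaling/resolver/scale_resolvers.go
@@ -214,8 +214,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log
 return authParams, podIdentity, nil
 }
 
-authParams, _, err := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
-return authParams, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, err
+return resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
 }
 
 // resolveAuthRef provides authentication parameters needed authenticate scaler with the environment.
@@ -224,7 +223,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
 triggerAuthRef *kedav1alpha1.AuthenticationRef, podSpec *corev1.PodSpec,
 namespace string, secretsLister corev1listers.SecretLister) (map[string]string, kedav1alpha1.AuthPodIdentity, error) {
 result := make(map[string]string)
-var podIdentity kedav1alpha1.AuthPodIdentity
+podIdentity := kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}
 var err error
 
 if namespace != "" && triggerAuthRef != nil && triggerAuthRef.Name != "" {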
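Review bot: The new `return resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)` in the first hunk changes what callers get for a non-Pod (CRD) scale target — the TriggerAuthentication's podIdentity is now surfaced instead of being forced to PodIdentityProviderNone — but nothing at the call site records that the `nil` podSpec means no pod-level validation of that identity happens on this path. A short comment above the return would make the contract explicit, e.g. `// Non-Pod targets have no podSpec; the pod identity declared on the TriggerAuthentication is returned as-is.` The enclosing ResolveAuthRefAndPodIdentity starts outside the hunk, so its doc comment, if it still describes the old ProviderNone behaviour for CRD targets, presumably needs the same update. The context comment on resolveAuthRef is also missing a word (`needed authenticate` → `needed to authenticate`), worth fixing while this doc is touched.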
75 changes: 59 additions & 16 deletions pkg/scaling/resolver/scale_resolvers_test.go
Expand Up @@ -258,18 +258,21 @@ func TestResolveAuthRef(t *testing.T) {
comment string
}{
{
name: "foo",
expected: make(map[string]string),
name: "foo",
expected: make(map[string]string),
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "no triggerauth exists",
soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
expected: make(map[string]string),
name: "no triggerauth exists",
soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
expected: make(map[string]string),
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "no triggerauth exists",
soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
expected: make(map[string]string),
name: "no triggerauth exists",
soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
expected: make(map[string]string),
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "triggerauth exists, podidentity nil",
Expand All @@ -290,8 +293,9 @@ func TestResolveAuthRef(t *testing.T) {
},
},
},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
expected: map[string]string{"host": ""},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
expected: map[string]string{"host": ""},
},
{
name: "triggerauth exists and secret",
Expand Down Expand Up @@ -358,10 +362,11 @@ func TestResolveAuthRef(t *testing.T) {
},
},
},
isError: true,
comment: "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
expected: map[string]string{},
isError: true,
comment: "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
expected: map[string]string{},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "triggerauth exists and config map",
Expand Down Expand Up @@ -461,8 +466,9 @@ func TestResolveAuthRef(t *testing.T) {
},
},
},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
expected: map[string]string{"host": ""},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
expected: map[string]string{"host": ""},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "clustertriggerauth exists and secret",
Expand Down Expand Up @@ -565,6 +571,43 @@ func TestResolveAuthRef(t *testing.T) {
expected: map[string]string{"host": ""},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
},
{
name: "clustertriggerauth exists and contains podIdentity configuration but no podSpec (target is a CRD)",
existing: []runtime.Object{
&kedav1alpha1.ClusterTriggerAuthentication{
ObjectMeta: metav1.ObjectMeta{
Name: triggerAuthenticationName,
},
Spec: kedav1alpha1.TriggerAuthenticationSpec{
PodIdentity: &kedav1alpha1.AuthPodIdentity{
Provider: kedav1alpha1.PodIdentityProviderGCP,
},
},
},
},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
expected: map[string]string{},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
},
{
name: "clustertriggerauth exists and contains podIdentity configuration as well as dummy podSpec",
existing: []runtime.Object{
&kedav1alpha1.ClusterTriggerAuthentication{
ObjectMeta: metav1.ObjectMeta{
Name: triggerAuthenticationName,
},
Spec: kedav1alpha1.TriggerAuthenticationSpec{
PodIdentity: &kedav1alpha1.AuthPodIdentity{
Provider: kedav1alpha1.PodIdentityProviderGCP,
},
},
},
},
soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
podSpec: &corev1.PodSpec{},
expected: map[string]string{},
expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
},
}
var secretsLister corev1listers.SecretLister
for _, test := range tests {
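Review bot: The two new cases in the last hunk both exercise a ClusterTriggerAuthentication with a GCP podIdentity, but the code path this commit fixes is reached for namespaced TriggerAuthentication too, and no case covers a TriggerAuthentication carrying a podIdentity with a nil podSpec, so a regression there would not be caught. Consider adding a sibling case that differs only in the fixture kind and the `soar` value, e.g. `soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},` with the object under `existing` declared as `&kedav1alpha1.TriggerAuthentication{...}`. Separately, the reformatted cases at "no triggerauth exists" appear twice with identical contents; as these are carried forward verbatim, the duplicate name makes a failure message ambiguous, and one of them could presumably be dropped or renamed. The test loop that consumes these cases continues outside the hunk.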
