Support PodIdentity Provider config in azure pipeline trigger
Signed-off-by: anton.lysina <alysina@gmail.com>
toniiiik committed Aug 8, 2023
1 parent ee81112 commit 65b9215
Showing 2 changed files with 42 additions and 10 deletions.
9 changes: 7 additions & 2 deletions CHANGELOG.md
Expand Up @@ -47,9 +47,14 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio

## Unreleased

- Azure Devops pipeline workload identity/SPN support

- TODO: tests
- TODO: documentation

### New

- TODO ([#XXX](https://github.com/kedacore/keda/issue/XXX))
- TODO ([#4853](https://github.com/kedacore/keda/issues/4853))

### Improvements

Expand All @@ -58,7 +63,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio

### Fixes

- TODO ([#XXX](https://github.com/kedacore/keda/issue/XXX))
- TODO ([#4853](https://github.com/kedacore/keda/issues/4853))

### Deprecations

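--- a/pkg/scalers/azure_pipelines_scaler.go
+++ b/pkg/scalers/azure_pipelines_scaler.go
@@ -14,6 +14,8 @@ import (
 v2 "k8s.io/api/autoscaling/v2"
 "k8s.io/metrics/pkg/apis/external_metrics"
 
+kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
+"github.com/kedacore/keda/v2/pkg/scalers/azure"
 kedautil "github.com/kedacore/keda/v2/pkg/util"
 )
 
@@ -128,6 +130,7 @@ type azurePipelinesMetadata struct {
 organizationURL string
 organizationName string
 personalAccessToken string
+podIdentityProvider kedav1alpha1.PodIdentityProvider
 parent string
 demands string
 poolID int
@@ -160,6 +163,22 @@ func NewAzurePipelinesScaler(ctx context.Context, config *ScalerConfig) (Scaler,
 }, nil
 }
 
+func parseAzureDevOpsAuthMethod(config *ScalerConfig, metadata *azurePipelinesMetadata) error {
+if val, ok := config.AuthParams["personalAccessToken"]; ok && val != "" {
+// Found the personalAccessToken in a parameter from TriggerAuthentication
+metadata.personalAccessToken = config.AuthParams["personalAccessToken"]
+} else if val, ok := config.TriggerMetadata["personalAccessTokenFromEnv"]; ok && val != "" {
+metadata.personalAccessToken = config.ResolvedEnv[config.TriggerMetadata["personalAccessTokenFromEnv"]]
+} else if config.PodIdentity.Provider == kedav1alpha1.PodIdentityProviderAzureWorkload {
+//use workload identity
+metadata.podIdentityProvider = config.PodIdentity.Provider
+} else {
+return fmt.Errorf("no personalAccessToken given or PodIdentity provider configured")
+}
+
+return nil
+}
+
 func parseAzurePipelinesMetadata(ctx context.Context, config *ScalerConfig, httpClient *http.Client) (*azurePipelinesMetadata, error) {
 meta := azurePipelinesMetadata{}
 meta.targetPipelinesQueueLength = defaultTargetPipelinesQueueLength
@@ -198,13 +217,9 @@ func parseAzurePipelinesMetadata(ctx context.Context, config *ScalerConfig, http
 return nil, fmt.Errorf("failed to extract organization name from organizationURL")
 }
 
-if val, ok := config.AuthParams["personalAccessToken"]; ok && val != "" {
-// Found the personalAccessToken in a parameter from TriggerAuthentication
-meta.personalAccessToken = config.AuthParams["personalAccessToken"]
-} else if val, ok := config.TriggerMetadata["personalAccessTokenFromEnv"]; ok && val != "" {
-meta.personalAccessToken = config.ResolvedEnv[config.TriggerMetadata["personalAccessTokenFromEnv"]]
-} else {
-return nil, fmt.Errorf("no personalAccessToken given")
+err := parseAzureDevOpsAuthMethod(config, &meta)
+if err != nil {
+return nil, err
 }
 
 if val, ok := config.TriggerMetadata["parent"]; ok && val != "" {
@@ -311,7 +326,19 @@ func getAzurePipelineRequest(ctx context.Context, url string, metadata *azurePip
 return []byte{}, err
 }
 
-req.SetBasicAuth("", metadata.personalAccessToken)
+switch metadata.podIdentityProvider {
+case "", kedav1alpha1.PodIdentityProviderNone:
+//PAT
+req.SetBasicAuth("", metadata.personalAccessToken)
+case kedav1alpha1.PodIdentityProviderAzureWorkload:
+//ADO Resource token
+resource := "499b84ac-1321-427f-aa17-267ca6975798"
+aadToken, err := azure.GetAzureADWorkloadIdentityToken(ctx, "", resource)
+if err != nil {
+return []byte{}, fmt.Errorf("cannot create workload identity credentials: %s", err.Error())
+}
+req.Header.Set("Authentication", "Bearer "+aadToken.AccessToken)
+}
 
 r, err := httpClient.Do(req)
 if err != nil {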
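Review bot: The bearer token in the new workload-identity case of getAzurePipelineRequest is written to the wrong header — `req.Header.Set("Authentication", "Bearer "+aadToken.AccessToken)` should be `req.Header.Set("Authorization", "Bearer "+aadToken.AccessToken)`, since HTTP credentials travel in `Authorization`; as written the request reaches Azure DevOps with no usable credential and will be rejected (or, if the header is simply ignored, the failure only surfaces as an unexplained 401/403 from the pipelines API). The switch also has no `default`, so any provider value other than the two listed sends the request with no credential at all; `default: return []byte{}, fmt.Errorf("unsupported pod identity provider %q", metadata.podIdentityProvider)` would make that explicit rather than silent. The error returned after `GetAzureADWorkloadIdentityToken` should wrap with `%w` instead of formatting `err.Error()` with `%s`, so callers can inspect the cause, and the hard-coded `resource` string deserves a comment naming what it identifies (the Azure DevOps resource used for the token scope) rather than appearing as a bare GUID. Note that a fresh token is requested on every call with no reuse, which means one token-endpoint round trip per metric poll; the same point applies to the `"Authentication"` header only in this hunk. getAzurePipelineRequest begins and ends outside the hunk.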
