Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GCP PubSub Trigger with Workload Identity not working #5011

Closed
Tracked by #5275
juldrixx opened this issue Sep 27, 2023 · 4 comments · Fixed by #5351
Closed
Tracked by #5275

GCP PubSub Trigger with Workload Identity not working #5011

juldrixx opened this issue Sep 27, 2023 · 4 comments · Fixed by #5351
Labels
bug Something isn't working

Comments

@juldrixx
Copy link
Contributor

Report

I followed the example to scale on PubSub metrics using Workload Identity as authentication method following theses pages:

I have this 2 resources:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: keda
  namespace: instances
spec:
  podIdentity:
    provider: gcp
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: nifikop
  namespace: instances
spec:
  scaleTargetRef:
    apiVersion: nifi.konpyutaika.com/v1alpha1
    kind: NifiNodeGroupAutoscale
    name: nifinodegroupautoscaler-sample
    envSourceContainerName: nifi
  pollingInterval: 30
  cooldownPeriod: 300
  minReplicaCount: 1
  maxReplicaCount: 2
  triggers:toMonitor",counter_name=~"squidflow-mapping-enrichment2\\.streaming\\.input\\.flowfiles.items"})
    - type: gcp-pubsub
      authenticationRef:
        name: keda
      metadata:
        subscriptionName: "keda"
        mode: "SubscriptionSize"
        value: "5"

And the Service Account, keda-operator, has the annotation: iam.gke.io/gcp-service-account.
I tested that the Workload Identity was working on the Service Account.

Expected Behavior

The ScaledObject should be active.

Actual Behavior

The ScaledObject is inactive and logging: error parsing PubSub metadata: google application credentials not found.

Steps to Reproduce the Problem

Follow the example: https://keda.sh/docs/2.11/scalers/gcp-pub-sub/#example-using-triggerauthentication-with-gcp-identity

Logs from KEDA operator

"level":"error","ts":"2023-09-27T16:16:23+02:00","msg":"failed to ensure HPA is correctly created for ScaledObject","controller":"scaledobject","controllerGroup":"keda.sh","controllerKind":"ScaledObject","ScaledObject":{"name":"nifikop","namespace":"instances"},"namespace":"instances","name":"nifikop","reconcileID":"ee8134bf-092f-4548-acf5-6e1ddfa4e484","error":"error parsing PubSub metadata: google application credentials not found","stacktrace":"github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).Reconcile\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/controllers/keda/scaledobject_controller.go:179\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-09-27T16:16:23+02:00","msg":"Reconciler error","controller":"scaledobject","controllerGroup":"keda.sh","controllerKind":"ScaledObject","ScaledObject":{"name":"nifikop","namespace":"instances"},"namespace":"instances","name":"nifikop","reconcileID":"ee8134bf-092f-4548-acf5-6e1ddfa4e484","error":"error parsing PubSub metadata: google application credentials not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/juguitton/Documents/sandbox/k8s_resources/keda/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}

KEDA Version

2.11.2

Kubernetes Version

1.27

Platform

Google Cloud

Scaler Details

GCP PubSub

Anything else?

For me the issue is here .
Because it should retrieve the providerIdentity but it's not returned (and the authParams is empty).

Therefore the config.PodIdentity here is set to none.
And then when we get the credentials, we get nothing here and we make the scaler erroring here.

Either the documentation is wrong, or there's something missing in the code (or I'm missing something).
@juldrixx juldrixx added the bug Something isn't working label Sep 27, 2023
@juldrixx juldrixx changed the title GCP Trigger with Workload Identity not working GCP PubSub Trigger with Workload Identity not working Sep 27, 2023
@juldrixx
Copy link
Contributor Author

juldrixx commented Sep 27, 2023
edited
Loading

For me these lines should be changed from

	authParams, _ := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
	return authParams, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, nil
}

...
func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logger,
...
	result := make(map[string]string)
	var podIdentity kedav1alpha1.AuthPodIdentity

to

	authParams, podIdentity  := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
	return authParams, podIdentity, nil
}

...
func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logger,
...
	result := make(map[string]string)
	var podIdentity kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}

@JorTurFer
Copy link
Member

JorTurFer commented Sep 28, 2023
edited
Loading

Hello,
I'm reviewing the code and I think that you are right. On cases where the workload is a CRD (where podSpec isn't available), Pod identity is ignored and that's not correct. Are you willing to open a PR with the fix? (and maybe adding any test to prevent this in the future as current e2e test isn't covering that scenario)

@juldrixx juldrixx mentioned this issue Sep 28, 2023
Closed
7 tasks
@juldrixx
Copy link
Contributor Author

I made the PR, but I did not touch the unit test because I'm not too sure on how to do it.

@eahrend
Copy link

eahrend commented Nov 20, 2023

FWIW, we're having the same issue here. Same setup on 2.12.0

@sammaxwellxyz sammaxwellxyz mentioned this issue Dec 5, 2023
Closed
@JorTurFer JorTurFer mentioned this issue Dec 11, 2023
Closed
25 tasks
@wozniakjan wozniakjan mentioned this issue Jan 5, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Roadmap - KEDA Core
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix pod identity ignored when scaled target is CRD wozniakjan/keda
3 participants
@eahrend @juldrixx @JorTurFer