ADD support for PodIdentityProvider config in azure pipeline trigger

[toniiiik]

Support of PodIdentityProvider for azure pipelines scaler.

Checklist

(https://github.com/kedacore/governance/blob/main/SCALERS.md)

• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added
• Changelog has been updated and is aligned with our changelog requirements
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #

• (#5013)
• Managed Identity based authentication for the azure-pipelines scaler #4072

Relates to #

• doc #1206

[github-actions]

Thank you for your contribution! 🙏 We will review your PR as soon as possible.

🏖️ Over the summer, the response time will be longer than usual due to maintainers taking time off so please bear with us.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Learn more about:

• Our contribution guide

[JorTurFer]

Hi @toniiiik,
Thanks for this awesome feature! ❤️
We are adding all the required stuff in background for the e2e tests because our DevOps organization is currently attached to other tenant different from the infrastructure tenant. I hope to fix this soon but I wanted to share it with you

[toniiiik]

Hi @toniiiik,
Thanks for this awesome feature! ❤️
We are adding all the required stuff in background for the e2e tests because our DevOps organization is currently attached to other tenant different from the infrastructure tenant. I hope to fix this soon but I wanted to share it with you

Hi @JorTurFer thank you sharing this info. Do you have some estimation when it will be ready?

[JorTurFer]

I plan to prepare all the pending stuff this week, sorry for the terrible huge delay, we have had faced with some blockers in the process but I think that we are ready to it

[luck2bhanu]

Hi
Just to be sure this feature enables us to workload identity or pod identity because pod identity is not supported anymore

[toniiiik]

Hi Just to be sure this feature enables us to workload identity or pod identity because pod identity is not supported anymore

hi @luck2bhanu, yes azure-workload is only one supprted pod identity provider. Please see linked doc PR.

[JonasCordsen]

This is a very nice feature, is there any ETA?

[JorTurFer]

Kindly reminder @tomkerkhove : Have you linked the AAD with AzDO?

[tomkerkhove]

No, would you mind dropping me an email please?

[norbinto]

It would be an awesome feature for the next release

[JorTurFer]

No, would you mind dropping me an email please?

I'll send you an email

[zroubalik]

@tomkerkhove @JorTurFer do you have any update here please?

[ezYakaEagle442]

@tomkerkhove Hi !
Could you please share an ETA for this PR ?

[tomkerkhove]

We're working on it, had to set up new ADO org and project which is in place now and @JorTurFer is actively working on the rest of it

[JorTurFer]

I'm facing some issues adding the identity to the AzDO directly, I'll try using an AAD group tomorrow

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[JorTurFer]

It seems that the token isn't working properly:

2024-01-03T00:07:40Z	ERROR	scale_handler	error resolving auth params	{"type": "ScaledObject", "namespace": "azure-pipelines-test-ns", "name": "azure-pipelines-test-so", "scalerIndex": 0, "error": "error parsing azure Pipelines metadata: agent pool with id `11` not found: the Azure DevOps REST API returned error. urlString: https://dev.azure.com/kedaoss/_apis/distributedtask/pools?poolID=11 status: 401 response: {\"$id\":\"1\",\"innerException\":null,\"message\":\"TF401444: Please sign-in at least once as e0372f7f-a362-47fb-9631-74a5c4ba8bbf\\\\e0372f7f-a362-47fb-9631-74a5c4ba8bbf\\\\48a9fa1b-211e-436f-ae08-0c9651555054 in a web browser to enable access to the service.\",\"typeName\":\"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server\",\"typeKey\":\"UnauthorizedRequestException\",\"errorCode\":0,\"eventId\":3000}"}
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).buildScalers
	/workspace/pkg/scaling/scalers_builder.go:83
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).performGetScalersCache
	/workspace/pkg/scaling/scale_handler.go:355
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).GetScalersCache
	/workspace/pkg/scaling/scale_handler.go:280
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).getScaledObjectMetricSpecs
	/workspace/controllers/keda/hpa.go:211
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).newHPAForScaledObject
	/workspace/controllers/keda/hpa.go:77
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).createAndDeployNewHPA
	/workspace/controllers/keda/hpa.go:50
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).ensureHPAForScaledObjectExists
	/workspace/controllers/keda/scaledobject_controller.go:442
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).reconcileScaledObject
	/workspace/controllers/keda/scaledobject_controller.go:271
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).Reconcile
	/workspace/controllers/keda/scaledobject_controller.go:182
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:119
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:316
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227

[JorTurFer]

In theory, the managed identity is admin of the project (it's memeber of Project Collection Administrators)

[JorTurFer]

Accept the suggestions please, they update the info to use new resources

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[toniiiik]

/run-e2e azure_pipelines_aad_wi Update: You can check the progress here

it looks like tests are failing.

I faced same issue when managed identity had no permission to the pool on organisation scope. In fact that requests to obtain ID from name is

 https://dev.azure.com/{organization}/_apis/distributedtask/pools?poolName={poolName}

and there is no project name included in url. When I compared agent pool permissions on organisation level and project level the permissions were different. After configuring permissions for managed identity on organisation level e2e tests worked without error.
I am not sure if this is same case. If there is something I should update in tests let me know..... I still need to fix DCO

[JorTurFer]

I've explicitly set the group where the MSI is as pool admin, lets see if it works 🤞

[JorTurFer]

/run-e2e azure_pipelines_aad_wi

Update: You can check the progress here

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[JorTurFer]

What permissions does the msi need? Could you guide me to assign it?

[toniiiik]

What permissions does the msi need? Could you guide me to assign it?

hmm it looks good I've assign same admin permission for agentpool. I've send you invitation to my ADO org you can check config here https://dev.azure.com/wedocloudsolutions/_settings/agentpools?poolId=12&view=security. There is also tf for AKS deployment https://dev.azure.com/wedocloudsolutions/_git/Keda

[JorTurFer]

I'v not received any invitation :(
nvm, we can talk about this by Slack (probably it'll be faster). I'm available Kubernetes and CNCF Slack as Jorge Turrado, are you there?

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[JorTurFer]

It has passed! 🥳
Could you fix DCO?

[zroubalik]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here

[JorTurFer]

Have we lost the token refreshing process? Checking the PR it seems that we don't cache the token anymore and it was a nice feature because otherwise we will request 4-6 tokens per minute

[toniiiik]

Have we lost the token refreshing process? Checking the PR it seems that we don't cache the token anymore and it was a nice feature because otherwise we will request 4-6 tokens per minute

token cache added. Last time I implemented cache for credentials but not for token (at this moment we lost "token refreshing"). Now both credentials and token are reused.

[JorTurFer]

LGTM!

[JorTurFer]

/run-e2e azure_pipelines_aad_wi
Update: You can check the progress here