Fix pod identity ignored when scaled target is CRD (#5351)

* Fix CRD PodIdentity not considered Signed-off-by: Jan Wozniak <[email protected]> * Update CHANGELOG Signed-off-by: Jan Wozniak <[email protected]> * Add expectedPodIndity to ResolveAuthRef tests Signed-off-by: Jan Wozniak <[email protected]> --------- Signed-off-by: Jan Wozniak <[email protected]> Co-authored-by: Juldrixx <[email protected]> Co-authored-by: Sam Maxwell <[email protected]>
kedacore · Jan 5, 2024 · 3118fbc · 3118fbc
1 parent 35b96df
commit 3118fbc
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -84,6 +84,7 @@ Here is an overview of all new **experimental** features:
 - **General**: Admission webhook does not reject workloads with only resource limits provided ([#4802](https://github.com/kedacore/keda/issues/4802))
 - **General**: Fix CVE-2023-39325 in golang.org/x/net ([#5122](https://github.com/kedacore/keda/issues/5122))
 - **General**: Fix otelgrpc DoS vulnerability ([#5208](https://github.com/kedacore/keda/issues/5208))
+- **General**: Fix PodIdentity not considered when scaled target is a CRD ([#5021](https://github.com/kedacore/keda/issues/5021))
 - **General**: Prevented memory leak generated by not correctly cleaning http connections ([#5248](https://github.com/kedacore/keda/issues/5248))
 - **General**: Prevented stuck status due to timeouts during scalers generation ([#5083](https://github.com/kedacore/keda/issues/5083))
 - **General**: ScaledObject Validating Webhook should support dry-run=server requests ([#5306](https://github.com/kedacore/keda/issues/5306))

diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
@@ -214,8 +214,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log
 		return authParams, podIdentity, nil
 	}
 
-	authParams, _, err := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
-	return authParams, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, err
+	return resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
 }
 
 // resolveAuthRef provides authentication parameters needed authenticate scaler with the environment.
@@ -224,7 +223,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
 	triggerAuthRef *kedav1alpha1.AuthenticationRef, podSpec *corev1.PodSpec,
 	namespace string, secretsLister corev1listers.SecretLister) (map[string]string, kedav1alpha1.AuthPodIdentity, error) {
 	result := make(map[string]string)
-	var podIdentity kedav1alpha1.AuthPodIdentity
+	podIdentity := kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}
 	var err error
 
 	if namespace != "" && triggerAuthRef != nil && triggerAuthRef.Name != "" {

diff --git a/pkg/scaling/resolver/scale_resolvers_test.go b/pkg/scaling/resolver/scale_resolvers_test.go
@@ -258,18 +258,21 @@ func TestResolveAuthRef(t *testing.T) {
 		comment             string
 	}{
 		{
-			name:     "foo",
-			expected: make(map[string]string),
+			name:                "foo",
+			expected:            make(map[string]string),
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
 		{
-			name:     "no triggerauth exists",
-			soar:     &kedav1alpha1.AuthenticationRef{Name: "notthere"},
-			expected: make(map[string]string),
+			name:                "no triggerauth exists",
+			soar:                &kedav1alpha1.AuthenticationRef{Name: "notthere"},
+			expected:            make(map[string]string),
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
 		{
-			name:     "no triggerauth exists",
-			soar:     &kedav1alpha1.AuthenticationRef{Name: "notthere"},
-			expected: make(map[string]string),
+			name:                "no triggerauth exists",
+			soar:                &kedav1alpha1.AuthenticationRef{Name: "notthere"},
+			expected:            make(map[string]string),
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
 		{
 			name: "triggerauth exists, podidentity nil",
@@ -290,8 +293,9 @@ func TestResolveAuthRef(t *testing.T) {
 					},
 				},
 			},
-			soar:     &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
-			expected: map[string]string{"host": ""},
+			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
+			expected:            map[string]string{"host": ""},
 		},
 		{
 			name: "triggerauth exists and secret",
@@ -358,10 +362,11 @@ func TestResolveAuthRef(t *testing.T) {
 					},
 				},
 			},
-			isError:  true,
-			comment:  "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
-			soar:     &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
-			expected: map[string]string{},
+			isError:             true,
+			comment:             "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
+			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
+			expected:            map[string]string{},
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
 		{
 			name: "triggerauth exists and config map",
@@ -461,8 +466,9 @@ func TestResolveAuthRef(t *testing.T) {
 					},
 				},
 			},
-			soar:     &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
-			expected: map[string]string{"host": ""},
+			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+			expected:            map[string]string{"host": ""},
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
 		{
 			name: "clustertriggerauth exists and secret",
@@ -565,6 +571,43 @@ func TestResolveAuthRef(t *testing.T) {
 			expected:            map[string]string{"host": ""},
 			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
+		{
+			name: "clustertriggerauth exists and contains podIdentity configuration but no podSpec (target is a CRD)",
+			existing: []runtime.Object{
+				&kedav1alpha1.ClusterTriggerAuthentication{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: triggerAuthenticationName,
+					},
+					Spec: kedav1alpha1.TriggerAuthenticationSpec{
+						PodIdentity: &kedav1alpha1.AuthPodIdentity{
+							Provider: kedav1alpha1.PodIdentityProviderGCP,
+						},
+					},
+				},
+			},
+			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+			expected:            map[string]string{},
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
+		},
+		{
+			name: "clustertriggerauth exists and contains podIdentity configuration as well as dummy podSpec",
+			existing: []runtime.Object{
+				&kedav1alpha1.ClusterTriggerAuthentication{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: triggerAuthenticationName,
+					},
+					Spec: kedav1alpha1.TriggerAuthenticationSpec{
+						PodIdentity: &kedav1alpha1.AuthPodIdentity{
+							Provider: kedav1alpha1.PodIdentityProviderGCP,
+						},
+					},
+				},
+			},
+			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+			podSpec:             &corev1.PodSpec{},
+			expected:            map[string]string{},
+			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
+		},
 	}
 	var secretsLister corev1listers.SecretLister
 	for _, test := range tests {