From 3118fbc88c66d3a8897f88f3f07c08575061888f Mon Sep 17 00:00:00 2001
From: Jan Wozniak
Date: Fri, 5 Jan 2024 19:31:27 +0100
Subject: [PATCH] Fix pod identity ignored when scaled target is CRD (#5351)

* Fix CRD PodIdentity not considered

Signed-off-by: Jan Wozniak

* Update CHANGELOG

Signed-off-by: Jan Wozniak

* Add expectedPodIndity to ResolveAuthRef tests

Signed-off-by: Jan Wozniak

---------

Signed-off-by: Jan Wozniak
Co-authored-by: Juldrixx
Co-authored-by: Sam Maxwell
---
 CHANGELOG.md | 1 +
 pkg/scaling/resolver/scale_resolvers.go | 5 +-
 pkg/scaling/resolver/scale_resolvers_test.go | 75 +++++++++++++++-----
 3 files changed, 62 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c8b72c9492..80ab13ab073 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -84,6 +84,7 @@ Here is an overview of all new **experimental** features:
 - **General**: Admission webhook does not reject workloads with only resource limits provided ([#4802](https://github.com/kedacore/keda/issues/4802))
 - **General**: Fix CVE-2023-39325 in golang.org/x/net ([#5122](https://github.com/kedacore/keda/issues/5122))
 - **General**: Fix otelgrpc DoS vulnerability ([#5208](https://github.com/kedacore/keda/issues/5208))
+- **General**: Fix PodIdentity not considered when scaled target is a CRD ([#5021](https://github.com/kedacore/keda/issues/5021))
 - **General**: Prevented memory leak generated by not correctly cleaning http connections ([#5248](https://github.com/kedacore/keda/issues/5248))
 - **General**: Prevented stuck status due to timeouts during scalers generation ([#5083](https://github.com/kedacore/keda/issues/5083))
 - **General**: ScaledObject Validating Webhook should support dry-run=server requests ([#5306](https://github.com/kedacore/keda/issues/5306))
diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
index 221e0ccd8c4..b7c305f5702 100644
--- a/pkg/scaling/resolver/scale_resolvers.go
+++ b/pkg/scaling/resolver/scale_resolvers.go
@@ -214,8 +214,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log
  return authParams, podIdentity, nil
 }
 
- authParams, _, err := resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
- return authParams, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, err
+ return resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)
 }
 
 // resolveAuthRef provides authentication parameters needed authenticate scaler with the environment.
@@ -224,7 +223,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
  triggerAuthRef *kedav1alpha1.AuthenticationRef, podSpec *corev1.PodSpec,
  namespace string, secretsLister corev1listers.SecretLister) (map[string]string, kedav1alpha1.AuthPodIdentity, error) {
  result := make(map[string]string)
- var podIdentity kedav1alpha1.AuthPodIdentity
+ podIdentity := kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}
  var err error
 
  if namespace != "" && triggerAuthRef != nil && triggerAuthRef.Name != "" {
diff --git a/pkg/scaling/resolver/scale_resolvers_test.go b/pkg/scaling/resolver/scale_resolvers_test.go
index de925409603..3361823adfb 100644
--- a/pkg/scaling/resolver/scale_resolvers_test.go
+++ b/pkg/scaling/resolver/scale_resolvers_test.go
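Review bot: The doc comment on ResolveAuthRefAndPodIdentity (above this hunk, outside it) should state the contract that the new `return resolveAuthRef(ctx, client, logger, triggerAuthRef, nil, namespace, secretsLister)` establishes: for a scaled target that yields no pod spec, the PodIdentity declared on the TriggerAuthentication or ClusterTriggerAuthentication is returned as resolveAuthRef resolves it, rather than being forced to PodIdentityProviderNone as the removed lines did. Something like `// When the target is not a workload (no pod spec), the identity declared on the referenced TriggerAuthentication is returned; Provider is None only when none is declared.` would make the behaviour change visible to callers that previously relied on the forced-None result for CRD targets, which presumably is the intent of the fix but is not written down anywhere in the code.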
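Review bot: The new initialiser `podIdentity := kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}` deserves a why-comment, because the difference from the removed `var podIdentity` is only that every early-return path of resolveAuthRef now reports an explicit None provider instead of the zero-value empty string; `// Default to an explicit None provider so no return path reports the zero-value "" when no TriggerAuthentication applies.` would do. The context line at the end of the previous hunk is also missing words: `// resolveAuthRef provides the authentication parameters needed to authenticate the scaler with the environment.` The body of resolveAuthRef continues outside the hunk.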
@@ -258,18 +258,21 @@ func TestResolveAuthRef(t *testing.T) {
  comment string
  }{
  {
- name: "foo",
- expected: make(map[string]string),
+ name: "foo",
+ expected: make(map[string]string),
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
  {
- name: "no triggerauth exists",
- soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
- expected: make(map[string]string),
+ name: "no triggerauth exists",
+ soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
+ expected: make(map[string]string),
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
  {
- name: "no triggerauth exists",
- soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
- expected: make(map[string]string),
+ name: "no triggerauth exists",
+ soar: &kedav1alpha1.AuthenticationRef{Name: "notthere"},
+ expected: make(map[string]string),
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
  {
  name: "triggerauth exists, podidentity nil",
@@ -290,8 +293,9 @@ func TestResolveAuthRef(t *testing.T) {
  },
  },
  },
- soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
- expected: map[string]string{"host": ""},
+ soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
+ expected: map[string]string{"host": ""},
  },
  {
  name: "triggerauth exists and secret",
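Review bot: The second and third cases are both named "no triggerauth exists" and are byte-identical on the new side, so the duplicate adds no coverage and a failure in either prints the same name. Either drop one, or make the duplicate exercise the cluster-scoped lookup with `soar: &kedav1alpha1.AuthenticationRef{Name: "notthere", Kind: "ClusterTriggerAuthentication"}` and a distinct name. The enclosing tests slice starts before this hunk.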
@@ -358,10 +362,11 @@ func TestResolveAuthRef(t *testing.T) {
  },
  },
  },
- isError: true,
- comment: "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
- soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
- expected: map[string]string{},
+ isError: true,
+ comment: "\"my-vault-address-doesnt-exist/v1/auth/token/lookup-self\": unsupported protocol scheme \"\"",
+ soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
+ expected: map[string]string{},
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
  {
  name: "triggerauth exists and config map",
@@ -461,8 +466,9 @@ func TestResolveAuthRef(t *testing.T) {
  },
  },
  },
- soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
- expected: map[string]string{"host": ""},
+ soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+ expected: map[string]string{"host": ""},
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
  {
  name: "clustertriggerauth exists and secret",
@@ -565,6 +571,43 @@ func TestResolveAuthRef(t *testing.T) {
  expected: map[string]string{"host": ""},
  expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
  },
+ {
+ name: "clustertriggerauth exists and contains podIdentity configuration but no podSpec (target is a CRD)",
+ existing: []runtime.Object{
+ &kedav1alpha1.ClusterTriggerAuthentication{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: triggerAuthenticationName,
+ },
+ Spec: kedav1alpha1.TriggerAuthenticationSpec{
+ PodIdentity: &kedav1alpha1.AuthPodIdentity{
+ Provider: kedav1alpha1.PodIdentityProviderGCP,
+ },
+ },
+ },
+ },
+ soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+ expected: map[string]string{},
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
+ },
+ {
+ name: "clustertriggerauth exists and contains podIdentity configuration as well as dummy podSpec",
+ existing: []runtime.Object{
+ &kedav1alpha1.ClusterTriggerAuthentication{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: triggerAuthenticationName,
+ },
+ Spec: kedav1alpha1.TriggerAuthenticationSpec{
+ PodIdentity: &kedav1alpha1.AuthPodIdentity{
+ Provider: kedav1alpha1.PodIdentityProviderGCP,
+ },
+ },
+ },
+ },
+ soar: &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName, Kind: "ClusterTriggerAuthentication"},
+ podSpec: &corev1.PodSpec{},
+ expected: map[string]string{},
+ expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderGCP},
+ },
  }
  var secretsLister corev1listers.SecretLister
  for _, test := range tests {
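Review bot: Both new cases appear to drive resolveAuthRef directly (the second sets `podSpec: &corev1.PodSpec{}`), while the branch this commit actually changes is the `return resolveAuthRef(..., nil, ...)` path in ResolveAuthRefAndPodIdentity for a target without a pod spec; nothing in this hunk seems to go through that function, so please confirm it is covered elsewhere or add a case that calls it with a target that yields no pod spec and expects `Provider: kedav1alpha1.PodIdentityProviderGCP`. The two cases differ only in the presence of an empty podSpec, which is a good check that the returned identity no longer depends on it, but both use GCP; if any provider branch in resolveAuthRef reads podSpec fields, a case with that provider and `podSpec: nil` would be the more telling regression test. The loop that compares expectedPodIdentity lies outside the hunk.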