fix: AWS EKS doesn't fail if missing annotation (#5389)

Signed-off-by: Jorge Turrado <[email protected]>
kedacore · Jan 16, 2024 · 4fd3ed5 · 4fd3ed5
1 parent 8f3e0d6
commit 4fd3ed5
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/pkg/scaling/resolver/aws_secretmanager_handler.go b/pkg/scaling/resolver/aws_secretmanager_handler.go
@@ -87,7 +87,7 @@ func (ash *AwsSecretManagerHandler) Initialize(ctx context.Context, client clien
 		}
 	case kedav1alpha1.PodIdentityProviderAws:
 		if ash.secretManager.PodIdentity.IsWorkloadIdentityOwner() {
-			awsRoleArn, err := resolveServiceAccountAnnotation(ctx, client, podSpec.ServiceAccountName, triggerNamespace, kedav1alpha1.PodIdentityAnnotationEKS)
+			awsRoleArn, err := resolveServiceAccountAnnotation(ctx, client, podSpec.ServiceAccountName, triggerNamespace, kedav1alpha1.PodIdentityAnnotationEKS, true)
 			if err != nil {
 				return fmt.Errorf("error resolving role arn for aws: %w", err)
 			}

diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
@@ -195,15 +195,15 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log
 				authParams["awsRoleArn"] = podIdentity.RoleArn
 			}
 			if podIdentity.IsWorkloadIdentityOwner() {
-				value, err := resolveServiceAccountAnnotation(ctx, client, podTemplateSpec.Spec.ServiceAccountName, namespace, kedav1alpha1.PodIdentityAnnotationEKS)
+				value, err := resolveServiceAccountAnnotation(ctx, client, podTemplateSpec.Spec.ServiceAccountName, namespace, kedav1alpha1.PodIdentityAnnotationEKS, true)
 				if err != nil {
 					return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 						fmt.Errorf("error getting service account: '%s', error: %w", podTemplateSpec.Spec.ServiceAccountName, err)
 				}
 				authParams["awsRoleArn"] = value
 			}
 		case kedav1alpha1.PodIdentityProviderAwsEKS:
-			value, err := resolveServiceAccountAnnotation(ctx, client, podTemplateSpec.Spec.ServiceAccountName, namespace, kedav1alpha1.PodIdentityAnnotationEKS)
+			value, err := resolveServiceAccountAnnotation(ctx, client, podTemplateSpec.Spec.ServiceAccountName, namespace, kedav1alpha1.PodIdentityAnnotationEKS, false)
 			if err != nil {
 				return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 					fmt.Errorf("error getting service account: '%s', error: %w", podTemplateSpec.Spec.ServiceAccountName, err)
@@ -607,7 +607,7 @@ func resolveAuthSecret(ctx context.Context, client client.Client, logger logr.Lo
 
 // resolveServiceAccountAnnotation retrieves the value of a specific annotation
 // from the annotations of a given Kubernetes ServiceAccount.
-func resolveServiceAccountAnnotation(ctx context.Context, client client.Client, name, namespace, annotation string) (string, error) {
+func resolveServiceAccountAnnotation(ctx context.Context, client client.Client, name, namespace, annotation string, required bool) (string, error) {
 	serviceAccountName := defaultServiceAccount
 	if name != "" {
 		serviceAccountName = name
@@ -618,7 +618,7 @@ func resolveServiceAccountAnnotation(ctx context.Context, client client.Client,
 		return "", fmt.Errorf("error getting service account: '%s', error: %w", serviceAccountName, err)
 	}
 	value, ok := serviceAccount.Annotations[annotation]
-	if !ok {
+	if !ok && required {
 		return "", fmt.Errorf("annotation '%s' not found", annotation)
 	}
 	return value, nil