Add new AWS podIdentity #5061
Add new AWS podIdentity #5061
Conversation
|
Thank you for your contribution! 🙏 We will review your PR as soon as possible. While you are waiting, make sure to:
Learn more about: |
|
To add further confusion, AWS has just released a new alternative to IRSA called Pod Identity 😄 I'm not sure of the relevance it will have, if any, on this PR but would be worth to have a look to see the potential impact of this feature. |
|
/run-e2e aws |
|
/run-e2e aws |
JorTurFer
force-pushed
the
add-aws
branch
2 times, most recently
from
66de066
to
02a2bf1
Compare
|
/run-e2e aws |
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
Co-authored-by: Sami S <[email protected]> Signed-off-by: Jorge Turrado <[email protected]>
|
/run-e2e |
|
/run-e2e aws |
Signed-off-by: Jorge Turrado <[email protected]>
|
/run-e2e aws |
|
PTAL @zroubalik , @tomkerkhove @blakepettersson @ThaSami |
Signed-off-by: Jorge Turrado <[email protected]>
|
/run-e2e aws |
There was a problem hiding this comment.
Great job, I have a few comments in general about documentation.
Will do another review once kedacore/keda-docs#1251 (comment) is resolved
…ueKey Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado Ferrero <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
|
/run-e2e aws |
Signed-off-by: Jorge Turrado <[email protected]>
|
/run-e2e aws |
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado Ferrero <[email protected]>
|
/run-e2e aws |
There was a problem hiding this comment.
LGTM, great work everybody, @blakepettersson @ThaSami @JorTurFer !
* Add new AWS podIdentity Co-authored-by: Sami S <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * use new resources Signed-off-by: Jorge Turrado <[email protected]> * fix logs Signed-off-by: Jorge Turrado <[email protected]> * rename scalerIndex to triggerIndex and ScalerUniqueKey to TriggerUniqueKey Signed-off-by: Jorge Turrado <[email protected]> * add missing headers Signed-off-by: Jorge Turrado <[email protected]> * propagate ctx Signed-off-by: Jorge Turrado <[email protected]> * Add documentation commments Signed-off-by: Jorge Turrado <[email protected]> * Add explanation to new files Signed-off-by: Jorge Turrado <[email protected]> * Add semgrep exclusion Signed-off-by: Jorge Turrado <[email protected]> * go mod updates Signed-off-by: Jorge Turrado <[email protected]> * update comment Signed-off-by: Jorge Turrado <[email protected]> * update clientset Signed-off-by: Jorge Turrado <[email protected]> * apply feedback Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Jorge Turrado <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> Signed-off-by: Jorge Turrado Ferrero <[email protected]> Co-authored-by: Sami S <[email protected]>
Special KUDOS to @ThaSami, who has developed almost all the WebIdentity and caching code
This PR Introduced a new authentication option for AWS, relying 100% on TriggerAuthentication CRD for getting all the required information instead of mixing TriggerAuthentication and trigger.metadata section. For this, 2 new fields have been added:
roleArn: Similar to already existing clientId, this new field is used for manually providing the AWS roleArn that KEDA has to use.identityOwner: This field is used for specifying if you want to use KEDA's roleArn or the workload roleArn (recovered from the workload service account annotations). This field is an enum with 3 valid values: unset,keda,workload(unset is treaded askeda)These fields are mutually exclusive and there is a validation in admission webhooks to check this.
This new authentication allows 3 different working ways:
identityOwner: keda): In this scenario, KEDA's role has the required permission for accessing to the resources.identityOwner: workloadorroleArn: VALUE): In this scenario, KEDA will use its own role to assume workloads role via AssumeRole API. This requires that KEDA's role can assume other role inside AWS AIM. (and it's the assume role who has the access instead of KEDA's role)identityOwner: workloadorroleArn: VALUE): In this scenario, KEDA will request the role via WebIdentityRole API. This requires an OIDC federation between KEDA's service account and the role that KEDA has to assume.(and it's the assume role who has the access instead of KEDA's role)Additionally, this PR adds a cache for storing the aws credentials across all the usages instead of creating a credential instance per scaler. This means that if we are using the same role on several scalers, KEDA will use the same instance/token for all the scalers instead of requesting (and refreshing) a token for each scaler. To know if the aws config is in use in other scalers, we will use a new unique key introduced as scaler.Config level which is based on resourceType,namespace,resourceName,triggerIndex to be unique accross all the resources.
This new caching system has been included only as part of this new authenticaiton and also using
AWS_ACCESS_KEYandAWS_ACCESS_SECRET.Checklist
Fixes #4134
Fixes #5178
Fixes #5297
Relates to: