Azure AD Pod Identity & Workload Identity Support - Azure Key Vault.

Signed-off-by: Vighnesh Shenoy <[email protected]>
kedacore · Apr 22, 2022 · 82e9434 · 82e9434
1 parent 8a8c4ee
commit 82e9434
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 25 deletions.
diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go
@@ -181,9 +181,10 @@ type VaultSecret struct {
 
 // AzureKeyVault is used to authenticate using Azure Key Vault
 type AzureKeyVault struct {
-	VaultURI    string                    `json:"vaultUri"`
+	VaultURI string                `json:"vaultUri"`
+	Secrets  []AzureKeyVaultSecret `json:"secrets"`
+	// +optional
 	Credentials *AzureKeyVaultCredentials `json:"credentials"`
-	Secrets     []AzureKeyVaultSecret     `json:"secrets"`
 	// +optional
 	Cloud *AzureKeyVaultCloudInfo `json:"cloud"`
 }

diff --git a/apis/keda/v1alpha1/zz_generated.deepcopy.go b/apis/keda/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
@@ -116,7 +116,6 @@ spec:
                   vaultUri:
                     type: string
                 required:
-                - credentials
                 - secrets
                 - vaultUri
                 type: object

diff --git a/config/crd/bases/keda.sh_triggerauthentications.yaml b/config/crd/bases/keda.sh_triggerauthentications.yaml
@@ -115,7 +115,6 @@ spec:
                   vaultUri:
                     type: string
                 required:
-                - credentials
                 - secrets
                 - vaultUri
                 type: object

diff --git a/pkg/scaling/resolver/azure_keyvault_handler.go b/pkg/scaling/resolver/azure_keyvault_handler.go
@@ -34,32 +34,28 @@ import (
 type AzureKeyVaultHandler struct {
 	vault          *kedav1alpha1.AzureKeyVault
 	keyvaultClient *keyvault.BaseClient
+	podIdentity    kedav1alpha1.PodIdentityProvider
 }
 
-func NewAzureKeyVaultHandler(v *kedav1alpha1.AzureKeyVault) *AzureKeyVaultHandler {
+func NewAzureKeyVaultHandler(v *kedav1alpha1.AzureKeyVault, podIdentity kedav1alpha1.PodIdentityProvider) *AzureKeyVaultHandler {
 	return &AzureKeyVaultHandler{
-		vault: v,
+		vault:       v,
+		podIdentity: podIdentity,
 	}
 }
 
 func (vh *AzureKeyVaultHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string) error {
-	clientID := vh.vault.Credentials.ClientID
-	tenantID := vh.vault.Credentials.TenantID
-
-	clientSecretName := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Name
-	clientSecretKey := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Key
-	clientSecret := resolveAuthSecret(ctx, client, logger, clientSecretName, triggerNamespace, clientSecretKey)
-
-	clientCredentialsConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
-
 	keyvaultResourceURL, activeDirectoryEndpoint, err := vh.getPropertiesForCloud()
 	if err != nil {
 		return err
 	}
-	clientCredentialsConfig.Resource = keyvaultResourceURL
-	clientCredentialsConfig.AADEndpoint = activeDirectoryEndpoint
 
-	authorizer, err := clientCredentialsConfig.Authorizer()
+	authConfig := vh.getAuthConfig(ctx, client, logger, triggerNamespace, keyvaultResourceURL, activeDirectoryEndpoint)
+	if err != nil {
+		return err
+	}
+
+	authorizer, err := authConfig.Authorizer()
 	if err != nil {
 		return err
 	}
@@ -105,3 +101,31 @@ func (vh *AzureKeyVaultHandler) getPropertiesForCloud() (string, string, error)
 
 	return env.ResourceIdentifiers.KeyVault, env.ActiveDirectoryEndpoint, nil
 }
+
+func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client.Client, logger logr.Logger,
+	triggerNamespace, keyVaultResourceURL, activeDirectoryEndpoint string) auth.AuthorizerConfig {
+	switch vh.podIdentity {
+	case "", kedav1alpha1.PodIdentityProviderNone:
+		clientID := vh.vault.Credentials.ClientID
+		tenantID := vh.vault.Credentials.TenantID
+
+		clientSecretName := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Name
+		clientSecretKey := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Key
+		clientSecret := resolveAuthSecret(ctx, client, logger, clientSecretName, triggerNamespace, clientSecretKey)
+
+		config := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
+		config.Resource = keyVaultResourceURL
+		config.AADEndpoint = activeDirectoryEndpoint
+
+		return config
+	case kedav1alpha1.PodIdentityProviderAzure:
+		config := auth.NewMSIConfig()
+		config.Resource = keyVaultResourceURL
+
+		return config
+	case kedav1alpha1.PodIdentityProviderAzureWorkload:
+		return azure.NewAzureADWorkloadIdentityConfig(ctx, keyVaultResourceURL)
+	}
+
+	return nil
+}
diff --git a/pkg/scaling/resolver/azure_keyvault_handler_test.go b/pkg/scaling/resolver/azure_keyvault_handler_test.go
@@ -110,7 +110,7 @@ var testDataset = []testData{
 
 func TestGetPropertiesForCloud(t *testing.T) {
 	for _, testData := range testDataset {
-		vh := NewAzureKeyVaultHandler(&testData.vault)
+		vh := NewAzureKeyVaultHandler(&testData.vault, kedav1alpha1.PodIdentityProviderNone)
 
 		kvResourceURL, adEndpoint, err := vh.getPropertiesForCloud()
 

diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
@@ -211,7 +211,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
 				}
 			}
 			if triggerAuthSpec.AzureKeyVault != nil && len(triggerAuthSpec.AzureKeyVault.Secrets) > 0 {
-				vaultHandler := NewAzureKeyVaultHandler(triggerAuthSpec.AzureKeyVault)
+				vaultHandler := NewAzureKeyVaultHandler(triggerAuthSpec.AzureKeyVault, podIdentity)
 				err := vaultHandler.Initialize(ctx, client, logger, triggerNamespace)
 				if err != nil {
 					logger.Error(err, "Error authenticating to Azure Key Vault", "triggerAuthRef.Name", triggerAuthRef.Name)