Support AAD Pod Identity #49

Open
joclegg opened this issue Oct 12, 2022 · 2 comments · May be fixed by #68

Comments

joclegg commented Oct 12, 2022

Add support for using pod identity binding to access the cosmos db via account endpoint only.

Use-Case

Our cosmos dbs are set up to only use AD for access. We would like to create a role with the access that this scaler will need and use that and the account endpoint for access. We would then not need to have connection strings in configuration.

@karpikpl

Hey,
Is there any update on this issue?
The comment about TriggerAuthentication is 3 years old.
The external scaler example now references secrets? https://keda.sh/docs/2.14/scalers/external/#authentication-parameters

karpikpl linked a pull request Jun 11, 2024 that will close this issue

karpikpl commented Jun 11, 2024

I've been trying to understand if I can deploy the scaler with TriggerAuthentication since I cannot find anything in KEDA docs that would say it's not supported for external scalers.

```yaml
# Create KEDA scaled object to scale order processor application.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: azure-cosmosdb-auth
spec:
  podIdentity:
    provider: azure-workload
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: cosmosdb-order-processor-scaledobject
  namespace: cosmosdb-order-processor
spec:
  pollingInterval: 20
  scaleTargetRef:
    name: cosmosdb-order-processor
  triggers:
    - type: external
      authenticationRef:
        name: azure-cosmosdb-auth # authenticationRef would need either podIdentity or define a connection parameter
      metadata:
        scalerAddress: external-scaler-azure-cosmos-db.cosmosdb-order-processor:4050
        endpoint: https://{Cosmos DB Account Name}.documents.azure.com:443/ # update as per your environment
        databaseId: StoreDatabase
        containerId: OrderContainer
        LeaseEndpoint: https://{Cosmos DB Account Name}.documents.azure.com:443/ # update as per your environment
        leaseDatabaseId: StoreDatabase
        leaseContainerId: OrderProcessorLeases
        processorName: OrderProcessor
```

It looks like Azure Workload Identity is supported in KEDA. The only thing missing is the actual support in code that I tried adding in #68.

The state of the code is a little confusing though:

  1. There's a new sample that has support for Identity, developed 1 year ago: https://github.com/Azure-Samples/cosmos-aks-keda which looks like a fork of this repo, but it was never merged into this one.
  2. Even though this repo gets updates, keda chart hasn't been updated in a while: https://github.com/kedacore/charts/blob/43b0f516e0d101c18830d06126700916c029712b/external-scaler-azure-cosmos-db/values.yaml#L10
  3. The container image is built in this repo, but the latest tag is not moved and there are no new releases (the "experimental" tag is used instead).
