Provide support for Azure Key Vault in TriggerAuthentication.

[v-shenoy]

Authentication via Azure Key Vault is now supported.
Sample for the new TriggerAuthenticationSpec -

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: <secret-name>
            key: <key-within-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Edit 1 - Updated spec and checklist.
Edit 2- Raised documentation PR.
Edit 3 - Update checklist with tests added.

Checklist

• Commits are signed with Developer Certificate of Origin (DCO - learn more)
• Tests have been added
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Changelog has been updated and is aligned with our changelog requirements

Fixes #900

[tomkerkhove]

Can we also support managed identity or not?

[tomkerkhove]

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        kubeSecret: <kubernetes-secret-containing-azureAD-secret>
        key: <key-within-the-kubernetes-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Some quick feedback on azureKeyVault.credentials.clientSecret. Can we align with the existing secret ref approach in Kubernetes?

[v-shenoy]

Can we also support managed identity or not?

I am not really sure how to go about this. Need some guidance.

[v-shenoy]

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        kubeSecret: <kubernetes-secret-containing-azureAD-secret>
        key: <key-within-the-kubernetes-secret>
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

Some quick feedback on azureKeyVault.credentials.clientSecret. Can we align with the existing secret ref approach in Kubernetes?

Which secret ref approach are you referring to?

[tomkerkhove]

The native Kubernetes approach - https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables:

valueFrom:
  secretKeyRef:
    name: mysecret
    key: username

[v-shenoy]

The native Kubernetes approach - https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables:

valueFrom:
  secretKeyRef:
    name: mysecret
    key: username

So, when you say align with it, you mean just renaming the object to use valueFrom, secretKeyRef instead of clientSecret? Because (and this might be a gap in my knowledge), I am not aware of a way where you can directly just reference secrets from a CRD.

[tomkerkhove]

I would go with this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

[v-shenoy]

I would go with this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: triggerAuthName
  namespace: default
spec:
  azureKeyVault:
    vaultUri: <vault-address>
    credentials:  
      clientId: <azureAD-clientID>
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      tenantId: <azureAD-tenantID>
    secrets: 
    - parameter: <param-name-for-authenticating>
      name: <secret-name-in-key-vault>
      version: <secret-version> # Optional

I'll make the changes.

[v-shenoy]

Also, could you point me to where all do I need to make changes for the helm charts (besides the YAMLs for the CRDs)? I am not too familiar with those.

[tomkerkhove]

Since this is our data plane I don't think we need any

[v-shenoy]

What about these, 02-crd-clustertriggerauthentications.yaml, 05-crd-triggerauthentications.keda.sh.yaml?

[tomkerkhove]

CRDs is a different story but I'll need @zroubalik for this.

[tomkerkhove]

Also, would you mind opening a documentation PR for this nice addition please?

[v-shenoy]

Also, would you mind opening a documentation PR for this nice addition please?

Yeah, I am in the middle of doing it.

[v-shenoy]

As the helm charts need to be updated due to the CRD changes, what version, appVersion do I use here?

[tomkerkhove]

As the helm charts need to be updated due to the CRD changes, what version, appVersion do I use here?

It's very kind but you don't have to do anything, CRD updates are part of our release process: https://github.com/kedacore/keda/blob/main/RELEASE-PROCESS.MD#6-prepare-our-helm-chart

[v-shenoy]

Raised a PR for the documentation - kedacore/keda-docs#704

[JorTurFer]

I'm not an expert in Azure Key Vault, but the code looks good.
Could you add an e2e test that uses the Key Vault?
Can we provide it @tomkerkhove?

[tomkerkhove]

Certainly, we can store a Service Bus connection string in the vault to ensure it can authenticate to it. That way, we can re-use existing SB tests - What do you think?

[JorTurFer]

I'd do another test only for checking this. AFAIR, if the connection string fails, KEDA doesn't create the HPA, we could store one connection string on KeyVault and try to use it. Or maybe doing the query manually just for checking that response is not an error.

But I'd go with another test

[tomkerkhove]

Let's do this:

• add unit tests in this PR
• add e2e tests for key vault in this PR
• add e2e test using key vault with Azure storage scaler
• I will open issue for service bus e2e tests as follow-up by somebody having time

[v-shenoy]

I don't think it makes sense to have unit test considering the AzureKeyVaultHandler is only initialized and just fetches secrets. Have added the e2e test using queue trigger. Please take a look. @tomkerkhove @JorTurFer @zroubalik

[tomkerkhove]

I don't think it makes sense to have unit test considering the AzureKeyVaultHandler is only initialized and just fetches secrets.

I don't think this can hurt, no?

[v-shenoy]

The struct exposes only two methods, Initialize, Read. Not really sure how to test those without providing actual uri, creds and try to fetch a secret. But that would not be a unit test.

[tomkerkhove]

Fine by me if it's fine for the others

[zroubalik]

Looking good, just some minor nits

[zroubalik]

/run-e2e azure-keyvault-queue.test.ts
Update: You can check the progres here

[zroubalik]

LGTM

[SebastianSchuetze]

Last question for me. Does this support also managed identity as requested or does this come later?

[v-shenoy]

Last question for me. Does this support also managed identity as requested or does this come later?

@SebastianSchuetze It doesn't currently, it will have to be taken up later.

[mingue]

Looking into using this once released, but will this also be supported for ClusterTriggerAuthentication? The updated documentation doesn't make any exception to exclude this feature. If so where will it get the credentials for the clientSecret:

clientSecret:
  valueFrom:
    secretKeyRef: # Where is this secret coming from in a ClusterTriggerAuthentication?
      name: <secret-name>
      key: <key-within-secret>

[tomkerkhove]

That's something we should improve in our docs indeed, @v-shenoy I presume this would be from a secret in the same namespace as the ClusterTriggerAuthentication itself, right?

[v-shenoy]

Yes, it would be. Do we add this to the documentation, or should we have cluster trigger authentication be able to fetch secrets from other namespaces as well by specifying a namespace key in the object? (Only for Cluster, not normal trigger auth)

[tomkerkhove]

No, I think the current approach is perfect but let's improve the docs a bit.

[v-shenoy]

Last question for me. Does this support also managed identity as requested or does this come later?

While this thread is active, @SebastianSchuetze Pod Identity support is being added to key vault, along with workload identity.

[v-shenoy]

Added clarification - kedacore/keda-docs#753

[tomkerkhove]

Merged, thanks!