
Add needed resources in the clusters for e2e test with AAD-Pod-identity

Open JorTurFer opened this issue 2 years ago • 13 comments

Proposal

Right now, KEDA supports authentication by Azure MSI in Azure scalers. There are some e2e tests that are ready to test the scaler with this integration, but for that the AAD-Pod-Identity has to be deployed, and the MSI properly configured (and its ID available as a secret). For instance, right now the App Insights e2e test is ready (with that test disabled), and Data Explorer also supports this test.

I'd like to have AAD-Pod-Identity deployed in both clusters (e2e and pr-e2e), and at least 1 MSI with enough permissions in all resources on the Azure side for testing all current scalers (even if scalers like Azure Queue don't have that MSI-specific test at this moment).

Use-Case

Improve the trust in the e2e tests because they cover more scenarios

Anything else?

No response

JorTurFer, Apr 09 '22 11:04

Asked @ahmelsayed as I lack the permissions to add AAD Pod Identity.

tomkerkhove, Apr 25 '22 13:04

AAD Pod Identity added to cluster thanks to @ahmelsayed

tomkerkhove, Apr 28 '22 05:04

Do we have pending actions on this, @v-shenoy @JorTurFer?

tomkerkhove, May 11 '22 09:05

I think that all AAD-Pod-Identity resources are needed. We have added the needed resources/e2e tests for AAD-Workload-Identity (but I'm totally lost on the AAD side, @v-shenoy?)

JorTurFer, May 11 '22 09:05

I am sorry, I did not get you, @JorTurFer

v-shenoy, May 11 '22 09:05

AAD-Pod-Identity and AAD-Workload-Identity are 2 different identity pods. Right now we have integration/e2e tests for the second one, but for AAD-Pod-Identity we only have the integration; we don't have e2e tests because AAD-Pod-Identity is not ready/configured, right?

JorTurFer, May 11 '22 10:05

Yes. Those are independent and require different configurations. I will have to check and see what all needs to be done for pod identity.

v-shenoy, May 11 '22 10:05

Any update here?

JorTurFer, Sep 11 '22 17:09

I'll try to see if I can get this done soon.

v-shenoy, Sep 11 '22 17:09

I have followed this doc to spawn aad-pod-identity on my own cluster and it's quite easy.

JorTurFer, Sep 11 '22 20:09

What do you need?

tomkerkhove, Sep 12 '22 07:09

We need to spawn aad-pod-identity in the cluster (e.g. using the add-on) and we also need a managed identity attached to the nodepool with access to the resources. We will also need the client-id as a secret to use it in KEDA deployments. This is the guide with all the things needed: https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity

JorTurFer, Sep 12 '22 13:09

I'll set this up later this week.

tomkerkhove, Sep 12 '22 13:09

As AAD-Pod-Identity is already deprecated in favour of Workload Identity, I guess we can close this to not invest effort here.

JorTurFer, Dec 09 '22 16:12