chore: Remove deprecated AAD-Pod-Identity and AWS-KIAM auths (#5782)
* chore: Remove deprecated AAD-Pod-Identity and AWS-KIAM auths

Signed-off-by: Jorge Turrado <[email protected]>

* fix CI

Signed-off-by: Jorge Turrado <[email protected]>

* fix CI

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
JorTurFer authored May 7, 2024
1 parent c7e901f commit ed69b41
Showing 75 changed files with 83 additions and 2,736 deletions.
1 change: 0 additions & 1 deletion .github/workflows/pr-e2e.yml
Expand Up @@ -152,7 +152,6 @@ jobs:
id: test
env:
AWS_RUN_IDENTITY_TESTS: true
AZURE_RUN_AAD_POD_IDENTITY_TESTS: true
AZURE_RUN_WORKLOAD_IDENTITY_TESTS: true
GCP_RUN_IDENTITY_TESTS: true
ENABLE_OPENTELEMETRY : true
1 change: 0 additions & 1 deletion .github/workflows/template-main-e2e-test.yml
Expand Up @@ -31,7 +31,6 @@ jobs:
- name: Run end to end tests
env:
AWS_RUN_IDENTITY_TESTS: true
AZURE_RUN_AAD_POD_IDENTITY_TESTS: true
AZURE_RUN_WORKLOAD_IDENTITY_TESTS: true
GCP_RUN_IDENTITY_TESTS: true
ENABLE_OPENTELEMETRY : true
8 changes: 4 additions & 4 deletions CHANGELOG.md
Expand Up @@ -52,6 +52,10 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio

## Unreleased

### Breaking Changes

- **Authentication:** AAD-Pod-Identity and AWS-KIAM auths have been removed ([#5035](https://github.com/kedacore/keda/issues/5035)|[#5085](https://github.com/kedacore/keda/issues/5085))

### New

- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
Expand All @@ -78,10 +82,6 @@ New deprecation(s):

- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))

### Breaking Changes

- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))

### Other

- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
9 changes: 2 additions & 7 deletions Makefile
Expand Up @@ -268,17 +268,12 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
deploy: install ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/manager && \
$(KUSTOMIZE) edit set image ghcr.io/kedacore/keda=${IMAGE_CONTROLLER} && \
if [ "$(AZURE_RUN_AAD_POD_IDENTITY_TESTS)" = true ]; then \
$(KUSTOMIZE) edit add label --force aadpodidbinding:keda; \
fi && \
if [ "$(AZURE_RUN_WORKLOAD_IDENTITY_TESTS)" = true ]; then \
$(KUSTOMIZE) edit add label --force azure.workload.identity/use:true; \
fi
cd config/metrics-server && \
$(KUSTOMIZE) edit set image ghcr.io/kedacore/keda-metrics-apiserver=${IMAGE_ADAPTER} && \
if [ "$(AZURE_RUN_AAD_POD_IDENTITY_TESTS)" = true ]; then \
$(KUSTOMIZE) edit add label --force aadpodidbinding:keda; \
fi
$(KUSTOMIZE) edit set image ghcr.io/kedacore/keda-metrics-apiserver=${IMAGE_ADAPTER}

if [ "$(AZURE_RUN_WORKLOAD_IDENTITY_TESTS)" = true ]; then \
cd config/service_account && \
$(KUSTOMIZE) edit add label --force azure.workload.identity/use:true; \
8 changes: 2 additions & 6 deletions apis/keda/v1alpha1/triggerauthentication_types.go
Expand Up @@ -121,25 +121,21 @@ type PodIdentityProvider string
// PodIdentityProvider<IDENTITY_PROVIDER> specifies other available Identity providers
const (
PodIdentityProviderNone PodIdentityProvider = "none"
PodIdentityProviderAzure PodIdentityProvider = "azure"
PodIdentityProviderAzureWorkload PodIdentityProvider = "azure-workload"
PodIdentityProviderGCP PodIdentityProvider = "gcp"
PodIdentityProviderAwsEKS PodIdentityProvider = "aws-eks"
PodIdentityProviderAwsKiam PodIdentityProvider = "aws-kiam"
PodIdentityProviderAws PodIdentityProvider = "aws"
)

// PodIdentityAnnotationEKS specifies aws role arn for aws-eks Identity Provider
// PodIdentityAnnotationKiam specifies aws role arn for aws-iam Identity Provider
const (
PodIdentityAnnotationEKS = "eks.amazonaws.com/role-arn"
PodIdentityAnnotationKiam = "iam.amazonaws.com/role"
PodIdentityAnnotationEKS = "eks.amazonaws.com/role-arn"
)

// AuthPodIdentity allows users to select the platform native identity
// mechanism
type AuthPodIdentity struct {
// +kubebuilder:validation:Enum=azure;azure-workload;gcp;aws;aws-eks;aws-kiam;none
// +kubebuilder:validation:Enum=azure-workload;gcp;aws;aws-eks;none
Provider PodIdentityProvider `json:"provider"`

// +optional
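Review bot: Tightening the `+kubebuilder:validation:Enum` marker to `azure-workload;gcp;aws;aws-eks;none` only governs objects the API server validates from now on; TriggerAuthentication and ClusterTriggerAuthentication objects already persisted with `azure` or `aws-kiam` stay in storage and are served unchanged, so the controller can still receive a `Provider` value that no longer matches any constant in this block. A comment on the const block would make that visible to the next maintainer, e.g. `// Values removed in v2.15 ("azure", "aws-kiam") may still be present on objects persisted earlier; consumers must reject an unrecognised provider rather than fall back to "none".` Whether the resolver actually fails closed on an unrecognised provider is outside this hunk and worth confirming.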
2 changes: 1 addition & 1 deletion apis/keda/v1alpha1/triggerauthentication_webhook.go
Expand Up @@ -114,7 +114,7 @@ func isTriggerAuthenticationRemovingFinalizer(om metav1.ObjectMeta, oldOm metav1
func validateSpec(spec *TriggerAuthenticationSpec) (admission.Warnings, error) {
if spec.PodIdentity != nil {
switch spec.PodIdentity.Provider {
case PodIdentityProviderAzure, PodIdentityProviderAzureWorkload:
case PodIdentityProviderAzureWorkload:
if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" {
return nil, fmt.Errorf("identityId of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"")
}
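Review bot: Narrowing the case label to `PodIdentityProviderAzureWorkload` means a stored object still carrying the removed `azure` provider now falls through this switch instead of being validated; if the remaining cases outside the hunk do not cover every enum value and there is no `default`, the webhook relies entirely on the CRD enum for rejection, which does not hold when the webhook and the CRDs are upgraded at different times. A `default:` returning `fmt.Errorf("unsupported podIdentity provider %q", spec.PodIdentity.Provider)` would keep that rejection in the webhook as well. The IdentityID emptiness check on the following line also loses its only tests in this commit (the deleted `validate triggerauthentication when IdentityID is …` cases all used PodIdentityProviderAzure); re-adding them with PodIdentityProviderAzureWorkload would restore that coverage. validateSpec continues outside the hunk.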
82 changes: 0 additions & 82 deletions apis/keda/v1alpha1/triggerauthentication_webhook_test.go
Expand Up @@ -24,47 +24,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

var _ = It("validate triggerauthentication when IdentityID is nil, roleArn is empty and identityOwner is nil", func() {
namespaceName := "nilidentityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, nil, nil, nil, nil)
ta := createTriggerAuthentication("nilidentityidta", namespaceName, "TriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).ShouldNot(HaveOccurred())
})

var _ = It("validate triggerauthentication when IdentityID is empty", func() {
namespaceName := "emptyidentityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

identityID := ""
spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, &identityID, nil, nil, nil)
ta := createTriggerAuthentication("emptyidentityidta", namespaceName, "TriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).Should(HaveOccurred())
})

var _ = It("validate triggerauthentication when IdentityID is not empty", func() {
namespaceName := "identityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

identityID := "12345"
spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, &identityID, nil, nil, nil)
ta := createTriggerAuthentication("identityidta", namespaceName, "TriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).ShouldNot(HaveOccurred())
})

var _ = It("validate triggerauthentication when IdentityTenantID is not nil and not empty", func() {
namespaceName := "identitytenantidta"
namespace := createNamespace(namespaceName)
Expand Down Expand Up @@ -214,47 +173,6 @@ var _ = It("validate triggerauthentication when RoleArn is not empty and Identit
}).ShouldNot(HaveOccurred())
})

var _ = It("validate clustertriggerauthentication when IdentityID is nil", func() {
namespaceName := "clusternilidentityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, nil, nil, nil, nil)
ta := createTriggerAuthentication("clusternilidentityidta", namespaceName, "ClusterTriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).ShouldNot(HaveOccurred())
})

var _ = It("validate clustertriggerauthentication when IdentityID is empty", func() {
namespaceName := "clusteremptyidentityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

identityID := ""
spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, &identityID, nil, nil, nil)
ta := createTriggerAuthentication("clusteremptyidentityidta", namespaceName, "ClusterTriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).Should(HaveOccurred())
})

var _ = It("validate clustertriggerauthentication when IdentityID is not empty", func() {
namespaceName := "clusteridentityid"
namespace := createNamespace(namespaceName)
err := k8sClient.Create(context.Background(), namespace)
Expect(err).ToNot(HaveOccurred())

identityID := "12345"
spec := createTriggerAuthenticationSpecWithPodIdentity(PodIdentityProviderAzure, nil, &identityID, nil, nil, nil)
ta := createTriggerAuthentication("clusteridentityidta", namespaceName, "ClusterTriggerAuthentication", spec)
Eventually(func() error {
return k8sClient.Create(context.Background(), ta)
}).ShouldNot(HaveOccurred())
})

var _ = It("validate clustertriggerauthentication when RoleArn is not empty and IdentityOwner is nil", func() {
namespaceName := "clusterrolearn"
namespace := createNamespace(namespaceName)
8 changes: 0 additions & 8 deletions config/crd/bases/keda.sh_clustertriggerauthentications.yaml
Expand Up @@ -161,12 +161,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -271,12 +269,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -395,12 +391,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -522,12 +516,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
8 changes: 0 additions & 8 deletions config/crd/bases/keda.sh_triggerauthentications.yaml
Expand Up @@ -160,12 +160,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -270,12 +268,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -394,12 +390,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
Expand Down Expand Up @@ -521,12 +515,10 @@ spec:
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure
- azure-workload
- gcp
- aws
- aws-eks
- aws-kiam
- none
type: string
roleArn:
2 changes: 1 addition & 1 deletion pkg/eventemitter/azure_event_grid_topic_handler.go
Expand Up @@ -57,7 +57,7 @@ func NewAzureEventGridTopicHandler(context context.Context, clusterName string,
break
}
client, err = publisher.NewClientWithSharedKeyCredential(spec.Endpoint, azcore.NewKeyCredential(authParams["accessKey"]), nil)
case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload:
case kedav1alpha1.PodIdentityProviderAzureWorkload:
creds, chainedErr := azure.NewChainedCredential(logger, podIdentity.GetIdentityID(), podIdentity.GetIdentityTenantID(), podIdentity.Provider)
if chainedErr != nil {
err = chainedErr
8 changes: 0 additions & 8 deletions pkg/eventemitter/eventemitter.go
Expand Up @@ -42,7 +42,6 @@ import (
logf "sigs.k8s.io/controller-runtime/pkg/log"

eventingv1alpha1 "github.com/kedacore/keda/v2/apis/eventing/v1alpha1"
kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
"github.com/kedacore/keda/v2/pkg/eventemitter/eventdata"
"github.com/kedacore/keda/v2/pkg/metricscollector"
"github.com/kedacore/keda/v2/pkg/scaling/resolver"
Expand Down Expand Up @@ -188,13 +187,6 @@ func (e *EventEmitter) createEventHandlers(ctx context.Context, cloudEventSource

// Resolve auth related
authParams, podIdentity, err := resolver.ResolveAuthRefAndPodIdentity(ctx, e.client, e.log, cloudEventSource.Spec.AuthenticationRef, nil, cloudEventSource.Namespace, e.secretsLister)
switch podIdentity.Provider {
case kedav1alpha1.PodIdentityProviderAzure:
// FIXME: Delete this for v2.15
e.log.Info("WARNING: Azure AD Pod Identity has been archived (https://github.com/Azure/aad-pod-identity#-announcement) and will be removed from KEDA on v2.15")
default:
}

if err != nil {
e.log.Error(err, "error resolving auth params", "cloudEventSource", cloudEventSource)
return
6 changes: 3 additions & 3 deletions pkg/scalers/aws/aws_common.go
Expand Up @@ -61,7 +61,7 @@ func GetAwsConfig(ctx context.Context, awsRegion string, awsAuthorization Author
return awsSharedCredentialsCache.GetCredentials(ctx, metadata.awsRegion, metadata.awsAuthorization)
}

// TODO, remove when aws-kiam and aws-eks are removed
// TODO, remove when aws-eks are removed
configOptions := make([]func(*config.LoadOptions) error, 0)
configOptions = append(configOptions, config.WithRegion(metadata.awsRegion))
cfg, err := config.LoadDefaultConfig(ctx, configOptions...)
Expand All @@ -79,7 +79,7 @@ func GetAwsConfig(ctx context.Context, awsRegion string, awsAuthorization Author
cfg.Credentials = aws.NewCredentialsCache(stsCredentialProvider)
}
return &cfg, err
// END remove when aws-kiam and aws-eks are removed
// END remove when aws-eks are removed
}

// GetAwsAuthorization returns an AuthorizationMetadata based on trigger information
Expand All @@ -97,7 +97,7 @@ func GetAwsAuthorization(uniqueKey string, podIdentity kedav1alpha1.AuthPodIdent
}
// TODO, remove all the logic below and just keep the logic for
// parsing awsAccessKeyID, awsSecretAccessKey and awsSessionToken
// when aws-kiam and aws-eks are removed
// when aws-eks are removed
if triggerMetadata["identityOwner"] == "operator" {
meta.PodIdentityOwner = false
} else if triggerMetadata["identityOwner"] == "" || triggerMetadata["identityOwner"] == "pod" {
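Review bot: The three rewritten TODO comments (`// TODO, remove when aws-eks are removed` at the top of the first hunk, its matching `// END remove when aws-eks are removed` marker, and `// when aws-eks are removed` in GetAwsAuthorization) are left with a singular subject and a plural verb after dropping aws-kiam; `// TODO, remove when aws-eks is removed`, and likewise for the other two, reads correctly. Both GetAwsConfig and GetAwsAuthorization extend beyond their hunks.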