keda: Workload Identity on Azure stopped working on 2.9.2

Report

Took 2.9.2 for a quick ride. Configuration is:

  • workload identity enabled: true
  • Pod Identity enabled: false

Expected Behavior

Identity should work as it did for version 2.8.1.

Actual Behavior

There is a regression in the code where Azure Workload Identity does not work any more without Pod Identity.

Steps to Reproduce the Problem

  1. Install KEDA 2.9.2 with Workload Identity enabled but without Pod Identity:

     podIdentity:
       activeDirectory:
         identity: ""
       azureWorkload:
         enabled: true
         clientId: "some_client_id"
         tenantId: "some_tenant_id"

     You will see the error below; KEDA cannot authenticate.

  2. Go back to KEDA 2.8.1; all works fine.

Logs from KEDA operator

2023-01-16T20:18:09Z	ERROR	scalers_cache	error getting scale decision	{"scaledobject.Name": "app-scaler", "scaledObject.Namespace": "app", "scaleTarget.Name": "app-deploy", "error": "GET https://workload.servicebus.windows.net/app-queue\n--------------------------------------------------------------------------------\nRESPONSE 401: 401 Unauthorized\nERROR CODE: 401\n--------------------------------------------------------------------------------\n<Error><Code>401</Code><Detail>Manage,EntityRead claims required for this operation. TrackingId:e7629186-6733-4ff9-b463-840bda671846_G31, SystemTracker:workload.servicebus.windows.net:app-queue, Timestamp:2023-01-16T20:18:09</Detail></Error>\n--------------------------------------------------------------------------------\n"}
github.com/kedacore/keda/v2/pkg/scaling/cache.(*ScalersCache).GetScaledObjectState
	/workspace/pkg/scaling/cache/scalers_cache.go:155
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).checkScalers
	/workspace/pkg/scaling/scale_handler.go:360
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).startScaleLoop
	/workspace/pkg/scaling/scale_handler.go:162

KEDA Version

2.9.2

Kubernetes Version

1.24

Platform

Microsoft Azure

Scaler Details

Azure Service Bus

Anything else?

I know there was a bug fix to merge some Pod Identity + Workload Identity; make sure the tests cover cases where:

  • WIF is on, Pod Identity is off.
  • Pod Identity is on, WIF is off.
  • Both are on.
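
A triage helper for the failure shown in the operator log above, as an added example (not part of the original issue and not KEDA code): it parses tab-separated operator log lines, keeps scaler errors whose embedded HTTP response is 401 or 403, and extracts the missing claims and TrackingId. The sample lines are constructed in the shape of the log quoted in the report; the function name `auth_failures` and the output field names are assumptions.

```python
import json
import re

# Constructed sample in the shape of the operator log quoted in the report
# (tab-separated fields, JSON context last). The TrackingId is a placeholder.
_ERR = (
    "GET https://workload.servicebus.windows.net/app-queue\n"
    "RESPONSE 401: 401 Unauthorized\nERROR CODE: 401\n"
    "<Error><Code>401</Code><Detail>Manage,EntityRead claims required for this "
    "operation. TrackingId:00000000-0000-0000-0000-000000000000_G0, "
    "SystemTracker:workload.servicebus.windows.net:app-queue</Detail></Error>\n"
)
SAMPLE_LOG = "\n".join([
    "2023-01-16T20:18:09Z\tERROR\tscalers_cache\terror getting scale decision\t"
    + json.dumps({"scaledobject.Name": "app-scaler",
                  "scaledObject.Namespace": "app", "error": _ERR}),
    "2023-01-16T20:18:10Z\tINFO\tsetup\tStarting manager",
    "github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).checkScalers",
])

REQUEST = re.compile(r"^[A-Z]+ (?P<url>https://\S+)", re.M)
STATUS = re.compile(r"^RESPONSE (?P<status>\d{3}):", re.M)
CLAIMS = re.compile(r"<Detail>(?P<claims>[A-Za-z,]+) claims required")
TRACKING = re.compile(r"TrackingId:(?P<id>[^,\s<]+)")

def auth_failures(log_text):
    """Return one dict per ERROR line whose embedded HTTP response is 401/403."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        # Stack-trace lines and entries without a JSON context are skipped.
        if len(fields) < 5 or fields[1] != "ERROR":
            continue
        try:
            ctx = json.loads(fields[4])
        except json.JSONDecodeError:
            continue
        err = ctx.get("error", "")
        status = STATUS.search(err)
        if not status or status["status"] not in ("401", "403"):
            continue
        req, claims, track = REQUEST.search(err), CLAIMS.search(err), TRACKING.search(err)
        findings.append({
            "time": fields[0],
            "scaled_object": f'{ctx.get("scaledObject.Namespace")}/{ctx.get("scaledobject.Name")}',
            "status": int(status["status"]),
            "url": req["url"] if req else None,
            "missing_claims": claims["claims"].split(",") if claims else [],
            "tracking_id": track["id"] if track else None,
        })
    return findings
```

The TrackingId extracted here is the value to quote when asking Azure support to correlate the rejected request.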

About this issue

  • State: closed
  • Created a year ago
  • Comments: 21 (13 by maintainers)

Most upvoted comments

@tomkerkhove @JorTurFer: I can confirm now, after several days with this version, that it's stable and working in all modes:

  • workload identity turned on
  • pod identity turned on
  • mixed mode: KEDA has workload identity + pod identity and the trigger authentication uses PodIdentity.

All combinations worked with no issues.

@JorTurFer: gladly, I’m on it now, will let you know soon.

False alarm! Sorry for this misleading information - the cluster was configured incorrectly. The experiment begins now for the next 24H and it looks good!

Stay tuned.