2 changes: 1 addition & 1 deletion CHANGELOG.md
@@ -68,7 +68,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio

### New

- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
- **General**: Introduce AWS Systems Manager Parameter Store authentication provider ([#6311](https://github.com/kedacore/keda/issues/6311))

#### Experimental

37 changes: 37 additions & 0 deletions apis/keda/v1alpha1/triggerauthentication_types.go
@@ -102,6 +102,9 @@ type TriggerAuthenticationSpec struct {
// +optional
AwsSecretManager *AwsSecretManager `json:"awsSecretManager,omitempty"`

// +optional
AwsParameterStore *AwsParameterStore `json:"awsParameterStore,omitempty"`

// +optional
BoundServiceAccountToken []BoundServiceAccountToken `json:"boundServiceAccountToken,omitempty"`
}
@@ -398,6 +401,40 @@ type AwsSecretManagerSecret struct {
SecretKey string `json:"secretKey,omitempty"`
}

// AwsParameterStore is used to authenticate using AWS Systems Manager Parameter Store
type AwsParameterStore struct {
// +kubebuilder:validation:MinItems=1
Parameters []AwsParameterStoreParameter `json:"parameters"`
// +optional
Credentials *AwsParameterStoreCredentials `json:"credentials"`

Member: Should omitempty appear here too?

Author: I believe omitempty isn't needed for pointers; the same pattern is used here.

Member: Could you include the line number in the reference, so I can check exactly which one you mean?

// +optional
PodIdentity *AuthPodIdentity `json:"podIdentity"`

Member: Should omitempty appear here too?

Author: I believe omitempty isn't needed for pointers; the same pattern is used here.

// +optional
Region string `json:"region,omitempty"`
}

type AwsParameterStoreCredentials struct {
AccessKey *AwsParameterStoreValue `json:"accessKey"`
AccessSecretKey *AwsParameterStoreValue `json:"accessSecretKey"`
// +optional
AccessToken *AwsParameterStoreValue `json:"accessToken,omitempty"`
}

type AwsParameterStoreValue struct {
ValueFrom ValueFromSecret `json:"valueFrom"`
}

// WithDecryption defaults to true if not specified.
// For SecureString parameters, this must be true to retrieve the plaintext value.
// Set to false for SecureString parameters to retrieve the encrypted value.
// For String parameters, this setting has no effect.
type AwsParameterStoreParameter struct {
Parameter string `json:"parameter"`
Name string `json:"name"`
// +optional
WithDecryption *bool `json:"withDecryption,omitempty"`

Member: Can you add a comment here to clarify what omitting WithDecryption (leaving it nil) means? Users likely need to set this to true to get the plaintext, right?

Author: That's updated.

}

type BoundServiceAccountToken struct {
Parameter string `json:"parameter"`
ServiceAccountName string `json:"serviceAccountName"`
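Review bot: the comment block starting "WithDecryption defaults to true if not specified." sits on `type AwsParameterStoreParameter struct`, so controller-gen emits it as the description of the whole `parameters` item rather than of the `withDecryption` field; move those four lines directly above `WithDecryption *bool `json:"withDecryption,omitempty"`` and give the type its own one-line comment. While there, document `Parameter string `json:"parameter"`` and `Name string `json:"name"``, since nothing in the hunk says which one is the SSM parameter name and which is the trigger parameter it populates. On the omitempty thread above: `Credentials` and `PodIdentity` are marked `+optional` but have no `omitempty`, so a nil pointer is still serialised by encoding/json as `"credentials": null` / `"podIdentity": null`, whereas the sibling `AccessToken` and `Region` fields do carry it; whichever way this is resolved, the two styles should at least be consistent within the struct. Finally, neither the comments nor the markers say what happens when both `credentials` and `podIdentity` are set, or when `region` is empty; a sentence in the doc comment (or a validation rule) would save users a trip to the source.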
136 changes: 136 additions & 0 deletions config/crd/bases/keda.sh_clustertriggerauthentications.yaml
@@ -67,6 +67,142 @@ spec:
spec:
description: TriggerAuthenticationSpec defines the various ways to authenticate
properties:
awsParameterStore:
description: AwsParameterStore is used to authenticate using AWS Systems
Manager Parameter Store
properties:
credentials:
properties:
accessKey:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
accessSecretKey:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
accessToken:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
required:
- accessKey
- accessSecretKey
type: object
parameters:
items:
description: |-
WithDecryption defaults to true if not specified.
For SecureString parameters, this must be true to retrieve the plaintext value.
Set to false for SecureString parameters to retrieve the encrypted value.
For String parameters, this setting has no effect.
properties:
name:
type: string
parameter:
type: string
withDecryption:
type: boolean
required:
- name
- parameter
type: object
minItems: 1
type: array
podIdentity:
description: |-
AuthPodIdentity allows users to select the platform native identity
mechanism
properties:
identityAuthorityHost:
description: Set identityAuthorityHost to override the default
Azure authority host. If this is set, then the IdentityTenantID
must also be set
type: string
identityId:
type: string
identityOwner:
description: IdentityOwner configures which identity has to
be used during auto discovery, keda or the scaled workload.
Mutually exclusive with roleArn
enum:
- keda
- workload
type: string
identityTenantId:
description: Set identityTenantId to override the default
Azure tenant id. If this is set, then the IdentityID must
also be set
type: string
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure-workload
- gcp
- aws
- aws-eks
- none
type: string
roleArn:
description: RoleArn sets the AWS RoleArn to be used. Mutually
exclusive with IdentityOwner
type: string
required:
- provider
type: object
region:
type: string
required:
- parameters
type: object
awsSecretManager:
description: AwsSecretManager is used to authenticate using AwsSecretManager
properties:
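Review bot: the generated `parameters.items.description` reads "WithDecryption defaults to true if not specified. For SecureString parameters, this must be true ..." because that text is attached to the Go type rather than to the `withDecryption` field; once the comment is moved in triggerauthentication_types.go, regenerate the CRDs with controller-gen so this file and keda.sh_triggerauthentications.yaml (which carries the identical hunk) pick up the corrected descriptions. Note also that the schema has `withDecryption: type: boolean` with no `default: true`, so "defaults to true" is a controller-side default rather than one applied by the API server; that is acceptable as long as the resolver treats nil as true, but a `+kubebuilder:default=true` marker on the field would make the stored object self-describing.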
136 changes: 136 additions & 0 deletions config/crd/bases/keda.sh_triggerauthentications.yaml
@@ -63,6 +63,142 @@ spec:
spec:
description: TriggerAuthenticationSpec defines the various ways to authenticate
properties:
awsParameterStore:
description: AwsParameterStore is used to authenticate using AWS Systems
Manager Parameter Store
properties:
credentials:
properties:
accessKey:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
accessSecretKey:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
accessToken:
properties:
valueFrom:
properties:
secretKeyRef:
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- secretKeyRef
type: object
required:
- valueFrom
type: object
required:
- accessKey
- accessSecretKey
type: object
parameters:
items:
description: |-
WithDecryption defaults to true if not specified.
For SecureString parameters, this must be true to retrieve the plaintext value.
Set to false for SecureString parameters to retrieve the encrypted value.
For String parameters, this setting has no effect.
properties:
name:
type: string
parameter:
type: string
withDecryption:
type: boolean
required:
- name
- parameter
type: object
minItems: 1
type: array
podIdentity:
description: |-
AuthPodIdentity allows users to select the platform native identity
mechanism
properties:
identityAuthorityHost:
description: Set identityAuthorityHost to override the default
Azure authority host. If this is set, then the IdentityTenantID
must also be set
type: string
identityId:
type: string
identityOwner:
description: IdentityOwner configures which identity has to
be used during auto discovery, keda or the scaled workload.
Mutually exclusive with roleArn
enum:
- keda
- workload
type: string
identityTenantId:
description: Set identityTenantId to override the default
Azure tenant id. If this is set, then the IdentityID must
also be set
type: string
provider:
description: PodIdentityProvider contains the list of providers
enum:
- azure-workload
- gcp
- aws
- aws-eks
- none
type: string
roleArn:
description: RoleArn sets the AWS RoleArn to be used. Mutually
exclusive with IdentityOwner
type: string
required:
- provider
type: object
region:
type: string
required:
- parameters
type: object
awsSecretManager:
description: AwsSecretManager is used to authenticate using AwsSecretManager
properties:
3 changes: 3 additions & 0 deletions go.mod
@@ -57,6 +57,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/kinesis v1.43.5
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5
github.com/aws/aws-sdk-go-v2/service/sqs v1.42.25
github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3
github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
github.com/beanstalkd/go-beanstalk v0.2.0
github.com/bradleyfalzon/ghinstallation/v2 v2.18.0
@@ -147,6 +148,8 @@ require (
sigs.k8s.io/kustomize/kustomize/v5 v5.8.1
)

require github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3

require (
cel.dev/expr v0.25.1 // indirect
cloud.google.com/go v0.123.0 // indirect
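Review bot: `github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3` is now required twice: once inside the main require block next to `secretsmanager` and `sqs`, and again as the standalone line `require github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3` inserted between the two blocks. Drop the standalone line and run `go mod tidy` so only the grouped entry remains and go.mod stays canonical; go.sum is unaffected since it already lists the module once.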
2 changes: 2 additions & 0 deletions go.sum
@@ -189,6 +189,8 @@ github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1K
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
github.com/aws/aws-sdk-go-v2/service/sqs v1.42.25 h1:8Bv3TQ1Cob6HLlpUbAnWxeHhAkYScJO9RIHh2WPXaxw=
github.com/aws/aws-sdk-go-v2/service/sqs v1.42.25/go.mod h1:eDstEbM0OEnBUnNQxIA7j74Jy61cCU1S4EMlCtdMwzs=
github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 h1:bBoWhx8lsFLTXintRX64ZBXcmFZbGqUmaPUrjXECqIc=
github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3/go.mod h1:rcRkKbUJ2437WuXdq9fbj+MjTudYWzY9Ct8kiBbN8a8=
github.com/aws/aws-sdk-go-v2/service/sso v1.11.18/go.mod h1:ytmEi5+qwcSNcV2pVA8PIb1DnKT/0Bu/K4nfJHwoM6c=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=