Managed Identity Support for CosmosDB External Scaler (#86)

* Update scaler metadata

Signed-off-by: Vighnesh Shenoy <[email protected]>

* Update cosmos client to use credentials

Signed-off-by: Vighnesh Shenoy <[email protected]>

* Update docs

Signed-off-by: Vighnesh Shenoy <[email protected]>

* Fix serialization and update tests

Signed-off-by: Vighnesh Shenoy <[email protected]>

* fix MI client

Signed-off-by: Nitisha Bhandari <[email protected]>

* Update deployment file

Signed-off-by: Nitisha Bhandari <[email protected]>

* Update demo project to use MSI

Signed-off-by: Nitisha Bhandari <[email protected]>

* Add back constring

Signed-off-by: Nitisha Bhandari <[email protected]>

* minor changes

Signed-off-by: Nitisha Bhandari <[email protected]>

* Update demo project

Signed-off-by: Nitisha Bhandari <[email protected]>

* Update readme

Signed-off-by: Nitisha Bhandari <[email protected]>

* Address review comments

Signed-off-by: Nitisha Bhandari <[email protected]>

* pr feedback

Signed-off-by: Nitisha Bhandari <[email protected]>

* documentation updates

Signed-off-by: Nitisha Bhandari <[email protected]>

* chore(deps): update nuget packages (#79)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Nitisha Bhandari <[email protected]>

* fix merge

Signed-off-by: Nitisha Bhandari <[email protected]>

* refactor getcosmosclientwithmetadata

Signed-off-by: Nitisha Bhandari <[email protected]>

* add connection string validation

Signed-off-by: Nitisha Bhandari <[email protected]>

* fix exception

Signed-off-by: Nitisha Bhandari <[email protected]>

* fix appsettings

Signed-off-by: Nitisha Bhandari <[email protected]>

* fix appsettings

Signed-off-by: Nitisha Bhandari <[email protected]>

* minor readme changes

Signed-off-by: Nitisha Bhandari <[email protected]>

* Revert OrderGenerator to use connstrings

Signed-off-by: Nitisha Bhandari <[email protected]>

* minor update

Signed-off-by: Nitisha Bhandari <[email protected]>

* remove generator sample aks file

Signed-off-by: Nitisha Bhandari <[email protected]>

* Add instructions to scaler deploy manifest

Signed-off-by: Nitisha Bhandari <[email protected]>

* add tests for clientid

Signed-off-by: Nitisha Bhandari <[email protected]>

* update readme comment

Signed-off-by: Nitisha Bhandari <[email protected]>

* PR feedback

Signed-off-by: Nitisha Bhandari <[email protected]>

* update app name

Signed-off-by: Nitisha Bhandari <[email protected]>

* add azure identity package

Signed-off-by: Nitisha Bhandari <[email protected]>

---------

Signed-off-by: Vighnesh Shenoy <[email protected]>
Signed-off-by: Nitisha Bhandari <[email protected]>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: ni-bhandari <[email protected]>
Co-authored-by: Vighnesh Shenoy <[email protected]>
Co-authored-by: Vishal Gupta <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: 4 people

README.md

@@ -55,7 +55,7 @@ The external scaler calls Cosmos DB APIs to estimate the amount of changes pendi
 
 Create `ScaledObject` resource that contains the information about your application (the scale target), the external scaler service, Cosmos DB containers, and other scaling configuration values. Check [`ScaledObject` specification](https://keda.sh/docs/concepts/scaling-deployments/) and [`External` trigger specification](https://keda.sh/docs/scalers/external/) for information on different properties supported for `ScaledObject` and their allowed values.
 
-You can use file `deploy/deploy-scaledobject.yaml` as a template for creating the `ScaledObject`. The trigger metadata properties required to use the external scaler for Cosmos DB are described in [Trigger Specification](#trigger-specification) section below.
+You can use the files in the `deploy` folder as templates for creating `ScaledObject`s. The trigger metadata properties required to use the external scaler for Cosmos DB are described in [Trigger Specification](#trigger-specification) section below.
 
 > **Note:** If you are having trouble setting up the external scaler or the listener application, the step-by-step instructions for [deploying the sample application](./src/Scaler.Demo/README.md) might help.
 
@@ -68,31 +68,40 @@ The specification below describes the `trigger` metadata in `ScaledObject` resou
     - type: external
       metadata:
         scalerAddress: external-scaler-azure-cosmos-db.keda:4050    # Mandatory. Address of the external scaler service.
-        connectionFromEnv: <env-variable-for-connection>            # Mandatory. Environment variable for the connection string of Cosmos DB account with monitored container.
+
+        # Database & Container properties
         databaseId: <database-id>                                   # Mandatory. ID of Cosmos DB database containing monitored container.
         containerId: <container-id>                                 # Mandatory. ID of monitored container.
-        leaseConnectionFromEnv: <env-variable-for-lease-connection> # Mandatory. Environment variable for the connection string of Cosmos DB account with lease container.
         leaseDatabaseId: <lease-database-id>                        # Mandatory. ID of Cosmos DB database containing lease container.
         leaseContainerId: <lease-container-id>                      # Mandatory. ID of lease container.
+
+        # Connection String properties.
+        connectionFromEnv: <env-variable-for-connection>            # Optional. Environment variable for the connection string of Cosmos DB account with monitored container.
+        leaseConnectionFromEnv: <env-variable-for-lease-connection> # Optional. Environment variable for the connection string of Cosmos DB account with lease container.
+
+        # Managed Identity properties.
+        endpoint: <endpoint>                                        # Optional. Account endpoint of the CosmosDB account containing the monitored container.
+        leaseEndpoint: <lease-endpoint>                             # Optional. Account endpoint of the CosmosDB account containing the lease container.
+        clientId: <client-Id>                                       # Optional. Client ID of the identity to be used. If this is not provided, the azure.workload.identity is used.
+
         processorName: <processor-name>                             # Mandatory. Name of change-feed processor used by listener application.
 ```
 
 ### Parameter List
 
 - **`scalerAddress`** - Address of the external scaler service. This would be in format `<scaler-name>.<scaler-namespace>:<port>`. If you installed Azure Cosmos DB external scaler Helm chart in `keda` namespace and did not specify custom values, the metadata value would be `external-scaler-azure-cosmos-db.keda:4050`.
-
-- **`connectionFromEnv`** - Name of the environment variable on the scale target to read the connection string of the Cosmos DB account that contains the monitored container.
-
-- **`databaseId`** - ID of Cosmos DB database that contains the monitored container.
-
-- **`containerId`** - ID of the monitored container.
-
-- **`leaseConnectionFromEnv`** - Name of the environment variable on the scale target to read the connection string of the Cosmos DB account that contains the lease container. This can be same or different from the value of `connection` metadata.
-
-- **`leaseDatabaseId`** - ID of Cosmos DB database that contains the lease container. This can be same or different from the value of `databaseId` metadata.
-
-- **`leaseContainerId`** - ID of the lease container containing the change feeds.
-
+- **Database & Container Properties:**
+  - **`databaseId`** - ID of Cosmos DB database that contains the monitored container.
+  - **`containerId`** - ID of the monitored container.
+  - **`leaseDatabaseId`** - ID of Cosmos DB database that contains the lease container. This can be same or different from the value of `databaseId` metadata.
+  - **`leaseContainerId`** - ID of the lease container containing the change feeds.
+- **Connection String Properties:**
+  - **`connectionFromEnv`** - Name of the environment variable on the scale target to read the connection string of the Cosmos DB account that contains the monitored container. You can also opt for an identity-based connection instead, refer to the `endpoint` property.
+  - **`leaseConnectionFromEnv`** - Name of the environment variable on the scale target to read the connection string of the Cosmos DB account that contains the lease container. This can be same or different from the value of `connection` metadata. You can also opt for an identity-based connection instead, refer to the `leaseEndpoint` property. If left null, `connection` value of the monitored container is used.
+- **Managed Identity Properties:**
+  - **`endpoint`** - Account endpoint of the CosmosDB account containing the monitored container.
+  - **`leaseEndpoint`** - Account endpoint of the CosmosDB account containing the lease container. This can be same or different from the value of `endpoint` metadata. If left null, `endpoint` value of the monitored container is used.
+  - **`clientId`** - ClientId of the identity to be used. If this is not provided, the azure.workload.identity is used.
 - **`processorName`** - Name of change-feed processor used by listener application. For more information on this, you can refer to [Implementing the change feed processor](https://docs.microsoft.com/azure/cosmos-db/sql/change-feed-processor#implementing-the-change-feed-processor) section.
 
-> **Note** Ideally, we would have created `TriggerAuthentication` resource that would have prevented us from adding the connection strings in plain text in the `ScaledObject` trigger metadata. However, this is not possible since at the moment, the triggers of `external` type do not support referencing a `TriggerAuthentication` resource ([link](https://keda.sh/docs/scalers/external/#authentication-parameters)).
+> **Note** Ideally, we would have created `TriggerAuthentication` resource that would have prevented us from adding the connection strings in plain text in the `ScaledObject` trigger metadata. However, this is not possible since at the moment, the triggers of `external` type do not support referencing a `TriggerAuthentication` resource ([link](https://keda.sh/docs/scalers/external/#authentication-parameters)).

deploy/deploy-scaledobject.yaml renamed to deploy/deploy-scaledobject-cs.yaml

@@ -1,4 +1,4 @@
-# Template scaled-object for using KEDA external scaler for Azure Cosmos DB.
+# Template scaled-object for using KEDA external scaler for Azure Cosmos DB, using connection strings.
 
 apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
@@ -13,10 +13,10 @@ spec:
     - type: external
       metadata:
         scalerAddress: external-scaler-azure-cosmos-db.keda:4050
-        connectionFromEnv: <env-variable-for-connection-string-of-monitored-container-account>
         databaseId: <database-id>
         containerId: <container-id>
-        leaseConnectionFromEnv: <env-variable-for-connection-string-of-lease-container-account>
         leaseDatabaseId: <lease-database-id>
         leaseContainerId: <lease-container-id>
+        connectionFromEnv: <env-variable-for-connection-string-of-monitored-container-account>
+        leaseConnectionFromEnv: <env-variable-for-connection-string-of-lease-container-account>
         processorName: <processor-name>

deploy/deploy-scaledobject-mi.yaml

@@ -0,0 +1,23 @@
+# Template scaled-object for using KEDA external scaler for Azure Cosmos DB, using managed identity.
+
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: <scaledobject-name>
+  namespace: default
+spec:
+  pollingInterval: 20
+  scaleTargetRef:
+    name: <application-deployment-name>
+  triggers:
+    - type: external
+      metadata:
+        scalerAddress: external-scaler-azure-cosmos-db.keda:4050
+        databaseId: <database-id>
+        containerId: <container-id>
+        leaseDatabaseId: <lease-database-id>
+        leaseContainerId: <lease-container-id>
+        endpoint: <endpoint>
+        leaseEndpoint: <lease-endpoint>
+        clientId: <client-id>
+        processorName: <processor-name>

deploy/service-account-mi.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: <service-account-name>  
+  annotations:
+    azure.workload.identity/client-id: <client-id>
+    azure.workload.identity/tenant-id: <tenant-id>

src/Scaler.Demo/OrderGenerator/Program.cs

@@ -157,4 +157,4 @@ private static async Task TeardownAsync()
             Console.WriteLine("Done!");
         }
     }
-}
+}

src/Scaler.Demo/OrderGenerator/appsettings.json

@@ -1,8 +1,8 @@
 {
   "CosmosDbConfig": {
-    "Connection": "<connection-string-of-monitored-container-account>",
+    "Connection": "<connection-string-or-endpoint-of-monitored-container-account>",
     "DatabaseId": "StoreDatabase",
     "ContainerId": "OrderContainer",
-    "ContainerThroughput": 11000
+    "ContainerThroughput": 400
   }
 }

src/Scaler.Demo/OrderProcessor/Worker.cs

@@ -17,6 +17,8 @@ internal sealed class Worker : BackgroundService
 
         private ChangeFeedProcessor _processor;
 
+        public static string _applicationName = "cosmosdb-order-processor";
+
         public Worker(CosmosDbConfig cosmosDbConfig, ILogger<Worker> logger)
         {
             _cosmosDbConfig = cosmosDbConfig ?? throw new ArgumentNullException(nameof(cosmosDbConfig));
@@ -25,19 +27,24 @@ public Worker(CosmosDbConfig cosmosDbConfig, ILogger<Worker> logger)
 
         public override async Task StartAsync(CancellationToken cancellationToken)
         {
-            Database leaseDatabase = await new CosmosClient(_cosmosDbConfig.LeaseConnection)
+            Database leaseDatabase = await DemoHelper.CreateCosmosClient(
+                    _cosmosDbConfig.Connection,
+                    !string.IsNullOrWhiteSpace(_cosmosDbConfig.MsiClientId),
+                    _cosmosDbConfig.MsiClientId, _applicationName)
                 .CreateDatabaseIfNotExistsAsync(_cosmosDbConfig.LeaseDatabaseId, cancellationToken: cancellationToken);
 
             Container leaseContainer = await leaseDatabase
                 .CreateContainerIfNotExistsAsync(
                     new ContainerProperties(_cosmosDbConfig.LeaseContainerId, partitionKeyPath: "/id"),
-                    throughput: 400,
                     cancellationToken: cancellationToken);
 
             // Change feed processor instance name should be unique for each container application.
             string instanceName = $"Instance-{Dns.GetHostName()}";
 
-            _processor = new CosmosClient(_cosmosDbConfig.Connection)
+            _processor = DemoHelper.CreateCosmosClient(
+                    _cosmosDbConfig.Connection,
+                    !string.IsNullOrWhiteSpace(_cosmosDbConfig.MsiClientId),
+                    _cosmosDbConfig.MsiClientId, _applicationName)
                 .GetContainer(_cosmosDbConfig.DatabaseId, _cosmosDbConfig.ContainerId)
                 .GetChangeFeedProcessorBuilder<Order>(_cosmosDbConfig.ProcessorName, ProcessOrdersAsync)
                 .WithInstanceName(instanceName)

src/Scaler.Demo/OrderProcessor/appsettings.json

@@ -7,10 +7,10 @@
     }
   },
   "CosmosDbConfig": {
-    "Connection": "<connection-string-of-monitored-container-account>",
+    "Connection": "<connection-string-or-endpoint-of-monitored-container-account>",
     "DatabaseId": "StoreDatabase",
     "ContainerId": "OrderContainer",
-    "LeaseConnection": "<connection-string-of-lease-container-account>",
+    "LeaseConnection": "<connection-string-or-endpoint-of-lease-container-account>",
     "LeaseDatabaseId": "StoreDatabase",
     "LeaseContainerId": "OrderProcessorLeases",
     "ProcessorName": "OrderProcessor"

src/Scaler.Demo/OrderProcessor/deploy-scaledobject.yaml

@@ -22,3 +22,6 @@ spec:
         leaseDatabaseId: StoreDatabase
         leaseContainerId: OrderProcessorLeases
         processorName: OrderProcessor
+        endpoint: "<cosmosdb-endpoint>"
+        leaseEndpoint: "<cosmosdb-endpoint>"
+        clientId: "<client-id>"

src/Scaler.Demo/OrderProcessor/deploy.yaml

@@ -14,13 +14,27 @@ spec:
     metadata:
       labels:
         app: cosmosdb-order-processor
+        azure.workload.identity/use: "true"
     spec:
+      serviceAccountName: <service-account-name>
       containers:
         - name: cosmosdb-order-processor
           image: <docker-id>/cosmosdb-order-processor:latest
           imagePullPolicy: Always
           env:
-            - name: CosmosDbConfig__Connection
-              value: <connection-string-of-monitored-container>
-            - name: CosmosDbConfig__LeaseConnection
-              value: <connection-string-of-lease-container>
+            - name: CosmosDbConfig__Connection                  # if using MSI, use account endpoint
+              value: <connection-string-or-endpoint-of-monitored-container>
+            - name: CosmosDbConfig__LeaseConnection             # if using MSI, use lease account endpoint
+              value: <connection-string-or-endpoint-of-lease-container>
+            - name: CosmosDbConfig__MsiClientId
+              value: "<client-id-if-using-mi>"
+            - name: CosmosDbConfig__DatabaseId
+              value: "StoreDatabase"
+            - name: CosmosDbConfig__ContainerId
+              value: "OrderContainer"
+            - name: CosmosDbConfig__LeaseDatabaseId
+              value: "StoreDatabase"
+            - name: CosmosDbConfig__LeaseContainerId
+              value: "OrderProcessorLeases"
+            - name: CosmosDbConfig__ProcessorName
+              value: "OrderProcessor"