deprecation ADAL init 2

config/manager/kustomization.yaml

@@ -8,3 +8,5 @@ images:
 - name: ghcr.io/kedacore/keda
   newName: ghcr.io/kedacore/keda
   newTag: main
+commonLabels:
+  azure.workload.identity/use: "true"

config/service_account/kustomization.yaml

@@ -3,3 +3,8 @@ resources:
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+commonLabels:
+  azure.workload.identity/use: "true"
+commonAnnotations:
+  azure.workload.identity/client-id: ""
+  azure.workload.identity/tenant-id: ""

go.mod

@@ -172,8 +172,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
 	github.com/Azure/go-amqp v1.1.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect

go.sum

@@ -1340,8 +1340,6 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
 git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
-github.com/Azure/azure-amqp-common-go/v4 v4.2.0 h1:q/jLx1KJ8xeI8XGfkOWMN9XrXzAfVTkyvCxPvHCjd2I=
-github.com/Azure/azure-amqp-common-go/v4 v4.2.0/go.mod h1:GD3m/WPPma+621UaU6KNjKEo5Hl09z86viKwQjTpV0Q=
 github.com/Azure/azure-kusto-go v0.16.1 h1:vCBWcQghmC1qIErUUgVNWHxGhZVStu1U/hki6iBA14k=
 github.com/Azure/azure-kusto-go v0.16.1/go.mod h1:9F2zvXH8B6eWzgI1S4k1ZXAIufnBZ1bv1cW1kB1n3D0=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
@@ -1384,17 +1382,11 @@ github.com/Azure/go-amqp v1.1.0 h1:XUhx5f4lZFVf6LQc5kBUFECW0iJW9VLxKCYrBeGwl0U=
 github.com/Azure/go-amqp v1.1.0/go.mod h1:vZAogwdrkbyK3Mla8m/CxSc/aKdnTZ4IbPxl51Y5WZE=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
 github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
 github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
-github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
 github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=
 github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
@@ -1604,8 +1596,6 @@ github.com/dennwc/varint v1.0.0 h1:kGNFFSSw8ToIy3obO/kKr8U9GZYUAxQEVuix4zfDWzE=
 github.com/dennwc/varint v1.0.0/go.mod h1:hnItb35rvZvJrbTALZtY/iQfDs48JKRG1RPpgziApxA=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
-github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=

pkg/scalers/azure/azure_aad_workload_identity.go

@@ -19,16 +19,11 @@ package azure
 import (
 	"context"
 	"fmt"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
 	"os"
 	"strconv"
 	"strings"
-	"time"
-
-	amqpAuth "github.com/Azure/azure-amqp-common-go/v4/auth"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
-	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
 )
 
 // Azure AD Workload Identity Webhook will inject the following environment variables.
@@ -128,24 +123,6 @@ func getScopedResource(resource string) string {
 	return resource
 }
 
-type ADWorkloadIdentityConfig struct {
-	ctx                   context.Context
-	IdentityID            string
-	IdentityTenantID      string
-	IdentityAuthorityHost string
-	Resource              string
-}
-
-func NewAzureADWorkloadIdentityConfig(ctx context.Context, identityID, identityTenantID, identityAuthorityHost, resource string) auth.AuthorizerConfig {
-	return ADWorkloadIdentityConfig{ctx: ctx, IdentityID: identityID, IdentityTenantID: identityTenantID, IdentityAuthorityHost: identityAuthorityHost, Resource: resource}
-}
-
-// Authorizer implements the auth.AuthorizerConfig interface
-func (aadWiConfig ADWorkloadIdentityConfig) Authorizer() (autorest.Authorizer, error) {
-	return autorest.NewBearerAuthorizer(NewAzureADWorkloadIdentityTokenProvider(
-		aadWiConfig.ctx, aadWiConfig.IdentityID, aadWiConfig.IdentityTenantID, aadWiConfig.IdentityAuthorityHost, aadWiConfig.Resource)), nil
-}
-
 func NewADWorkloadIdentityCredential(identityID, identityTenantID string) (*azidentity.WorkloadIdentityCredential, error) {
 	options := &azidentity.WorkloadIdentityCredentialOptions{}
 	if identityID != "" {
@@ -156,61 +133,3 @@ func NewADWorkloadIdentityCredential(identityID, identityTenantID string) (*azid
 	}
 	return azidentity.NewWorkloadIdentityCredential(options)
 }
-
-// ADWorkloadIdentityTokenProvider is a type that implements the adal.OAuthTokenProvider and adal.Refresher interfaces.
-// The OAuthTokenProvider interface is used by the BearerAuthorizer to get the token when preparing the HTTP Header.
-// The Refresher interface is used by the BearerAuthorizer to refresh the token.
-type ADWorkloadIdentityTokenProvider struct {
-	ctx                   context.Context
-	IdentityID            string
-	IdentityTenantID      string
-	IdentityAuthorityHost string
-	Resource              string
-	aadToken              AADToken
-}
-
-func NewAzureADWorkloadIdentityTokenProvider(ctx context.Context, identityID, identityTenantID, identityAuthorityHost, resource string) *ADWorkloadIdentityTokenProvider {
-	return &ADWorkloadIdentityTokenProvider{ctx: ctx, IdentityID: identityID, IdentityTenantID: identityTenantID, IdentityAuthorityHost: identityAuthorityHost, Resource: resource}
-}
-
-// OAuthToken is for implementing the adal.OAuthTokenProvider interface. It returns the current access token.
-func (wiTokenProvider *ADWorkloadIdentityTokenProvider) OAuthToken() string {
-	return wiTokenProvider.aadToken.AccessToken
-}
-
-// Refresh is for implementing the adal.Refresher interface
-func (wiTokenProvider *ADWorkloadIdentityTokenProvider) Refresh() error {
-	if time.Now().Before(wiTokenProvider.aadToken.ExpiresOnTimeObject) {
-		return nil
-	}
-
-	aadToken, err := GetAzureADWorkloadIdentityToken(wiTokenProvider.ctx, wiTokenProvider.IdentityID, wiTokenProvider.IdentityTenantID, wiTokenProvider.IdentityAuthorityHost, wiTokenProvider.Resource)
-	if err != nil {
-		return err
-	}
-
-	wiTokenProvider.aadToken = aadToken
-	return nil
-}
-
-// RefreshExchange is for implementing the adal.Refresher interface
-func (wiTokenProvider *ADWorkloadIdentityTokenProvider) RefreshExchange(resource string) error {
-	wiTokenProvider.Resource = resource
-	return wiTokenProvider.Refresh()
-}
-
-// EnsureFresh is for implementing the adal.Refresher interface
-func (wiTokenProvider *ADWorkloadIdentityTokenProvider) EnsureFresh() error {
-	return wiTokenProvider.Refresh()
-}
-
-// GetToken is for implementing the auth.TokenProvider interface
-func (wiTokenProvider *ADWorkloadIdentityTokenProvider) GetToken(_ string) (*amqpAuth.Token, error) {
-	err := wiTokenProvider.Refresh()
-	if err != nil {
-		return nil, err
-	}
-
-	return amqpAuth.NewToken(amqpAuth.CBSTokenTypeJWT, wiTokenProvider.aadToken.AccessToken,
-		wiTokenProvider.aadToken.ExpiresOn), nil
-}

pkg/scalers/azure/azure_app_insights.go

@@ -8,7 +8,6 @@ import (
 	"strings"
 
 	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
@@ -59,18 +58,18 @@ func toISO8601(time string) (string, error) {
 	return fmt.Sprintf("PT%02dH%02dM", hours, minutes), nil
 }
 
-func getAuthConfig(ctx context.Context, info AppInsightsInfo, podIdentity kedav1alpha1.AuthPodIdentity) auth.AuthorizerConfig {
-	switch podIdentity.Provider {
-	case "", kedav1alpha1.PodIdentityProviderNone:
-		config := auth.NewClientCredentialsConfig(info.ClientID, info.ClientPassword, info.TenantID)
-		config.Resource = info.AppInsightsResourceURL
-		config.AADEndpoint = info.ActiveDirectoryEndpoint
-		return config
-	case kedav1alpha1.PodIdentityProviderAzureWorkload:
-		return NewAzureADWorkloadIdentityConfig(ctx, podIdentity.GetIdentityID(), podIdentity.GetIdentityTenantID(), podIdentity.GetIdentityAuthorityHost(), info.AppInsightsResourceURL)
-	}
-	return nil
-}
+//func getAuthConfig(ctx context.Context, info AppInsightsInfo, podIdentity kedav1alpha1.AuthPodIdentity) auth.AuthorizerConfig {
+//	switch podIdentity.Provider {
+//	case "", kedav1alpha1.PodIdentityProviderNone:
+//		config := auth.NewClientCredentialsConfig(info.ClientID, info.ClientPassword, info.TenantID)
+//		config.Resource = info.AppInsightsResourceURL
+//		config.AADEndpoint = info.ActiveDirectoryEndpoint
+//		return config
+//	case kedav1alpha1.PodIdentityProviderAzureWorkload:
+//		return NewAzureADWorkloadIdentityConfig(ctx, podIdentity.GetIdentityID(), podIdentity.GetIdentityTenantID(), podIdentity.GetIdentityAuthorityHost(), info.AppInsightsResourceURL)
+//	}
+//	return nil
+//}
 
 func extractAppInsightValue(info AppInsightsInfo, metric ApplicationInsightsMetric) (float64, error) {
 	if _, ok := metric.Value[info.MetricID]; !ok {
@@ -111,8 +110,11 @@ func queryParamsForAppInsightsRequest(info AppInsightsInfo) (map[string]interfac
 
 // GetAzureAppInsightsMetricValue returns the value of an Azure App Insights metric, rounded to the nearest int
 func GetAzureAppInsightsMetricValue(ctx context.Context, info AppInsightsInfo, podIdentity kedav1alpha1.AuthPodIdentity, ignoreNullValues bool) (float64, error) {
-	config := getAuthConfig(ctx, info, podIdentity)
-	authorizer, err := config.Authorizer()
+
+	//config := getAuthConfig(ctx, info, podIdentity)
+
+	token, err := GetAzureADWorkloadIdentityToken(ctx, info.ClientID, info.TenantID, "", info.AppInsightsResourceURL)
+	//MSAL get Token here instead of the config
 	if err != nil {
 		return -1, err
 	}
@@ -129,7 +131,8 @@ func GetAzureAppInsightsMetricValue(ctx context.Context, info AppInsightsInfo, p
 		autorest.WithPath("metrics"),
 		autorest.WithPath(info.MetricID),
 		autorest.WithQueryParameters(queryParams),
-		authorizer.WithAuthorization())
+		// MSAL here, use the autorest.WithBearerAuthorization(token)
+		autorest.WithBearerAuthorization(token.AccessToken))
 	if err != nil {
 		return -1, err
 	}

pkg/scalers/azure/azure_app_insights_test.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"testing"
 
-	"github.com/Azure/go-autorest/autorest/azure/auth"
-
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
 )
 
@@ -88,23 +86,17 @@ var testAppInsightsAuthConfigData = []testAppInsightsAuthConfigTestData{
 	{"azure workload identity", workloadIdentityConfig, AppInsightsInfo{}, kedav1alpha1.PodIdentityProviderAzureWorkload},
 }
 
-func TestAzAppInfoGetAuthConfig(t *testing.T) {
+func TestAzAppInfoGetToken(t *testing.T) {
 	for _, testData := range testAppInsightsAuthConfigData {
-		authConfig := getAuthConfig(context.TODO(), testData.info, kedav1alpha1.AuthPodIdentity{Provider: testData.podIdentity})
-		switch testData.config {
-		case msiConfig:
-			if _, ok := authConfig.(auth.MSIConfig); !ok {
-				t.Errorf("Test %v; incorrect auth config. expected MSI config", testData.testName)
-			}
-		case clientCredentialsConfig:
-			if _, ok := authConfig.(auth.ClientCredentialsConfig); !ok {
-				t.Errorf("Test: %v; incorrect auth config. expected client credentials config", testData.testName)
-			}
-		case workloadIdentityConfig:
-			if _, ok := authConfig.(ADWorkloadIdentityConfig); !ok {
-				t.Errorf("Test: %v; incorrect auth config. expected ad workload identity config", testData.testName)
-			}
+		authToken, err := GetAzureADWorkloadIdentityToken(context.TODO(), testData.info.ClientID, testData.info.TenantID, "", testData.info.AppInsightsResourceURL)
+
+		if err != nil {
+			t.Errorf("Test %v; Expected success but got error: %v", testData.testName, err)
+		}
+		if authToken.AccessToken == "" {
+			t.Errorf("Test %v; Expected token but got empty token: %v", testData.testName, authToken)
 		}
+		t.Logf("Test %v; data: %v, token: %v", testData.testName, testData.info, authToken)
 	}
 }