Add ability to fetch auth token from k8s secret for HashiCorp Vault

[kmdrn7]

Proposal

Fetch vault token directly from kubernetes Secret object, like how AzureKeyVault does while fetching the clientSecret

Use-Case

In order to use custom credentials for autoscaling purpose, I need to supply custom vault token to the TriggerAuthentication without changing the target Deployment manifest (eg: including the token as env var).
Afaik, I'm only able to do it via plaintext in the manifest like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      token: ====the-token====
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

Can we add the feature to HC Vault resolver so it will be able to fetch the auth token from the kubernetes Secret directly?
updated manifest would be like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      tokenSecret:
        valueFrom:
          secretKeyRef:
            key: token
            name: vault
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

I'm not sure if introducing this new field would result in a breaking change. Therefore, for compatibility reasons, the new field is named tokenSecret instead of token

Is this a feature you are interested in implementing yourself?

Yes

Anything else?

No response

[tomkerkhove]

Fair ask!

Are you willing to contribute this?

[kmdrn7]

Yes, I would like to contribute on this feature

[tomkerkhove]

Wonderful, thank you!

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[zroubalik]

Any update on this please?