Add ability to fetch auth token from k8s secret for HashiCorp Vault #5194

Open
@kmdrn7

Proposal

Fetch the Vault token directly from a Kubernetes Secret object, like AzureKeyVault does when fetching the clientSecret.

Use-Case

In order to use custom credentials for autoscaling purposes, I need to supply a custom Vault token to the TriggerAuthentication without changing the target Deployment manifest (e.g. including the token as an env var).
AFAIK, I'm only able to do it via plaintext in the manifest, like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      token: ====the-token====
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

Can we add the feature to the HC Vault resolver so it will be able to fetch the auth token from the Kubernetes Secret directly?
The updated manifest would look like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      tokenSecret:
        valueFrom:
          secretKeyRef:
            key: token
            name: vault
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

I'm not sure if introducing this new field would result in a breaking change. Therefore, for compatibility reasons, the new field is named tokenSecret instead of token.

Is this a feature you are interested in implementing yourself?

Yes

Anything else?

No response
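
One way the lookup proposed in this issue could behave, as an added example that is not part of the issue and not KEDA's code. The Go type names, the SecretReader function type, the sample data and the choice to reject manifests that set both token and tokenSecret are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types mirroring the manifest fields in the issue (not KEDA's API types).
type SecretKeyRef struct{ Name, Key string }
type Credential struct {
	Token       string        // existing inline field: plaintext in the manifest
	TokenSecret *SecretKeyRef // proposed: tokenSecret.valueFrom.secretKeyRef
}

// SecretReader stands in for a Kubernetes Secret lookup (assumed interface).
type SecretReader func(namespace, name string) (map[string][]byte, error)

// ResolveToken takes the token from exactly one source; both set is an error (assumed policy).
func ResolveToken(c Credential, ns string, read SecretReader) (string, error) {
	switch {
	case c.Token != "" && c.TokenSecret != nil:
		return "", errors.New("set either token or tokenSecret, not both")
	case c.TokenSecret != nil:
		data, err := read(ns, c.TokenSecret.Name)
		if err != nil {
			return "", fmt.Errorf("read secret %s/%s: %w", ns, c.TokenSecret.Name, err)
		}
		v, ok := data[c.TokenSecret.Key]
		if !ok || len(v) == 0 {
			return "", fmt.Errorf("secret %s/%s: key %q missing or empty", ns, c.TokenSecret.Name, c.TokenSecret.Key)
		}
		return string(v), nil
	case c.Token != "":
		return c.Token, nil // existing manifests keep working
	}
	return "", errors.New("no vault token configured")
}

// sampleReader serves constructed data: Secret "vault" in namespace "default".
func sampleReader(ns, name string) (map[string][]byte, error) {
	if ns == "default" && name == "vault" {
		return map[string][]byte{"token": []byte("constructed-token")}, nil
	}
	return nil, errors.New("secret not found")
}

func main() {
	tok, err := ResolveToken(Credential{TokenSecret: &SecretKeyRef{Name: "vault", Key: "token"}}, "default", sampleReader)
	fmt.Println(len(tok), err) // print the length, never the token itself
}
```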

Labels: feature, needs-discussion
