Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow using secretRef for hashicorpVault auth #6143

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Allow using secretRef for hashicorpVault auth #6143

wants to merge 5 commits into from

Conversation

dttung2905
Copy link
Contributor

@dttung2905 dttung2905 commented Sep 7, 2024
edited
Loading

Allow referring to a k8s secret that contain hashicorp Vault token. Similar to AzureKeyVault and AWSSecretManager https://keda.sh/docs/2.15/concepts/authentication/#re-use-credentials-and-delegate-auth-with-triggerauthentication

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: {trigger-authentication-name}
  namespace: default # must be same namespace as the ScaledObject
spec:
  podIdentity:
      provider: none | azure-workload | aws | aws-eks | gcp  # Optional. Default: none
      identityId: <identity-id>                                           # Optional. Only used by azure & azure-workload providers.
      roleArn: <role-arn>                                                 # Optional. Only used by aws provider.
      identityOwner: keda|workload                                        # Optional. Only used by aws provider.
  secretTargetRef:                                                        # Optional.
  - parameter: {scaledObject-parameter-name}                              # Required.
    name: {secret-name}                                                   # Required.
    key: {secret-key-name}                                                # Required.
  env:                                                                    # Optional.
  - parameter: {scaledObject-parameter-name}                              # Required.
    name: {env-name}                                                      # Required.
    containerName: {container-name}                                       # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
  hashiCorpVault:                                                         # Optional.
    address: {hashicorp-vault-address}                                    # Required.
    namespace: {hashicorp-vault-namespace}                                # Optional. Default is root namespace. Useful for Vault Enterprise
    authentication: token | kubernetes                                    # Required.
    role: {hashicorp-vault-role}                                          # Optional.
    mount: {hashicorp-vault-mount}                                        # Optional.
    credential:                                                           # Optional.
      token: {hashicorp-vault-token}                                      # Optional.
      serviceAccount: {path-to-service-account-file}                      # Optional.
+     tokenSecret:                                                        # Optional.
+       valueFrom:                                                        # Required.
+         secretKeyRef:                                                   # Required.
+           name: {my-secret}                                             # Required.
+           key: {my-key}                                                 # Required.
    secrets:                                                              # Required.
    - parameter: {scaledObject-parameter-name}                            # Required.
      key: {hashicorp-vault-secret-key-name}                               # Required.
      path: {hashicorp-vault-secret-path}

TODO

  • Create new test
  • Add Changelog
  • Add PR to doc

Checklist

Fixes #6026

@dttung2905 dttung2905 requested a review from a team as a code owner September 7, 2024 22:11
@semgrep-app semgrep-app
Copy link

semgrep-app bot commented Sep 7, 2024

Semgrep found 8 context-todo findings:

Consider to use well-defined context

Ignore this finding from context-todo.

@dttung2905 dttung2905 force-pushed the hashicorp-vault-auth-from-secretref branch 2 times, most recently from 0d3435c to bbae0b0 Compare October 28, 2024 22:53
@dttung2905 dttung2905 force-pushed the hashicorp-vault-auth-from-secretref branch from 59d5df0 to dce9397 Compare November 11, 2024 21:37
semgrep-app[bot]
semgrep-app bot reviewed Nov 18, 2024
View reviewed changes
pkg/scaling/resolver/hashicorpvault_handler_test.go
},
}
vaultHandler := NewHashicorpVaultHandler(&vault)
err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider to use well-defined context

Ignore this finding from context-todo.

@dttung2905
DCO signing
667d301 
Signed-off-by: dttung2905 <[email protected]>
@dttung2905
Add generated crd yaml def
80b6dde 
Signed-off-by: dttung2905 <[email protected]>
@dttung2905
Add CHANGELOG.md
30be545 
Signed-off-by: dttung2905 <[email protected]>
@dttung2905
Add basic initialization test
c506a57 
Signed-off-by: dttung2905 <[email protected]>
@dttung2905
Add e2e test
7d4775c 
Signed-off-by: dttung2905 <[email protected]>
@dttung2905 dttung2905 force-pushed the hashicorp-vault-auth-from-secretref branch from 0003f49 to 7d4775c Compare January 14, 2025 23:04
@JorTurFer
Copy link
Member

I see that you have pushed changes this week, are you still working or I can review it?

@dttung2905
Copy link
Contributor Author

@JorTurFer I think I'm done. Could you help to review it? So sorry I had a busy Christmas so I'm trying to work on the E2E test as you mentioned in the previous stand up

@dttung2905 dttung2905 changed the title WIP: Allow using secretRef for hashicorpVault auth Allow using secretRef for hashicorpVault auth Jan 21, 2025
@stale Stale
Copy link

stale bot commented Mar 23, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Mar 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@semgrep-app semgrep-app[bot] semgrep-app[bot] left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
stale All issues that are marked as stale due to inactivity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Hashicorp vault auth allow tokens directly set in TriggerAuthentication
2 participants
@dttung2905 @JorTurFer