@BojanZelic
Contributor

@BojanZelic BojanZelic commented Dec 24, 2024

Allows users to authenticate to vault via a service account in the scaledObject's namespace;

ex:

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: my-trigger-auth
  namespace: mynamespace
spec:
  # ...
  hashiCorpVault:
    address: {hashicorp-vault-address}
    credential:
      serviceAccountName: default
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: my-scaled-object
  namespace: mynamespace
spec:
  triggers:
  - authenticationRef:
      name: my-trigger-auth
      kind: TriggerAuthentication
    metadata:
      # ...
```

would use the JWT token from the default service account in the mynamespace namespace

This allows users to set more fine-grained permissions in vault.

Checklist

Fixes #6153

Relates to #
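
An added example, not part of the PR or of KEDA's code, modelling why a token from the ScaledObject's own namespace permits finer-grained Vault roles: the token's `sub` claim names the namespace and service account, and a Vault Kubernetes auth role can bind to exactly that pair. Vault itself validates the token through the Kubernetes TokenReview API; `Subject`, `Bound`, `SampleToken` and the namespace `othernamespace` are assumptions made for this sketch, and the sample token is constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Bound models a Vault role list such as bound_service_account_namespaces; "*" admits any value.
func Bound(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// Subject splits the "sub" claim of a service account JWT, which has the form
// system:serviceaccount:<namespace>:<name>. Hypothetical helper: no signature check.
func Subject(jwt string) (string, string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", "", fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	var claims struct{ Sub string `json:"sub"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	f := strings.Split(claims.Sub, ":")
	if err != nil || len(f) != 4 || f[0] != "system" || f[1] != "serviceaccount" || f[2] == "" || f[3] == "" {
		return "", "", fmt.Errorf("no service account subject (sub=%q, err=%v)", claims.Sub, err)
	}
	return f[2], f[3], nil
}

// SampleToken builds a constructed, unsigned token; real ones are signed by the cluster.
func SampleToken(ns, name string) string {
	p, _ := json.Marshal(map[string]string{"sub": "system:serviceaccount:" + ns + ":" + name})
	return "e30." + base64.RawURLEncoding.EncodeToString(p) + ".sig"
}

func main() {
	for _, ns := range []string{"mynamespace", "othernamespace"} {
		n, sa, err := Subject(SampleToken(ns, "default"))
		fmt.Println(n, sa, err, Bound([]string{"mynamespace"}, n) && Bound([]string{"default"}, sa))
	}
}
```

A role bound only to `mynamespace` admits the first token and rejects the second, which a single shared operator identity could not distinguish.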

@BojanZelic BojanZelic requested a review from a team as a code owner December 24, 2024 17:21
@SpiritZhou
Contributor

Could you also add some e2e tests?

@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a8b484a to a5afafe Compare December 31, 2024 21:28
Signed-off-by: Bojan Zelic <[email protected]>
@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a5afafe to bfa2613 Compare December 31, 2024 21:53
@BojanZelic
Contributor Author

@SpiritZhou I fixed the PR from your comments and updated the helmchart & documentation 🙏 please take a look whenever you get a chance.

@SpiritZhou
Contributor

SpiritZhou commented Jan 21, 2025

/run-e2e hashicorp
Update: You can check the progress here

@zroubalik zroubalik changed the title Keda vault service account token request KEDA Hashicorp vault service account token request Feb 6, 2025
Member

@JorTurFer JorTurFer left a comment

LGTM! The only point I have is the one related to the other PR adding support for the same API for other usage.

Member

@wozniakjan wozniakjan left a comment

lgtm, thank you!

@wozniakjan
Member

wozniakjan commented Apr 15, 2025

/run-e2e secret
Update: You can check the progress here

Co-authored-by: Jan Wozniak <[email protected]>
Signed-off-by: Bojan Zelic <[email protected]>
@BojanZelic
Contributor Author

@wozniakjan I had a file rename as part of the PR that shouldn't have been there (fixed in f414b39) and the e2e tests were failing. I think they should be good now 🤞

@wozniakjan
Member

wozniakjan commented Apr 16, 2025

/run-e2e hashicorp_vault
Update: You can check the progress here

@BojanZelic
Contributor Author

@zroubalik any thoughts for getting this PR merged?

@stale

stale bot commented Jul 1, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Jul 1, 2025
…ub.com:BojanZelic/keda into keda-vault-service-account-token-request
@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Jul 2, 2025
@rickbrouwer
Member

rickbrouwer commented Jul 22, 2025

/run-e2e hashicorp_vault
Update: You can check the progress here

@wozniakjan wozniakjan mentioned this pull request Jul 10, 2025
22 tasks
Member

@zroubalik zroubalik left a comment

Once docs PR is resolved, we can merge.

Thanks!

@rickbrouwer
Member

rickbrouwer commented Aug 23, 2025

/run-e2e hashicorp_vault
Update: You can check the progress here

@rickbrouwer
Member

Hi @BojanZelic, I see there is a merge conflict

@BojanZelic BojanZelic requested a review from a team as a code owner September 2, 2025 19:43
@keda-automation keda-automation requested a review from a team September 2, 2025 19:44
…ub.com:BojanZelic/keda into keda-vault-service-account-token-request

Signed-off-by: Bojan Zelic <[email protected]>
Signed-off-by: Bojan Zelic <[email protected]>
@wozniakjan
Member

wozniakjan commented Sep 12, 2025

/run-e2e hashicorp_vault
Update: You can check the progress here

@wozniakjan wozniakjan enabled auto-merge (squash) September 12, 2025 12:55
@wozniakjan wozniakjan merged commit e5397c8 into kedacore:main Sep 15, 2025
24 checks passed
jmickey pushed a commit to jmickey/keda that referenced this pull request Sep 30, 2025
* General: Vault authentication via cross-namespace service accounts

Signed-off-by: Bojan Zelic <[email protected]>

* General: Vault authentication via cross-namespace service accounts

Signed-off-by: Bojan Zelic <[email protected]>

* General: Vault authentication via cross-namespace service accounts

Signed-off-by: Bojan Zelic <[email protected]>

* General: Vault authentication via cross-namespace service accounts

Signed-off-by: Bojan Zelic <[email protected]>

* add e2e test

Signed-off-by: Bojan Zelic <[email protected]>

* combine logic to retrieve service account tokens

Signed-off-by: Bojan Zelic <[email protected]>

* combine logic to retrieve service account tokens

Signed-off-by: Bojan Zelic <[email protected]>

* combine logic to retrieve service account tokens

Signed-off-by: Bojan Zelic <[email protected]>

* Update CHANGELOG.md

Signed-off-by: Bojan Zelic <[email protected]>

* Update pkg/scaling/resolver/hashicorpvault_handler.go

Co-authored-by: Jan Wozniak <[email protected]>
Signed-off-by: Bojan Zelic <[email protected]>

* Rename patch_operator.yaml to patch_operator.yml

Signed-off-by: Bojan Zelic <[email protected]>

* fix order of changelog

Signed-off-by: Bojan Zelic <[email protected]>

* Update CHANGELOG.md

Signed-off-by: Bojan Zelic <[email protected]>

---------

Signed-off-by: Bojan Zelic <[email protected]>
Co-authored-by: Jan Wozniak <[email protected]>
Co-authored-by: Zbynek Roubalik <[email protected]>
alt-dima pushed a commit to alt-dima/keda that referenced this pull request Dec 13, 2025
Signed-off-by: Dmitriy Altuhov <[email protected]>
tangobango5 pushed a commit to tangobango5/keda that referenced this pull request Dec 22, 2025