improve: hashicorp token management

[raviand]

feat(hashicorp-vault): Support token from a secret

What's Changed
Added a new field, tokenSecretRef, to the HashiCorp Vault credentials configuration.

This new field allows users to specify a Kubernetes secret containing the Vault token.

The existing token string field will be used as a fallback if tokenSecretRef is not provided.

Why This Is Important
Previously, the HashiCorp Vault token had to be provided directly as a string in the KEDA configuration. This is not a recommended security practice for production environments, as it can expose sensitive information.

This change introduces a more secure way to manage the token by leveraging Kubernetes secrets. This aligns with best practices for handling credentials within a Kubernetes cluster.

How to Use It
Users can now configure their trigger with either the existing token field or the new tokenSecret field. For example:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: {trigger-authentication-mame}
  namespace: default
spec:
  hashiCorpVault:
    address: {hashicorp-vault-address}
    authentication: token
    credential:
      tokenSecretRef: 
        name: {secret-name}
        key: {secret-key}
        parameter: "key"
    secrets:
      - key: "ca_chain"
        parameter: "ca"
        path: {hashicorp-vault-secret-path}
        type: pki
        pki_data:
          common_name: {hashicorp-vault-secret-pkidata-commonName}

In the example above, secret-name and secret-key point to the secret containing the token.

Checklist

• When introducing a new scaler, I agree with the scaling governance policy
• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added
• Changelog has been updated and is aligned with our changelog requirements
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Issue 6026: Hashicorp vault auth allow tokens directly set in TriggerAuthentication

Fixes #

Helm chart PR change: kedacore/charts#774
Relates to #

[github-actions]

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

[semgrep-app]

Semgrep found 8 context-todo findings:

• pkg/scaling/resolver/hashicorpvault_handler_test.go
  • L104 - Triage
  • L193 - Triage
  • L334 - Triage
  • L371 - Triage
  • L409 - Triage
  • L428 - Triage
  • L497 - Triage
  • L701 - Triage

Consider to use well-defined context

[JorTurFer]

nice fix! Could we cover the new token source in the e2e test?

[raviand]

nice fix! Could we cover the new token source in the e2e test?

Im trying to add the e2e test case, but maybe I'm pointing to the wrong direction. I'm having this error after creating a test case where I thought was the right place
pipeline failed
This is the change made

if Im not in the right place, pls gide me a bit here,

[raviand]

/run-e2e

[SpiritZhou]

/run-e2e hashicorp_vault
Update: You can check the progress here

[raviand]

/run-e2e hashicorp_vault

[JorTurFer]

/run-e2e hashicorp_vault
Update: You can check the progress here

[JorTurFer]

/run-e2e hashicorp_vault

Only KEDA colleagues can trigger e2e tests :P

[zroubalik]

/run-e2e hashicorp_vault
Update: You can check the progress here

[zroubalik]

There's a conflict and also the e2e test fails