
Keda vault service account token request #6446

Open
wants to merge 8 commits into
base: main
Conversation

BojanZelic
Contributor

@BojanZelic BojanZelic commented Dec 24, 2024

Allows users to authenticate to vault via a service account in the scaledObject's namespace;

ex:

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: my-trigger-auth
  namespace: mynamespace
spec:
...
  hashiCorpVault:
    address: {hashicorp-vault-address}
    credential:
      serviceAccountName: default
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: my-scaled-object
  namespace: mynamespace
spec:
  triggers:
  - authenticationRef:
      name: my-trigger-auth
      kind: TriggerAuthentication
    metadata:
...
```

would use the JWT token from the default service account in the mynamespace namespace

This allows users to set more fine-grained permissions in vault.

Checklist

Fixes #6153

Relates to #
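The exchange the description outlines, as an added example that is not KEDA's code nor part of this PR: a TokenRequest for the service account in the ScaledObject's namespace, bound to a Vault audience with a short TTL, followed by a login at Vault's kubernetes auth backend with that JWT. It talks to the raw REST endpoints with only the standard library; the `vault` audience, the `keda` role name and the endpoint URLs are assumptions, and `client` would normally be the in-cluster client carrying the operator's own credentials.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// postJSON sends in as a JSON body and decodes a 2xx response into out; any other
// outcome (transport failure, 4xx/5xx, bad JSON) is returned to the caller, never swallowed.
func postJSON(client *http.Client, url string, in, out any) error {
	body, err := json.Marshal(in)
	if err != nil {
		return err
	}
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s: unexpected status %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// VaultLogin asks the API server for a short-lived, audience-bound JWT for the service
// account (TokenRequest API) and exchanges it at Vault's kubernetes auth backend (assumed paths).
func VaultLogin(client *http.Client, apiServer, vaultAddr, ns, sa, role string) (string, error) {
	// authentication.k8s.io/v1 TokenRequest: bind the JWT to Vault and keep it short-lived,
	// so a leaked token is neither replayable against other services nor valid for long.
	tokenRequest := map[string]any{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
		"spec": map[string]any{"audiences": []string{"vault"}, "expirationSeconds": 600},
	}
	var tr struct{ Status struct{ Token string `json:"token"` } `json:"status"` }
	url := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token", apiServer, ns, sa)
	if err := postJSON(client, url, tokenRequest, &tr); err != nil {
		return "", fmt.Errorf("token request for %s/%s: %w", ns, sa, err) // every error surfaces
	}
	var res struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	login := map[string]string{"role": role, "jwt": tr.Status.Token} // the JWT is never logged
	if err := postJSON(client, vaultAddr+"/v1/auth/kubernetes/login", login, &res); err != nil {
		return "", fmt.Errorf("vault login as %s/%s: %w", ns, sa, err)
	}
	return res.Auth.ClientToken, nil
}
```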

@BojanZelic BojanZelic requested a review from a team as a code owner December 24, 2024 17:21
},
}

if err := vh.k8sClient.SubResource("token").Create(context.TODO(), sa, tokenRequest); err != nil {
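Review bot: the `context.TODO()` in the `Create` call on the token subresource should be the caller's context, so the request inherits the reconcile loop's cancellation and deadline instead of hanging indefinitely; that also resolves the semgrep finding below. While in the `tokenRequest` built just above, make sure its spec sets `Audiences` to the audience Vault expects and a short `ExpirationSeconds`, so the issued JWT cannot be replayed against other services, and keep the returned token out of log and error messages.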

@semgrep-app semgrep-app bot Dec 24, 2024


Consider using a well-defined context


@SpiritZhou
Contributor

Could you also add some e2e tests?

if err = vh.k8sClient.Get(context.Background(), saName, sa); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive service account name: %s namespace: %s", saName.Name, saName.Namespace))
}
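Review bot: only `IsNotFound` is handled after the `Get` of the service account; any other error (RBAC denied, API server timeout, connection refused) falls through with an unpopulated `sa` and the code carries on. Return on every error, and prefer `fmt.Errorf("failed to retrieve service account %s/%s: %w", saName.Namespace, saName.Name, err)` over `errors.New(fmt.Sprintf(...))` so the cause is wrapped and inspectable with `errors.Is`; "retreive" in the message is also misspelled.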
Contributor


This should return other errors as well.

if err = vh.k8sClient.Get(context.Background(), secretName, secret); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive secret for service account name: %s namespace: %s", secretName.Name, secretName.Namespace))
}
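Review bot: same problem as the service account lookup: a non-NotFound error from `Get` on the secret is silently dropped, so return it wrapped with `%w` and fix the "retreive" typo in the message. Since the PR now obtains a token through the `token` subresource, also check whether reading the long-lived service account token secret is still needed on this path at all; a bound, short-lived token is the safer credential and removes the need for RBAC on secrets.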
Contributor


This should return other errors as well.

@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a8b484a to a5afafe Compare December 31, 2024 21:28
Signed-off-by: Bojan Zelic <[email protected]>
@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a5afafe to bfa2613 Compare December 31, 2024 21:53
@BojanZelic
Contributor Author

@SpiritZhou I fixed the PR from your comments and updated the Helm chart & documentation 🙏 please take a look whenever you get a chance.

@SpiritZhou
Contributor

SpiritZhou commented Jan 21, 2025

/run-e2e hashicorp
Update: You can check the progress here
