Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keda vault service account token request #6446

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Keda vault service account token request #6446

wants to merge 7 commits into from

Conversation

BojanZelic
Copy link
Contributor

@BojanZelic BojanZelic commented Dec 24, 2024
edited
Loading

TODO;

Still have to add documentation & helm chart

Allows users to authenticate to vault via a service account in the scaledObject's namespace;

ex:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: my-trigger-auth
  namespace: mynamespace
spec:
...
  hashiCorpVault:
    address: {hashicorp-vault-address}
    credential:
      serviceAccountName: default

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: my-scaled-object
  namespace: mynamespace
spec:
  triggers:
  - authenticationRef:
      name: my-trigger-auth
      kind: TriggerAuthentication
    metadata:
...

would use the JWT token from the default service account in the mynamespace namespace

This allows users to set more fine-grained permissions in vault.

Checklist

Fixes # #6153

Relates to #

@BojanZelic BojanZelic requested a review from a team as a code owner December 24, 2024 17:21
semgrep-app[bot]
semgrep-app bot reviewed Dec 24, 2024
View reviewed changes
pkg/scaling/resolver/hashicorpvault_handler.go Outdated
},
}

if err := vh.k8sClient.SubResource("token").Create(context.TODO(), sa, tokenRequest); err != nil {
Copy link

@semgrep-app semgrep-app bot Dec 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider to use well-defined context

Ignore this finding from context-todo.

@SpiritZhou
Copy link
Contributor

Could you also add some e2e tests?

SpiritZhou
SpiritZhou reviewed Dec 25, 2024
View reviewed changes
pkg/scaling/resolver/hashicorpvault_handler.go Outdated
if err = vh.k8sClient.Get(context.Background(), saName, sa); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive service account name: %s namespace: %s", saName.Name, saName.Namespace))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here should return other errs as well.

SpiritZhou
SpiritZhou reviewed Dec 25, 2024
View reviewed changes
pkg/scaling/resolver/hashicorpvault_handler.go Outdated
if err = vh.k8sClient.Get(context.Background(), secretName, secret); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive secret for service account name: %s namespace: %s", secretName.Name, secretName.Namespace))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here should return other errs as well.

@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a8b484a to a5afafe Compare December 31, 2024 21:28
@BojanZelic
add e2e test
bfa2613 
Signed-off-by: Bojan Zelic <[email protected]>
@BojanZelic BojanZelic force-pushed the keda-vault-service-account-token-request branch from a5afafe to bfa2613 Compare December 31, 2024 21:53
@BojanZelic
Copy link
Contributor Author

@SpiritZhou I fixed the PR from your comments and updated the helmchart & documentation 🙏 please take a look whenever you get a chance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@semgrep-app semgrep-app[bot] semgrep-app[bot] left review comments

@SpiritZhou SpiritZhou SpiritZhou left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BojanZelic @SpiritZhou