KEDA Hashicorp vault service account token request #6446

Open
wants to merge 8 commits into main
Conversation

@BojanZelic (Contributor) commented Dec 24, 2024

Allows users to authenticate to Vault via a service account in the ScaledObject's namespace.

ex:

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: my-trigger-auth
  namespace: mynamespace
spec:
...
  hashiCorpVault:
    address: {hashicorp-vault-address}
    credential:
      serviceAccountName: default
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: my-scaled-object
  namespace: mynamespace
spec:
  triggers:
  - authenticationRef:
      name: my-trigger-auth
      kind: TriggerAuthentication
    metadata:
...
```

would use the JWT token from the default service account in the mynamespace namespace.

This allows users to set more fine-grained permissions in Vault.

Checklist

Fixes #6153

Relates to #

@BojanZelic BojanZelic requested a review from a team as a code owner December 24, 2024 17:21
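The flow the PR description sketches (request a bound token for the service account in the ScaledObject's namespace, then present that JWT to Vault's Kubernetes auth method) as an added example written for this page; it is not code from the KEDA PR or the KEDA code base. It uses only the Go standard library: the real TokenRequest endpoint and Vault's login endpoint are replaced by constructed httptest stand-ins, the role name `keda-role`, the audience `vault`, the 600-second TTL and the token format are assumptions, and the fake Vault skips signature verification and models only the bound-namespace/bound-service-account/audience check that is what gives the fine-grained permissions the author mentions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenRequest: authentication.k8s.io/v1 wire shape (only the fields used here); spec.audiences
// and spec.expirationSeconds are what make the issued JWT audience-bound and short-lived.
type TokenRequest struct {
	APIVersion string `json:"apiVersion,omitempty"`
	Kind       string `json:"kind,omitempty"`
	Spec       struct {
		Audiences         []string `json:"audiences"`
		ExpirationSeconds int64    `json:"expirationSeconds"`
	} `json:"spec"`
	Status struct{ Token string `json:"token"` } `json:"status"`
}

// postJSON POSTs v as JSON, requires HTTP status want, and decodes the reply into out.
func postJSON(url string, v, out any, want int) error {
	body, _ := json.Marshal(v)
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		return fmt.Errorf("POST %s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// RequestSAToken calls the service account's "token" subresource and returns status.token.
func RequestSAToken(apiURL, ns, sa, audience string, ttl int64) (string, error) {
	var tr TokenRequest
	tr.APIVersion, tr.Kind = "authentication.k8s.io/v1", "TokenRequest"
	tr.Spec.Audiences, tr.Spec.ExpirationSeconds = []string{audience}, ttl
	url := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token", apiURL, ns, sa)
	err := postJSON(url, tr, &tr, http.StatusCreated)
	return tr.Status.Token, err
}

// VaultLogin POSTs {"role","jwt"} to Vault's Kubernetes auth method and returns auth.client_token.
func VaultLogin(vaultURL, role, jwt string) (string, error) {
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	err := postJSON(vaultURL+"/v1/auth/kubernetes/login", map[string]string{"role": role, "jwt": jwt}, &out, http.StatusOK)
	return out.Auth.ClientToken, err
}

// fakeAPIServer: constructed stand-in for the TokenRequest endpoint; it mints an UNSIGNED JWT whose sub/aud carry the ns:sa binding (a real apiserver signs with the cluster's SA key).
func fakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // api v1 namespaces NS serviceaccounts SA token
		var in TokenRequest
		if len(p) != 7 || p[6] != "token" || json.NewDecoder(r.Body).Decode(&in) != nil || len(in.Spec.Audiences) == 0 {
			http.Error(w, "bad token request", http.StatusBadRequest)
			return
		}
		claims, _ := json.Marshal(map[string]any{"sub": "system:serviceaccount:" + p[3] + ":" + p[5], "aud": in.Spec.Audiences})
		in.Status.Token = "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString(claims) + "."
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(in)
	}))
}

// fakeVault: constructed stand-in for a Vault Kubernetes auth role with bound_service_account_names, bound_service_account_namespaces and audience set; real Vault verifies the JWT signature before this check.
func fakeVault(role, boundNS, boundSA, audience string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Role, JWT string }            // encoding/json matches "role"/"jwt" case-insensitively
		var claims struct{ Sub string; Aud []string } // likewise "sub"/"aud"
		_ = json.NewDecoder(r.Body).Decode(&in)
		if segs := strings.Split(in.JWT, "."); len(segs) == 3 {
			raw, _ := base64.RawURLEncoding.DecodeString(segs[1])
			_ = json.Unmarshal(raw, &claims)
		}
		if in.Role != role || claims.Sub != "system:serviceaccount:"+boundNS+":"+boundSA || len(claims.Aud) != 1 || claims.Aud[0] != audience {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, `{"auth":{"client_token":"hvs.demo-%s-%s"}}`, boundNS, boundSA)
	}))
}

// AuthenticateViaSA runs the flow end to end against the fakes (role and audience names are hypothetical).
func AuthenticateViaSA(ns, sa string) (string, error) {
	api, vault := fakeAPIServer(), fakeVault("keda-role", "mynamespace", "default", "vault")
	defer func() { api.Close(); vault.Close() }()
	jwt, err := RequestSAToken(api.URL, ns, sa, "vault", 600)
	if err != nil {
		return "", err
	}
	return VaultLogin(vault.URL, "keda-role", jwt)
}
```

AuthenticateViaSA("mynamespace", "default") returns the constructed client token, while AuthenticateViaSA("othernamespace", "default") fails with HTTP 403 from the fake Vault, because the role binds exactly one namespace:name pair; that per-namespace binding, plus the audience and TTL in the TokenRequest, is why a projected token is preferable to a long-lived service account secret. Against a real cluster and Vault only RequestSAToken and VaultLogin are involved, with the apiserver URL, bearer credentials and TLS configuration supplied by the normal client.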
},
}

if err := vh.k8sClient.SubResource("token").Create(context.TODO(), sa, tokenRequest); err != nil {
@semgrep-app bot commented Dec 24, 2024

Consider using a well-defined context.

Ignore this finding from context-todo.
@SpiritZhou (Contributor)

Could you also add some e2e tests?

if err = vh.k8sClient.Get(context.Background(), saName, sa); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive service account name: %s namespace: %s", saName.Name, saName.Namespace))
}
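Review bot: Only the not-found case returns from this `vh.k8sClient.Get` error branch, so any other error (forbidden, timeout, connection refused) falls through and the code continues with an empty `sa`; return on every error and wrap the cause, e.g. `return token, fmt.Errorf("failed to retrieve service account %s/%s: %w", saName.Namespace, saName.Name, err)`, which also replaces the `errors.New(fmt.Sprintf(...))` pattern and fixes the "retreive" typo in the message.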
Contributor

This should return other errors as well.

if err = vh.k8sClient.Get(context.Background(), secretName, secret); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive secret for service account name: %s namespace: %s", secretName.Name, secretName.Namespace))
}
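Review bot: Same fall-through as the service account lookup above: a non-NotFound error from this `Get` leaves `secret` empty and execution continues; return and wrap every error with `fmt.Errorf(...: %w, err)` and correct "retreive" to "retrieve" in the message.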
Contributor

This should return other errors as well.

@BojanZelic force-pushed the keda-vault-service-account-token-request branch from a8b484a to a5afafe on December 31, 2024 21:28
Signed-off-by: Bojan Zelic <[email protected]>
@BojanZelic force-pushed the keda-vault-service-account-token-request branch from a5afafe to bfa2613 on December 31, 2024 21:53
@BojanZelic (Contributor, Author)

@SpiritZhou I fixed the PR from your comments and updated the Helm chart & documentation 🙏 please take a look whenever you get a chance.

@SpiritZhou (Contributor) commented Jan 21, 2025

/run-e2e hashicorp
Update: You can check the progress here

@zroubalik zroubalik changed the title Keda vault service account token request KEDA Hashicorp vault service account token request Feb 6, 2025
@JorTurFer (Member) left a comment

LGTM! The only point I have is the one related to the other PR adding support for the same API for other usage.

if err != nil {
return token, err
if vh.vault.Credential.ServiceAccountName != "" {
// generate token from namespace
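Review bot: The comment `// generate token from namespace` on the `ServiceAccountName != ""` branch is too vague to explain why this path differs from the secret-based one; say that a bound, short-lived token is requested through the TokenRequest subresource for the named service account in the ScaledObject's namespace, and state which audience and expiry are requested, since those values are what Vault's role binding and the token lifetime depend on.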
Member

I think that this code is quite related to this other PR adding the same support in another part. Maybe we should merge one of them and rebase the other, unifying the code. @wozniakjan @zroubalik?

Member

Agree!

Contributor Author

I'm assuming this is the PR you guys are talking about? #6272 - it's a somewhat different usage from what I see; that PR exposes the service account JWT to scalers, whereas my PR exposes the service account JWT to HashiCorp Vault.

Is the ask here to make it compatible with that API? Just thinking what would be a good way to expose this to users.

ex... instead of:

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
spec:
  hashiCorpVault:
    address: {hashicorp-vault-address}
    credential:
      serviceAccountName: default
```

do something like:

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
spec:
  boundServiceAccountToken:
  - serviceAccountName: default
    parameter: null
  credential:
    useBoundServiceAccountToken: true
```

4 participants