DCO signing

Signed-off-by: dttung2905 <[email protected]>

apis/keda/v1alpha1/triggerauthentication_types.go

@@ -235,7 +235,12 @@ type Credential struct {
 	Token string `json:"token,omitempty"`
 
 	// +optional
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+	ServiceAccount string                     `json:"serviceAccount,omitempty"`
+	TokenSecret    *HashicorpVaultTokenSecret `json:"tokenSecret,omitempty"`
+}
+
+type HashicorpVaultTokenSecret struct {
+	ValueFrom ValueFromSecret `json:"valueFrom"`
 }
 
 // VaultAuthentication contains the list of Hashicorp Vault authentication methods

config/rbac/role.yaml

@@ -2,6 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: keda-operator
 rules:
 - apiGroups:
@@ -148,6 +149,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  creationTimestamp: null
   name: keda-operator
   namespace: keda
 rules:

pkg/scaling/resolver/hashicorpvault_handler.go

@@ -17,6 +17,7 @@ limitations under the License.
 package resolver
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -25,6 +26,8 @@ import (
 
 	"github.com/go-logr/logr"
 	vaultapi "github.com/hashicorp/vault/api"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
 )
@@ -44,32 +47,32 @@ func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault) *HashicorpVaultHan
 }
 
 // Initialize the Vault client
-func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
+func (vh *HashicorpVaultHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string, secretLister corev1listers.SecretLister) error {
 	config := vaultapi.DefaultConfig()
-	client, err := vaultapi.NewClient(config)
+	vaultClient, err := vaultapi.NewClient(config)
 	if err != nil {
 		return err
 	}
 
-	err = client.SetAddress(vh.vault.Address)
+	err = vaultClient.SetAddress(vh.vault.Address)
 	if err != nil {
 		return err
 	}
 
 	if len(vh.vault.Namespace) > 0 {
-		client.SetNamespace(vh.vault.Namespace)
+		vaultClient.SetNamespace(vh.vault.Namespace)
 	}
 
-	token, err := vh.token(client)
+	token, err := vh.token(ctx, client, vaultClient, logger, triggerNamespace, secretLister)
 	if err != nil {
 		return err
 	}
 
 	if len(token) > 0 {
-		client.SetToken(token)
+		vaultClient.SetToken(token)
 	}
 
-	lookup, err := client.Auth().Token().LookupSelf()
+	lookup, err := vaultClient.Auth().Token().LookupSelf()
 	// If token is not valid so get out of here early
 	if err != nil {
 		return err
@@ -80,21 +83,25 @@ func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
 		go vh.renewToken(logger)
 	}
 
-	vh.client = client
+	vh.client = vaultClient
 
 	return nil
 }
 
 // token Extract a vault token from the Authentication method
-func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error) {
+func (vh *HashicorpVaultHandler) token(ctx context.Context, client client.Client, vaultClient *vaultapi.Client, logger logr.Logger, triggerNamespace string, secretLister corev1listers.SecretLister) (string, error) {
 	var token string
 
 	switch vh.vault.Authentication {
 	case kedav1alpha1.VaultAuthenticationToken:
 		// Got token from VAULT_TOKEN env variable
 		switch {
-		case len(client.Token()) > 0:
+		case len(vaultClient.Token()) > 0:
 			break
+		case vh.vault.Credential.TokenSecret != nil:
+			tokenSecretName := vh.vault.Credential.TokenSecret.ValueFrom.SecretKeyRef.Name
+			tokenSecretKey := vh.vault.Credential.TokenSecret.ValueFrom.SecretKeyRef.Key
+			token = resolveAuthSecret(ctx, client, logger, tokenSecretName, triggerNamespace, tokenSecretKey, secretLister)
 		case len(vh.vault.Credential.Token) > 0:
 			token = vh.vault.Credential.Token
 		default:
@@ -127,7 +134,7 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 		}
 
 		data := map[string]interface{}{"jwt": string(jwt), "role": vh.vault.Role}
-		secret, err := client.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
+		secret, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
 		if err != nil {
 			return token, err
 		}

pkg/scaling/resolver/hashicorpvault_handler_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package resolver
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -182,7 +183,7 @@ func TestHashicorpVaultHandler_getSecretValue_specify_secret_type(t *testing.T)
 		},
 	}
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Nil(t, err)
 	secrets := []kedav1alpha1.VaultSecret{{
@@ -322,7 +323,7 @@ func TestHashicorpVaultHandler_ResolveSecret(t *testing.T) {
 		},
 	}
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Nil(t, err)
 
@@ -358,7 +359,7 @@ func TestHashicorpVaultHandler_ResolveSecret_UsingRootToken(t *testing.T) {
 		},
 	}
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Nil(t, err)
 
@@ -395,7 +396,7 @@ func TestHashicorpVaultHandler_DefaultKubernetesVaultRole(t *testing.T) {
 	}
 
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Errorf(t, err, "open %s : no such file or directory", defaultServiceAccountPath)
 	assert.Equal(t, vaultHandler.vault.Credential.ServiceAccount, defaultServiceAccountPath)
@@ -413,7 +414,7 @@ func TestHashicorpVaultHandler_ResolveSecrets_SameCertAndKey(t *testing.T) {
 		},
 	}
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Nil(t, err)
 	secrets := []kedav1alpha1.VaultSecret{{
@@ -481,7 +482,7 @@ func TestHashicorpVaultHandler_fetchSecret(t *testing.T) {
 		},
 	}
 	vaultHandler := NewHashicorpVaultHandler(&vault)
-	err := vaultHandler.Initialize(logf.Log.WithName("test"))
+	err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 	defer vaultHandler.Stop()
 	assert.Nil(t, err)
 
@@ -537,7 +538,7 @@ func TestHashicorpVaultHandler_Initialize(t *testing.T) {
 				Namespace: testData.namespace,
 			}
 			vaultHandler := NewHashicorpVaultHandler(&vault)
-			err := vaultHandler.Initialize(logf.Log.WithName("test"))
+			err := vaultHandler.Initialize(context.TODO(), nil, logf.Log.WithName("test"), "", nil)
 			defer vaultHandler.Stop()
 			assert.Nil(t, err)
 
@@ -616,7 +617,7 @@ func TestHashicorpVaultHandler_Token_VaultTokenAuth(t *testing.T) {
 			config := vaultapi.DefaultConfig()
 			client, err := vaultapi.NewClient(config)
 			assert.Nil(t, err)
-			token, err := vaultHandler.token(client)
+			token, err := vaultHandler.token(context.TODO(), nil, client, logf.Log.WithName("test"), "", nil)
 			if testData.isError {
 				assert.Equalf(t, vaultHandler.vault.Credential.ServiceAccount, testData.credential.ServiceAccount, "test %s: expected %s but found %s", testData.name, "random/path", vaultHandler.vault.Credential.ServiceAccount)
 				assert.NotNilf(t, err, "test %s: expected error but got success, testData - %+v", testData.name, testData)

pkg/scaling/resolver/scale_resolvers.go

@@ -266,7 +266,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge
 			}
 			if triggerAuthSpec.HashiCorpVault != nil && len(triggerAuthSpec.HashiCorpVault.Secrets) > 0 {
 				vault := NewHashicorpVaultHandler(triggerAuthSpec.HashiCorpVault)
-				err := vault.Initialize(logger)
+				err := vault.Initialize(ctx, client, logger, triggerNamespace, secretsLister)
 				defer vault.Stop()
 				if err != nil {
 					logger.Error(err, "error authenticating to Vault", "triggerAuthRef.Name", triggerAuthRef.Name)