Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keda vault service account token request #6446

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
- **General**: Enable OpenSSF Scorecard to enhance security practices across the project ([#5913](https://github.com/kedacore/keda/issues/5913))
- **General**: Introduce new NSQ scaler ([#3281](https://github.com/kedacore/keda/issues/3281))
- **General**: Operator flag to control patching of webhook resources certificates ([#6184](https://github.com/kedacore/keda/issues/6184))
- **General**: Vault authentication via cross-namespace service accounts ([#6153](https://github.com/kedacore/keda/issues/6153))

#### Experimental

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ pkg/mock/mock_scale/mock_interfaces.go: vendor/k8s.io/client-go/scale/interfaces
$(MOCKGEN) k8s.io/client-go/scale ScalesGetter,ScaleInterface > $@
pkg/mock/mock_client/mock_interfaces.go: vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go
mkdir -p pkg/mock/mock_client
$(MOCKGEN) sigs.k8s.io/controller-runtime/pkg/client Patch,Reader,Writer,StatusClient,StatusWriter,Client,WithWatch,FieldIndexer > $@
$(MOCKGEN) sigs.k8s.io/controller-runtime/pkg/client Patch,Reader,Writer,StatusClient,StatusWriter,Client,WithWatch,FieldIndexer,SubResourceClient > $@
pkg/scalers/liiklus/mocks/mock_liiklus.go:
$(MOCKGEN) -destination=$@ github.com/kedacore/keda/v2/pkg/scalers/liiklus LiiklusServiceClient

Expand Down
3 changes: 3 additions & 0 deletions apis/keda/v1alpha1/triggerauthentication_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,9 @@ type Credential struct {

// +optional
ServiceAccount string `json:"serviceAccount,omitempty"`

// +optional
ServiceAccountName string `json:"serviceAccountName,omitempty"`
}

// VaultAuthentication contains the list of Hashicorp Vault authentication methods
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/keda.sh_clustertriggerauthentications.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -437,6 +437,8 @@ spec:
properties:
serviceAccount:
type: string
serviceAccountName:
type: string
token:
type: string
type: object
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/keda.sh_triggerauthentications.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,8 @@ spec:
properties:
serviceAccount:
type: string
serviceAccountName:
type: string
token:
type: string
type: object
Expand Down
107 changes: 102 additions & 5 deletions pkg/mock/mock_client/mock_interfaces.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

83 changes: 71 additions & 12 deletions pkg/scaling/resolver/hashicorpvault_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,29 +17,41 @@ limitations under the License.
package resolver

import (
"context"
"encoding/json"
"errors"
"fmt"
"os"
"strings"

apierrors "k8s.io/apimachinery/pkg/api/errors"

"github.com/go-logr/logr"
vaultapi "github.com/hashicorp/vault/api"
"k8s.io/apimachinery/pkg/types"

kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
authenticationv1 "k8s.io/api/authentication/v1"

corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
)

// HashicorpVaultHandler is specification of Hashi Corp Vault
type HashicorpVaultHandler struct {
vault *kedav1alpha1.HashiCorpVault
client *vaultapi.Client
stopCh chan struct{}
vault *kedav1alpha1.HashiCorpVault
client *vaultapi.Client
k8sClient client.Client
namespace string
stopCh chan struct{}
}

// NewHashicorpVaultHandler creates a HashicorpVaultHandler object
func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault) *HashicorpVaultHandler {
func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault, client client.Client, namespace string) *HashicorpVaultHandler {
return &HashicorpVaultHandler{
vault: v,
vault: v,
k8sClient: client,
namespace: namespace,
}
}

Expand Down Expand Up @@ -88,6 +100,8 @@ func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
// token Extract a vault token from the Authentication method
func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error) {
var token string
var jwt []byte
var err error

switch vh.vault.Authentication {
case kedav1alpha1.VaultAuthenticationToken:
Expand Down Expand Up @@ -116,23 +130,68 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
vh.vault.Credential = &defaultCred
}

if len(vh.vault.Credential.ServiceAccount) == 0 {
return token, errors.New("k8s SA file not in config")
if vh.vault.Credential.ServiceAccountName == "" && len(vh.vault.Credential.ServiceAccount) == 0 {
return token, errors.New("k8s SA file not in config or serviceAccountName not supplied")
}

// Get the JWT from POD
jwt, err := os.ReadFile(vh.vault.Credential.ServiceAccount)
if err != nil {
return token, err
if vh.vault.Credential.ServiceAccountName != "" {
// generate token from namespace
saName := types.NamespacedName{Name: vh.vault.Credential.ServiceAccountName, Namespace: vh.namespace}
sa := &corev1.ServiceAccount{}
secret := &corev1.Secret{}

if err = vh.k8sClient.Get(context.Background(), saName, sa); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive service account name: %s namespace: %s", saName.Name, saName.Namespace))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here should return other errs as well.

}

if len(sa.Secrets) > 0 {
//using legacy service account secrets
secretName := types.NamespacedName{Name: sa.Secrets[0].Name, Namespace: vh.namespace}

if err = vh.k8sClient.Get(context.Background(), secretName, secret); err != nil {
if apierrors.IsNotFound(err) {
return token, errors.New(fmt.Sprintf("Failed to retreive secret for service account name: %s namespace: %s", secretName.Name, secretName.Namespace))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here should return other errs as well.

}

jwt = secret.Data["token"]
}

if len(jwt) == 0 {
tokenTTL := int64(600) // min allowed duration is 10 mins
// this token is only used once for the initial authentication
// renewals happen independently on the vault token
tokenRequest := &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{
Audiences: []string{"https://kubernetes.default.svc"},
ExpirationSeconds: &tokenTTL,
},
}

if err := vh.k8sClient.SubResource("token").Create(context.TODO(), sa, tokenRequest); err != nil {
Copy link

@semgrep-app semgrep-app bot Dec 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider to use well-defined context

Ignore this finding from context-todo.

return token, errors.New(fmt.Sprintf("Failed to create token for service account name: %s namespace: %s", saName.Name, saName.Namespace))
}

jwt = []byte(tokenRequest.Status.Token)
}

} else if len(vh.vault.Credential.ServiceAccount) != 0 {
// Get the JWT from POD
jwt, err = os.ReadFile(vh.vault.Credential.ServiceAccount)
if err != nil {
return token, err
}
}

data := map[string]interface{}{"jwt": string(jwt), "role": vh.vault.Role}
secret, err := client.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
if err != nil {
return token, err
}

token = secret.Auth.ClientToken

default:
return token, fmt.Errorf("vault auth method %s is not supported", vh.vault.Authentication)
}
Expand Down
Loading
Loading