Skip to content

Commit

Permalink
TriggerAuthentication/Vault: add support for vault namespace
Browse files Browse the repository at this point in the history
Signed-off-by: Nicolas Chapurlat <nc@coorganix.com>
  • Loading branch information
chapurlatn committed Sep 1, 2021
1 parent 5f94b80 commit 53419d3
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
- Add Bearer auth for Metrics API scaler ([#2028](https://github.com/kedacore/keda/pull/2028))
- Anonymize the host in case of HTTP failure (RabbitMQ Scaler) ([#2041](https://github.com/kedacore/keda/pull/2041))
- Escape `queueName` and `vhostName` in RabbitMQ Scaler before use them in query string (bug fix) ([#2055](https://github.com/kedacore/keda/pull/2055))
- TriggerAuthentication/Vault: add support for Vault namespace (Vault Enterprise) ([#2085](https://github.com/kedacore/keda/pull/2085))

### Breaking Changes

Expand Down
3 changes: 3 additions & 0 deletions api/v1alpha1/triggerauthentication_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,9 @@ type HashiCorpVault struct {
Authentication VaultAuthentication `json:"authentication"`
Secrets []VaultSecret `json:"secrets"`

// +optional
Namespace string `json:"namespace,omitempty"`

// +optional
Credential *Credential `json:"credential,omitempty"`

Expand Down
16 changes: 16 additions & 0 deletions pkg/scaling/resolver/hashicorpvault_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"io/ioutil"
"os"

"github.com/go-logr/logr"
vaultApi "github.com/hashicorp/vault/api"
Expand All @@ -28,6 +29,16 @@ func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault) *HashicorpVaultHan
// Initialize the Vault client
func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
config := vaultApi.DefaultConfig()

// do not take into account vault namespace env variable
// It prevents any conflict with env during testing, just use HashiCorpVault inputs.
// Vault client creation use env var to override any conf (NewClient)
// We should probably also unset EnvVaultToken for the same purpose.
err := os.Unsetenv(vaultApi.EnvVaultNamespace)
if err != nil {
return err
}

client, err := vaultApi.NewClient(config)
if err != nil {
return err
Expand All @@ -38,6 +49,10 @@ func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
return err
}

if len(vh.vault.Namespace) > 0 {
client.SetNamespace(vh.vault.Namespace)
}

token, err := vh.token(client)
if err != nil {
return err
Expand Down Expand Up @@ -98,6 +113,7 @@ func (vh *HashicorpVaultHandler) token(client *vaultApi.Client) (string, error)
}

data := map[string]interface{}{"jwt": string(jwt), "role": vh.vault.Role}

secret, err := client.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
if err != nil {
return token, err
Expand Down

0 comments on commit 53419d3

Please sign in to comment.