Keda vault service account token request

CHANGELOG.md

@@ -61,6 +61,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - **General**: Enable OpenSSF Scorecard to enhance security practices across the project ([#5913](https://github.com/kedacore/keda/issues/5913))
 - **General**: Introduce new NSQ scaler ([#3281](https://github.com/kedacore/keda/issues/3281))
 - **General**: Operator flag to control patching of webhook resources certificates ([#6184](https://github.com/kedacore/keda/issues/6184))
+- **General**: Vault authentication via cross-namespace service accounts ([#6153](https://github.com/kedacore/keda/issues/6153))
 
 #### Experimental
 

Makefile

@@ -182,7 +182,7 @@ pkg/mock/mock_scale/mock_interfaces.go: vendor/k8s.io/client-go/scale/interfaces
 	$(MOCKGEN) k8s.io/client-go/scale ScalesGetter,ScaleInterface > $@
 pkg/mock/mock_client/mock_interfaces.go: vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go
 	mkdir -p pkg/mock/mock_client
-	$(MOCKGEN) sigs.k8s.io/controller-runtime/pkg/client Patch,Reader,Writer,StatusClient,StatusWriter,Client,WithWatch,FieldIndexer > $@
+	$(MOCKGEN) sigs.k8s.io/controller-runtime/pkg/client Patch,Reader,Writer,StatusClient,StatusWriter,Client,WithWatch,FieldIndexer,SubResourceClient > $@
 pkg/scalers/liiklus/mocks/mock_liiklus.go:
 	$(MOCKGEN) -destination=$@ github.com/kedacore/keda/v2/pkg/scalers/liiklus LiiklusServiceClient
 

apis/keda/v1alpha1/triggerauthentication_types.go

@@ -236,6 +236,9 @@ type Credential struct {
 
 	// +optional
 	ServiceAccount string `json:"serviceAccount,omitempty"`
+
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // VaultAuthentication contains the list of Hashicorp Vault authentication methods

config/crd/bases/keda.sh_clustertriggerauthentications.yaml

@@ -437,6 +437,8 @@ spec:
                     properties:
                       serviceAccount:
                         type: string
+                      serviceAccountName:
+                        type: string
                       token:
                         type: string
                     type: object

config/crd/bases/keda.sh_triggerauthentications.yaml

@@ -436,6 +436,8 @@ spec:
                     properties:
                       serviceAccount:
                         type: string
+                      serviceAccountName:
+                        type: string
                       token:
                         type: string
                     type: object

config/e2e/kustomization.yaml

@@ -9,9 +9,15 @@ resources:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 patches:
-- path: patch_operator.yml
+- path: patch_operator.yaml
   target:
     group: apps
     kind: Deployment
     name: keda-operator
     version: v1
+- path: patch_rbac.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: keda-operator
+    version: v1

config/e2e/patch_rbac.yaml

@@ -0,0 +1,9 @@
+  - op: add
+    path: /rules/-
+    value:
+      apiGroups:
+        - ""
+      resources:
+        - serviceaccounts/token
+      verbs:
+        - create

pkg/scaling/resolver/hashicorpvault_handler.go

@@ -17,29 +17,38 @@ limitations under the License.
 package resolver
 
 import (
+	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"strings"
 
 	"github.com/go-logr/logr"
 	vaultapi "github.com/hashicorp/vault/api"
+	"github.com/pkg/errors"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
 )
 
 // HashicorpVaultHandler is specification of Hashi Corp Vault
 type HashicorpVaultHandler struct {
-	vault  *kedav1alpha1.HashiCorpVault
-	client *vaultapi.Client
-	stopCh chan struct{}
+	vault     *kedav1alpha1.HashiCorpVault
+	client    *vaultapi.Client
+	k8sClient client.Client
+	namespace string
+	stopCh    chan struct{}
 }
 
 // NewHashicorpVaultHandler creates a HashicorpVaultHandler object
-func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault) *HashicorpVaultHandler {
+func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault, client client.Client, namespace string) *HashicorpVaultHandler {
 	return &HashicorpVaultHandler{
-		vault: v,
+		vault:     v,
+		k8sClient: client,
+		namespace: namespace,
 	}
 }
 
@@ -88,6 +97,8 @@ func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
 // token Extract a vault token from the Authentication method
 func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error) {
 	var token string
+	var jwt []byte
+	var err error
 
 	switch vh.vault.Authentication {
 	case kedav1alpha1.VaultAuthenticationToken:
@@ -116,23 +127,63 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 			vh.vault.Credential = &defaultCred
 		}
 
-		if len(vh.vault.Credential.ServiceAccount) == 0 {
-			return token, errors.New("k8s SA file not in config")
+		if vh.vault.Credential.ServiceAccountName == "" && len(vh.vault.Credential.ServiceAccount) == 0 {
+			return token, errors.New("k8s SA file not in config or serviceAccountName not supplied")
 		}
 
-		// Get the JWT from POD
-		jwt, err := os.ReadFile(vh.vault.Credential.ServiceAccount)
-		if err != nil {
-			return token, err
+		if vh.vault.Credential.ServiceAccountName != "" {
+			// generate token from namespace
+			saName := types.NamespacedName{Name: vh.vault.Credential.ServiceAccountName, Namespace: vh.namespace}
+			sa := &corev1.ServiceAccount{}
+			secret := &corev1.Secret{}
+
+			if err = vh.k8sClient.Get(context.Background(), saName, sa); err != nil {
+				return token, errors.Wrap(err, fmt.Sprintf("Failed to retrieve service account name: %s namespace: %s", saName.Name, saName.Namespace))
+			}
+
+			if len(sa.Secrets) > 0 {
+				// using legacy service account secrets
+				secretName := types.NamespacedName{Name: sa.Secrets[0].Name, Namespace: vh.namespace}
+
+				if err = vh.k8sClient.Get(context.Background(), secretName, secret); err != nil {
+					return token, errors.Wrap(err, fmt.Sprintf("Failed to retrieve secret for service account name: %s namespace: %s", secretName.Name, secretName.Namespace))
+				}
+
+				jwt = secret.Data["token"]
+			}
+
+			if len(jwt) == 0 {
+				tokenTTL := int64(600) // min allowed duration is 10 mins
+				// this token is only used once for the initial authentication
+				// renewals happen independently on the vault token
+				tokenRequest := &authenticationv1.TokenRequest{
+					Spec: authenticationv1.TokenRequestSpec{
+						Audiences:         []string{"https://kubernetes.default.svc"},
+						ExpirationSeconds: &tokenTTL,
+					},
+				}
+
+				if err := vh.k8sClient.SubResource("token").Create(context.Background(), sa, tokenRequest); err != nil {
+					return token, errors.Wrap(err, fmt.Sprintf("Failed to create token for service account name: %s namespace: %s", saName.Name, saName.Namespace))
+				}
+
+				jwt = []byte(tokenRequest.Status.Token)
+			}
+		} else if len(vh.vault.Credential.ServiceAccount) != 0 {
+			// Get the JWT from POD
+			jwt, err = os.ReadFile(vh.vault.Credential.ServiceAccount)
+			if err != nil {
+				return token, err
+			}
 		}
 
 		data := map[string]interface{}{"jwt": string(jwt), "role": vh.vault.Role}
 		secret, err := client.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
 		if err != nil {
 			return token, err
 		}
-
 		token = secret.Auth.ClientToken
+
 	default:
 		return token, fmt.Errorf("vault auth method %s is not supported", vh.vault.Authentication)
 	}