From d06840bf0ae3bc83640b421e55ebb0c5c5ea3d47 Mon Sep 17 00:00:00 2001
From: Max Cao
Date: Tue, 5 Nov 2024 16:32:20 -0800
Subject: [PATCH 1/2] Update CRDs for BoundServiceAccountToken triggerAuth source
Signed-off-by: Max Cao
---
 .../crds/crd-clustertriggerauthentications.yaml | 12 ++++++++++++
 .../crds/crd-triggerauthentications.yaml | 15 +++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/keda/templates/crds/crd-clustertriggerauthentications.yaml b/keda/templates/crds/crd-clustertriggerauthentications.yaml
index 823e5140..75a968fc 100644
--- a/keda/templates/crds/crd-clustertriggerauthentications.yaml
+++ b/keda/templates/crds/crd-clustertriggerauthentications.yaml
@@ -308,6 +308,18 @@ spec:
 - secrets
 - vaultUri
 type: object
+ boundServiceAccountToken:
+ items:
+ properties:
+ parameter:
+ type: string
+ serviceAccountName:
+ type: string
+ required:
+ - parameter
+ - serviceAccountName
+ type: object
+ type: array
 configMapTargetRef:
 items:
 description: AuthConfigMapTargetRef is used to authenticate using
diff --git a/keda/templates/crds/crd-triggerauthentications.yaml b/keda/templates/crds/crd-triggerauthentications.yaml
index 5bfec720..735f9d2e 100644
--- a/keda/templates/crds/crd-triggerauthentications.yaml
+++ b/keda/templates/crds/crd-triggerauthentications.yaml
@@ -307,6 +307,21 @@ spec:
 - secrets
 - vaultUri
 type: object
+ boundServiceAccountToken:
+ items:
+ properties:
+ expiry:
+ type: string
+ parameter:
+ type: string
+ serviceAccountName:
+ type: string
+ required:
+ - expiry
+ - parameter
+ - serviceAccountName
+ type: object
+ type: array
 configMapTargetRef:
 items:
 description: AuthConfigMapTargetRef is used to authenticate using
From 3fe5b3c10fc98f2c4a620d1d9133bf0d6a37ad36 Mon Sep 17 00:00:00 2001
From: Max Cao
Date: Mon, 3 Feb 2025 19:33:51 -0800
Subject: [PATCH 2/2] Allow keda to request SA tokens 
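Review bot: The `boundServiceAccountToken` item schema added to crd-clustertriggerauthentications.yaml has no `expiry` property, while the same item in crd-triggerauthentications.yaml (next hunk) declares `expiry` and lists it under `required`. If both CRDs are rendered from the same Go type this copy looks stale: a ClusterTriggerAuthentication that sets `expiry` would have the field dropped by structural-schema pruning instead of reaching the operator, and the two resources would silently behave differently. Adding `expiry:` / `type: string` under `properties` and `- expiry` under `required` brings them in line; if the asymmetry is deliberate, say so in a `description:` on the item so it is not read as a bug. The item also deserves the kind of `description:` its sibling `configMapTargetRef` carries, and that description should state that `serviceAccountName` is unconstrained by the schema, so whoever may create these objects is asking the operator to obtain a token for that service account.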
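Review bot: `expiry` in the new `boundServiceAccountToken` schema is a bare `type: string` with no `description`, `pattern` or `format`, so the CRD gives no hint of what the operator accepts (presumably a duration, to be confirmed against the controller) and a malformed value is only rejected at reconcile time rather than at admission. The neighbouring `configMapTargetRef` item documents itself with a `description:` line; this item, `parameter` and `serviceAccountName` have none. I would add a `description:` on the item saying which service account's token populates `parameter`, a `description:` on `expiry` stating the accepted format, and a `pattern:` once that format is settled so invalid values fail at admission.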
Signed-off-by: Max Cao
---
 keda/README.md | 1 +
 keda/templates/manager/clusterrole.yaml | 8 ++++++++
 keda/values.yaml | 2 ++
 3 files changed, 11 insertions(+)
diff --git a/keda/README.md b/keda/README.md
index 6b922710..aa408247 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -140,6 +140,7 @@ their default values.
 | `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). |
 | `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) |
 | `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name |
+| `permissions.operator.restrict.saTokens` | bool | `true` | Restrict Service Account Token Creation Access for KEDA operator |
 | `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace |
 | `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator |
 | `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] |
diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml
index 990423b9..9d26e4e6 100644
--- a/keda/templates/manager/clusterrole.yaml
+++ b/keda/templates/manager/clusterrole.yaml
@@ -24,6 +24,14 @@ rules:
 - get
 - list
 - watch
+{{- if eq .Values.permissions.operator.restrict.saTokens false }}
+- apiGroups:
+ - "" resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+{{- end }}
 - apiGroups:
 - ""
 resources:
diff --git a/keda/values.yaml b/keda/values.yaml
index e429fe09..1291f96e 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -842,6 +842,8 @@ permissions:
 # -- Restrict Secret Access for KEDA operator
 # if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace
 secret: false
+ # -- Restrict Service Token Access for KEDA operator
+ saTokens: true
 # -- Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account
 # also the configured `watchNamespace`.
 # the default is an empty array -> no restriction on the secret name
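Review bot: When `permissions.operator.restrict.saTokens` is false, the new rule grants `create` on `serviceaccounts/token` with no namespace or resource-name scoping, and since it lands in the operator's ClusterRole (judging by the file path) that is the ability to obtain a token for every service account in every namespace — transitively available to anyone who can create a TriggerAuthentication naming a `serviceAccountName`. The neighbouring `secret` restriction has a middle ground (release-namespace only, per its README row); this flag is all-or-nothing, so consider emitting the rule in a namespaced Role when `watchNamespace` is set, or at least scoping it with `resourceNames` where the chart already knows the service accounts involved, and state the cluster-wide blast radius in the values.yaml comment. `eq ... false` rather than the more usual `not` is actually the safer form here, because an unset or nulled value keeps the rule off instead of turning it on; a one-line template comment such as `{{/* eq ... false on purpose: an unset value must keep the token rule off */}}` would stop someone "simplifying" it later. The `+` marker on `resources:` appears to have been lost in this rendering of the hunk.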
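Review bot: The comment on `saTokens` reads "Restrict Service Token Access" while the README row added in this series reads "Restrict Service Account Token Creation Access", and unlike the `secret` entry directly above it, it does not say what each state does. Mirroring the `secret` comment keeps values.yaml self-explanatory: `# -- Restrict Service Account Token Creation Access for KEDA operator` / `# if false, KEDA operator will be able to create tokens (serviceaccounts/token) for any service account in the cluster`. Defaulting to `true` is the right fail-closed choice; saying so in the comment makes it less likely to be flipped for convenience.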