From 1a650dcbaecd1c8a4db58ebeae490057ec6d1f90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFs=20Postula?=
Date: Tue, 10 Oct 2023 20:35:48 +0200
Subject: [PATCH 1/3] feat: add doc for hashicorp vault secret mode and data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïs Postula
---
 .../docs/2.13/authentication-providers/hashicorp-vault.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/content/docs/2.13/authentication-providers/hashicorp-vault.md b/content/docs/2.13/authentication-providers/hashicorp-vault.md
index d26c4025c..c876f5eea 100644
--- a/content/docs/2.13/authentication-providers/hashicorp-vault.md
+++ b/content/docs/2.13/authentication-providers/hashicorp-vault.md
@@ -23,6 +23,8 @@ hashiCorpVault: # Optional.
 serviceAccount: {path-to-service-account-file} # Optional.
 secrets: # Required.
 - parameter: {scaledObject-parameter-name} # Required.
- key: {hasicorp-vault-secret-key-name} # Required.
- path: {hasicorp-vault-secret-path} # Required.
+ key: {hashicorp-vault-secret-key-name} # Required.
+ path: {hashicorp-vault-secret-path} # Required.
+ type: {hashicorp-vault-secret-mode} # Optional. Default to `""`
+ pkidata: {hashicorp-vault-secret-pkidata} # Optional. Data to be send with the secret if `hashicorp-vault-secret-type` is pki request
 ```
From 8293d706dac139ad41f8b22623dc8ffb26da23ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFs=20Postula?=
Date: Thu, 12 Oct 2023 15:27:14 +0200
Subject: [PATCH 2/3] feat: add HashiCorp Vault example
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïs Postula
---
 .../hashicorp-vault.md | 89 +++++++++++++++----
 1 file changed, 74 insertions(+), 15 deletions(-)
diff --git a/content/docs/2.13/authentication-providers/hashicorp-vault.md b/content/docs/2.13/authentication-providers/hashicorp-vault.md
index c876f5eea..4155427e9 100644
--- a/content/docs/2.13/authentication-providers/hashicorp-vault.md
+++ b/content/docs/2.13/authentication-providers/hashicorp-vault.md
@@ -12,19 +12,78 @@ You can pull one or more Hashicorp Vault secrets into the trigger by defining th
 > The support for Vault secrets backend **version 1** was added on version `2.10`.
 ```yaml
-hashiCorpVault: # Optional.
- address: {hashicorp-vault-address} # Required.
- namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
- authentication: token | kubernetes # Required.
- role: {hashicorp-vault-role} # Optional.
- mount: {hashicorp-vault-mount} # Optional.
- credential: # Optional.
- token: {hashicorp-vault-token} # Optional.
- serviceAccount: {path-to-service-account-file} # Optional.
- secrets: # Required.
- - parameter: {scaledObject-parameter-name} # Required.
- key: {hashicorp-vault-secret-key-name} # Required.
- path: {hashicorp-vault-secret-path} # Required.
- type: {hashicorp-vault-secret-mode} # Optional. Default to `""`
- pkidata: {hashicorp-vault-secret-pkidata} # Optional. Data to be send with the secret if `hashicorp-vault-secret-type` is pki request
+hashiCorpVault: # Optional.
+ address: {hashicorp-vault-address} # Required.
+ namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
+ authentication: token | kubernetes # Required.
+ role: {hashicorp-vault-role} # Optional.
+ mount: {hashicorp-vault-mount} # Optional.
+ credential: # Optional.
+ token: {hashicorp-vault-token} # Optional.
+ serviceAccount: {path-to-service-account-file} # Optional.
+ secrets: # Required.
+ - parameter: {scaledObject-parameter-name} # Required.
+ key: {hashicorp-vault-secret-key-name} # Required.
+ path: {hashicorp-vault-secret-path} # Required.
+ type: {hashicorp-vault-secret-mode} # Optional. Default to `""`
+ pkidata: {hashicorp-vault-secret-pkidata} # Optional. Data to be send with the secret if `hashicorp-vault-secret-type` is pki request
+ commonName: {hashicorp-vault-secret-pkidata-commonName} # Optional.
+ altNames: {hashicorp-vault-secret-pkidata-altNames} # Optional.
+ ipSans: {hashicorp-vault-secret-pkidata-ipSans} # Optional.
+ uriSans: {hashicorp-vault-secret-pkidata-uriSans} # Optional.
+ otherSans: {hashicorp-vault-secret-pkidata-otherSans} # Optional.
+ ttl: {hashicorp-vault-secret-pkidata-ttl} # Optional.
+ format: {hashicorp-vault-secret-pkidata-format} # Optional.
+```
+
+### Example
+Vault Secret can be used to provide authentication for a Scaler. If using the [Prometheus scaler](https://keda.sh/docs/2.3/scalers/prometheus/), mTls can be used by the `ScaledObject` to authenticate to the Prometheus server. The following example would request a certificate to Vault dynamically.
+```yaml
+apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+ name: {trigger-authentication-mame}
+ namespace: default
+spec:
+ hashiCorpVault:
+ address: {hashicorp-vault-address}
+ authentication: token
+ credential:
+ token: {hashicorp-vault-token}
+ secrets:
+ - key: "ca_chain"
+ parameter: "ca"
+ path: {hashicorp-vault-secret-path}
+ type: pki
+ pki_data:
+ common_name: {hashicorp-vault-secret-pkidata-commonName}
+ - key: "private_key"
+ parameter: "key"
+ path: {hashicorp-vault-secret-path}
+ type: pki
+ pki_data:
+ common_name: {hashicorp-vault-secret-pkidata-commonName}
+ - key: "certificate"
+ parameter: "cert"
+ path: {hashicorp-vault-secret-path}
+ type: pki
+ pki_data:
+ common_name: {hashicorp-vault-secret-pkidata-commonName}
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+ name: {scaled-object-name}
+ namespace: default
+spec:
+ scaleTargetRef:
+ name: {deployment-name}
+ triggers:
+ - type: prometheus
+ metadata:
+ serverAddress: http://:9090
+ query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
+ authModes: "tls"
+ authenticationRef:
+ name: { trigger-authentication-mame }
 ```
From 524f0bfc89455e0cefe0682d780e53eef68d77a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFs=20Postula?=
Date: Fri, 13 Oct 2023 14:44:03 +0200
Subject: [PATCH 3/3] feat: add allowed values to the doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïs Postula
---
 content/docs/2.13/authentication-providers/hashicorp-vault.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/docs/2.13/authentication-providers/hashicorp-vault.md b/content/docs/2.13/authentication-providers/hashicorp-vault.md
index 4155427e9..a09b01a4e 100644
--- a/content/docs/2.13/authentication-providers/hashicorp-vault.md
+++ b/content/docs/2.13/authentication-providers/hashicorp-vault.md
@@ -25,7 +25,7 @@ hashiCorpVault: # Optional.
 - parameter: {scaledObject-parameter-name} # Required.
 key: {hashicorp-vault-secret-key-name} # Required.
 path: {hashicorp-vault-secret-path} # Required.
- type: {hashicorp-vault-secret-mode} # Optional. Default to `""`
+ type: {hashicorp-vault-secret-type} # Optional. Default to `""`. Allowed values: `secret`, `secretV2`, `pki`
 pkidata: {hashicorp-vault-secret-pkidata} # Optional. Data to be send with the secret if `hashicorp-vault-secret-type` is pki request
 commonName: {hashicorp-vault-secret-pkidata-commonName} # Optional.
 altNames: {hashicorp-vault-secret-pkidata-altNames} # Optional.
@@ -37,7 +37,7 @@ hashiCorpVault: # Optional.
 ```
 ### Example
-Vault Secret can be used to provide authentication for a Scaler. If using the [Prometheus scaler](https://keda.sh/docs/2.3/scalers/prometheus/), mTls can be used by the `ScaledObject` to authenticate to the Prometheus server. The following example would request a certificate to Vault dynamically.
+Vault Secret can be used to provide authentication for a Scaler. If using the [Prometheus scaler](https://keda.sh/docs/2.3/scalers/prometheus/), mTls can be used by the `ScaledObject` to authenticate to the Prometheus server. The following example would request a certificate to Vault dynamically.
 ```yaml
 apiVersion: keda.sh/v1alpha1
 kind: TriggerAuthentication