diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go index c1eb0c55b81..b27a0161fd1 100644 --- a/apis/keda/v1alpha1/triggerauthentication_types.go +++ b/apis/keda/v1alpha1/triggerauthentication_types.go @@ -288,7 +288,7 @@ type AzureKeyVaultCloudInfo struct { // AwsSecretManager is used to authenticate using AwsSecretManager type AwsSecretManager struct { Credentials *AwsSecretManagerCredentials `json:"credentials"` - Secrets []AwsSecretManagerSecret `json:"secret"` + Secrets []AwsSecretManagerSecret `json:"secrets"` // +optional PodIdentity *AuthPodIdentity `json:"podIdentity"` @@ -297,7 +297,10 @@ type AwsSecretManager struct { } type AwsSecretManagerCredentials struct { - ValuesFrom string `json:"valueFrom"` + AccessKey ValueFromSecret `json:"accessKey"` + AccessSecretKey ValueFromSecret `json:"accessSecretKey"` + // +optional + AccessToken ValueFromSecret `json:"accessToken,omitempty"` } type AwsSecretManagerSecret struct { diff --git a/apis/keda/v1alpha1/zz_generated.deepcopy.go b/apis/keda/v1alpha1/zz_generated.deepcopy.go index 6dbb2a02110..6d5781fea8a 100755 --- a/apis/keda/v1alpha1/zz_generated.deepcopy.go +++ b/apis/keda/v1alpha1/zz_generated.deepcopy.go @@ -150,6 +150,9 @@ func (in *AwsSecretManager) DeepCopy() *AwsSecretManager { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AwsSecretManagerCredentials) DeepCopyInto(out *AwsSecretManagerCredentials) { *out = *in + out.AccessKey = in.AccessKey + out.AccessSecretKey = in.AccessSecretKey + out.AccessToken = in.AccessToken } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsSecretManagerCredentials. diff --git a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml index cc9cacc688f..50ac2766ab6 100644 
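Review bot: `Credentials *AwsSecretManagerCredentials` keeps no `+optional` marker while `PodIdentity` gets one, so the generated CRD in this same change lists `credentials` under `required`; a user of EKS or Kiam pod identity is therefore forced to reference static access-key Secrets that the handler never reads in that mode, which pushes long-lived keys into the cluster for no benefit. Mark it `// +optional` and have the static-credentials branch of the handler check `ash.secretManager.Credentials != nil` before dereferencing it, which also removes the nil-pointer path when the field is absent. On `AccessToken ValueFromSecret \`json:"accessToken,omitempty"\``, `omitempty` has no effect on a struct value in encoding/json; if the intent is to omit it when unset, make it `*ValueFromSecret`. The deepcopy hunk is generated and should be regenerated after that change rather than edited.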
--- a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml +++ b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml @@ -59,6 +59,100 @@ spec: spec: description: TriggerAuthenticationSpec defines the various ways to authenticate properties: + awsSecretManager: + description: AwsSecretManager is used to authenticate using AwsSecretManager + properties: + cloud: + properties: + endpoint: + type: string + region: + type: string + type: object + credentials: + properties: + accessKey: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + accessSecretKey: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + accessToken: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - accessKey + - accessSecretKey + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + versionId: + type: string + versionStage: + type: string + required: + - name + - parameter + type: object + type: array + required: + - cloud + - credentials + - secrets + type: object azureKeyVault: description: AzureKeyVault is used to authenticate using Azure Key Vault diff --git a/config/crd/bases/keda.sh_triggerauthentications.yaml b/config/crd/bases/keda.sh_triggerauthentications.yaml index 6589a44301b..f3b6cb8e6d1 100644 --- a/config/crd/bases/keda.sh_triggerauthentications.yaml 
+++ b/config/crd/bases/keda.sh_triggerauthentications.yaml @@ -58,6 +58,100 @@ spec: spec: description: TriggerAuthenticationSpec defines the various ways to authenticate properties: + awsSecretManager: + description: AwsSecretManager is used to authenticate using AwsSecretManager + properties: + cloud: + properties: + endpoint: + type: string + region: + type: string + type: object + credentials: + properties: + accessKey: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + accessSecretKey: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + accessToken: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - accessKey + - accessSecretKey + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + versionId: + type: string + versionStage: + type: string + required: + - name + - parameter + type: object + type: array + required: + - cloud + - credentials + - secrets + type: object azureKeyVault: description: AzureKeyVault is used to authenticate using Azure Key Vault diff --git a/pkg/scaling/resolver/aws_secretManager_handler.go b/pkg/scaling/resolver/aws_secretManager_handler.go index 6bced1387ff..69c0df77cc6 100644 --- a/pkg/scaling/resolver/aws_secretManager_handler.go +++ b/pkg/scaling/resolver/aws_secretManager_handler.go 
@@ -7,22 +7,21 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/secretsmanager" "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" corev1listers "k8s.io/client-go/listers/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1" ) -const ( - AccessKeyID = "AWS_ACCESS_KEY_ID" - SecretAccessKey = "AWS_SECRET_ACCESS_KEY" -) - type AwsSecretManagerHandler struct { secretManager *kedav1alpha1.AwsSecretManager + session *session.Session secretclient *secretsmanager.SecretsManager } @@ -34,11 +33,14 @@ func NewAwsSecretManagerHandler(a *kedav1alpha1.AwsSecretManager) *AwsSecretMana func (ash *AwsSecretManagerHandler) Read(secretName, versionID, versionStage string) (string, error) { input := &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(secretName), - VersionId: aws.String(versionID), - VersionStage: aws.String(versionStage), + SecretId: aws.String(secretName), + } + if versionID != "" { + input.VersionId = aws.String(versionID) + } + if versionStage != "" { + input.VersionStage = aws.String(versionStage) } - result, err := ash.secretclient.GetSecretValue(input) if err != nil { if aerr, ok := err.(awserr.Error); ok { @@ -63,8 +65,6 @@ func (ash *AwsSecretManagerHandler) Read(secretName, versionID, versionStage str return "", err } } else { - // Print the error, cast err to awserr.Error to get the Code and - // Message from an error. err = fmt.Errorf(err.Error()) return "", err } 
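Review bot: The fallback branch of Read's error handling still rebuilds the error as `fmt.Errorf(err.Error())`, which uses a non-constant format string (a `%` in an AWS error message is interpreted as a verb, and `go vet` reports it) and discards the original error for `errors.Is`/`errors.As`; `return "", fmt.Errorf("reading secret %q from Secrets Manager: %w", secretName, err)` keeps both, and the `awserr.Error` branch above could wrap with `%w` the same way. The guards that only set `VersionId`/`VersionStage` when non-empty are the right fix for the previous empty-string values. Read ends outside this hunk, where `*result.SecretString` is dereferenced; if a secret is stored as binary that field can be nil, so a check there would avoid a panic — worth confirming against the SDK behaviour.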
@@ -72,19 +72,23 @@ func (ash *AwsSecretManagerHandler) Read(secretName, versionID, versionStage str return *result.SecretString, nil } -func (ash *AwsSecretManagerHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string, secretsLister corev1listers.SecretLister) error { - config, err := ash.getconfig(ctx, client, logger, triggerNamespace, secretsLister) +func (ash *AwsSecretManagerHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string, secretsLister corev1listers.SecretLister, podTemplateSpec *corev1.PodTemplateSpec) error { + config, err := ash.getcredentials(ctx, client, logger, triggerNamespace, secretsLister, podTemplateSpec) if err != nil { return err } - - sess, err := session.NewSession() - - ash.secretclient = secretsmanager.New(sess, config) + if ash.secretManager.Cloud.Region != "" { + config.WithRegion(ash.secretManager.Cloud.Region) + } + if ash.secretManager.Cloud.Endpoint != "" { + config.WithEndpoint(ash.secretManager.Cloud.Endpoint) + } + ash.session = session.Must(session.NewSession()) + ash.secretclient = secretsmanager.New(ash.session, config) return err } -func (ash *AwsSecretManagerHandler) getconfig(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string, secretsLister corev1listers.SecretLister) (*aws.Config, error) { +func (ash *AwsSecretManagerHandler) getcredentials(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string, secretsLister corev1listers.SecretLister, podTemplateSpec *corev1.PodTemplateSpec) (*aws.Config, error) { config := aws.NewConfig() podIdentity := ash.secretManager.PodIdentity 
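Review bot: `ash.session` is assigned only after `getcredentials` returns, but the EKS and Kiam branches of `getcredentials` (next hunk) hand `ash.session` to `stscreds.NewCredentials`, so on those paths the STS client is built from a nil session and cannot assume the role. Create the session before resolving credentials, and avoid `session.Must`, which panics inside the reconcile path: `sess, err := session.NewSession(); if err != nil { return fmt.Errorf("creating AWS session: %w", err) }; ash.session = sess` ahead of the `getcredentials` call. The trailing `return err` can only be nil at that point, so `return nil` states it plainly. Note also that the region and endpoint are applied to `config` after the STS credentials provider is created, so the AssumeRole call will not see a custom endpoint; if that matters for private or FIPS endpoints, apply them before.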
@@ -94,32 +98,36 @@ func (ash *AwsSecretManagerHandler) getconfig(ctx context.Context, client client switch podIdentity.Provider { case "", kedav1alpha1.PodIdentityProviderNone: - secretName := ash.secretManager.Credentials.ValuesFrom - accessKeyID := resolveAuthSecret(ctx, client, logger, secretName, triggerNamespace, AccessKeyID, secretsLister) - accessSecretKey := resolveAuthSecret(ctx, client, logger, secretName, triggerNamespace, SecretAccessKey, secretsLister) + accessKeyID := resolveAuthSecret(ctx, client, logger, ash.secretManager.Credentials.AccessKey.SecretKeyRef.Name, triggerNamespace, ash.secretManager.Credentials.AccessKey.SecretKeyRef.Key, secretsLister) + accessSecretKey := resolveAuthSecret(ctx, client, logger, ash.secretManager.Credentials.AccessSecretKey.SecretKeyRef.Name, triggerNamespace, ash.secretManager.Credentials.AccessSecretKey.SecretKeyRef.Key, secretsLister) if accessKeyID == "" || accessSecretKey == "" { - return nil, fmt.Errorf("%s and %s are expected when not using a pod identity provider", AccessKeyID, SecretAccessKey) + return nil, fmt.Errorf("AccessKeyId and AccessSecretKey are expected when not using a pod identity provider") } config.WithCredentials(credentials.NewStaticCredentials(accessKeyID, accessSecretKey, "")) - if ash.secretManager.Cloud.Region != "" { - config.WithRegion(ash.secretManager.Cloud.Region) - } - if ash.secretManager.Cloud.Endpoint != "" { - config.WithEndpoint(ash.secretManager.Cloud.Endpoint) - } return config, nil - case kedav1alpha1.PodIdentityProviderAwsKiam, kedav1alpha1.PodIdentityProviderAwsEKS: - if ash.secretManager.Cloud.Region != "" { - config.WithRegion(ash.secretManager.Cloud.Region) - } - if ash.secretManager.Cloud.Endpoint != "" { - config.WithEndpoint(ash.secretManager.Cloud.Endpoint) + case kedav1alpha1.PodIdentityProviderAwsEKS: + awsRoleArn, err := ash.getRoleArnAwsEKS(ctx, client, logger, triggerNamespace, podTemplateSpec) + if err != nil { + return nil, fmt.Errorf("error resolving role 
arn for AwsEKS pod identity: %s", err) } - + config.WithCredentials(stscreds.NewCredentials(ash.session, awsRoleArn)) + return config, nil + case kedav1alpha1.PodIdentityProviderAwsKiam: + awsRoleArn := podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] + config.WithCredentials(stscreds.NewCredentials(ash.session, awsRoleArn)) return config, nil - default: return nil, fmt.Errorf("pod identity provider %s not supported", podIdentity.Provider) } } + +func (ash *AwsSecretManagerHandler) getRoleArnAwsEKS(ctx context.Context, client client.Client, _ logr.Logger, triggerNamespace string, podTemplateSpec *corev1.PodTemplateSpec) (string, error) { + serviceAccountName := podTemplateSpec.Spec.ServiceAccountName + serviceAccount := &corev1.ServiceAccount{} + err := client.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: triggerNamespace}, serviceAccount) + if err != nil { + return "", err + } + return serviceAccount.Annotations[kedav1alpha1.PodIdentityAnnotationEKS], nil +} diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go index 542f9ca817f..0921fbc77a9 100644 --- a/pkg/scaling/resolver/scale_resolvers.go +++ b/pkg/scaling/resolver/scale_resolvers.go @@ -20,7 +20,6 @@ import ( "bytes" "context" "fmt" - "strconv" "strings" "github.com/go-logr/logr" @@ -39,12 +38,10 @@ import ( ) const ( - referenceOperator = '$' - referenceOpener = '(' - referenceCloser = ')' - boolTrue = true - boolFalse = false - defaultServiceAccount = "default" + referenceOperator = '$' + referenceOpener = '(' + referenceCloser = ')' + isrestrictSecretAccess = "true" ) var ( 
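Review bot: The static-credentials branch still passes an empty session token, `credentials.NewStaticCredentials(accessKeyID, accessSecretKey, "")`, even though the credentials type in this change gained an optional `accessToken` reference, so temporary STS credentials stored in a Secret will be rejected by AWS. Resolve it when a ref is set — `sessionToken := ""; if ref := ash.secretManager.Credentials.AccessToken.SecretKeyRef; ref.Name != "" { sessionToken = resolveAuthSecret(ctx, client, logger, ref.Name, triggerNamespace, ref.Key, secretsLister) }` — and pass it as the third argument. The EKS and Kiam branches accept an empty role ARN (`getRoleArnAwsEKS` returns whatever the annotation holds, and the Kiam lookup indexes the map directly), which only surfaces later as an AssumeRole failure; `if awsRoleArn == "" { return nil, fmt.Errorf("no role ARN found for %s pod identity", podIdentity.Provider) }` gives a clear error at resolution time. Both branches also dereference `podTemplateSpec` without a nil check, and `getRoleArnAwsEKS` looks up an empty service-account name when the pod spec relies on the namespace `default` account.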
@@ -56,13 +53,13 @@ var (
 // isSecretAccessRestricted returns whether secret access need to be restricted in KEDA namespace
 func isSecretAccessRestricted(logger logr.Logger) bool {
 	if restrictSecretAccess == "" {
-		return boolFalse
+		return false
 	}
-	if strings.ToLower(restrictSecretAccess) == strconv.FormatBool(boolTrue) {
+	if strings.ToLower(restrictSecretAccess) == isrestrictSecretAccess {
 		logger.V(1).Info("Secret Access is restricted to be in Cluster Object Namespace, please use ClusterTriggerAuthentication instead of TriggerAuthentication", "Cluster Object Namespace", kedaNamespace, "Env Var", util.RestrictSecretAccessEnvVar, "Env Value", strings.ToLower(restrictSecretAccess))
-		return boolTrue
+		return true
 	}
-	return boolFalse
+	return false
 }
 
 // ResolveScaleTargetPodSpec for given scalableObject inspects the scale target workload,
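Review bot: `isrestrictSecretAccess` reads like a boolean but holds the string `"true"`, and the `strings.ToLower` plus string-compare pair reimplements what the standard library already offers; `strings.EqualFold(restrictSecretAccess, "true")` expresses the same check without a constant the reader has to decode. If the constant stays, `restrictSecretAccessEnabled` is a clearer name and MixedCaps (`isRestrictSecretAccess`) is the Go convention. Behaviour is unchanged here, which is the right outcome for a flag that widens or narrows which Secrets the operator will read — but see the later resolveEnv hunks, where the flag's consumer is removed.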
@@ -74,25 +71,6 @@ func ResolveScaleTargetPodSpec(ctx context.Context, kubeClient client.Client, sc case *kedav1alpha1.ScaledObject: // Try to get a real object instance for better cache usage, but fall back to an Unstructured if needed. podTemplateSpec := corev1.PodTemplateSpec{} - - // trying to prevent operator crashes, due to some race condition, sometimes obj.Status.ScaleTargetGVKR is nil - // see https://github.com/kedacore/keda/issues/4389 - // Tracking issue: https://github.com/kedacore/keda/issues/4955 - if obj.Status.ScaleTargetGVKR == nil { - scaledObject := &kedav1alpha1.ScaledObject{} - err := kubeClient.Get(ctx, types.NamespacedName{Name: obj.Name, Namespace: obj.Namespace}, scaledObject) - if err != nil { - log.Error(err, "failed to get ScaledObject", "name", obj.Name, "namespace", obj.Namespace) - return nil, "", err - } - obj = scaledObject - } - if obj.Status.ScaleTargetGVKR == nil { - err := fmt.Errorf("failed to get ScaledObject.Status.ScaleTargetGVKR, probably invalid ScaledObject cache") - log.Error(err, "failed to get ScaledObject.Status.ScaleTargetGVKR, probably invalid ScaledObject cache", "scaledObject.Name", obj.Name, "scaledObject.Namespace", obj.Namespace) - return nil, "", err - } - gvk := obj.Status.ScaleTargetGVKR.GroupVersionKind() objKey := client.ObjectKey{Namespace: obj.Namespace, Name: obj.Spec.ScaleTargetRef.Name} @@ -113,7 +91,7 @@ func ResolveScaleTargetPodSpec(ctx context.Context, kubeClient client.Client, sc statefulSet := &appsv1.StatefulSet{} if err := kubeClient.Get(ctx, objKey, statefulSet); err != nil { // resource doesn't exist - logger.Error(err, "target statefulset doesn't exist") + logger.Error(err, "target deployment doesn't exist") return nil, "", err } podTemplateSpec.ObjectMeta = statefulSet.ObjectMeta 
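Review bot: `obj.Status.ScaleTargetGVKR.GroupVersionKind()` is now reached with no nil check, because the block that re-fetched the ScaledObject and returned an error when `Status.ScaleTargetGVKR` was still nil is removed; the deleted comment ties that guard to an operator crash (issues 4389/4955), so the nil dereference on a stale cache comes back. Keep at least the cheap check: `if obj.Status.ScaleTargetGVKR == nil { return nil, "", fmt.Errorf("ScaledObject %s/%s has no ScaleTargetGVKR in status", obj.Namespace, obj.Name) }`. In the second hunk the StatefulSet branch now logs `target deployment doesn't exist`; the replaced `target statefulset doesn't exist` was the correct message. ResolveScaleTargetPodSpec starts and ends outside these hunks.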
@@ -156,11 +134,11 @@ func ResolveContainerEnv(ctx context.Context, client client.Client, logger logr. var container corev1.Container if containerName != "" { - containerWithNameFound := boolFalse + containerWithNameFound := false for _, c := range podSpec.Containers { if c.Name == containerName { container = c - containerWithNameFound = boolTrue + containerWithNameFound = true break } } @@ -180,14 +158,10 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log triggerAuthRef *kedav1alpha1.AuthenticationRef, podTemplateSpec *corev1.PodTemplateSpec, namespace string, secretsLister corev1listers.SecretLister) (map[string]string, kedav1alpha1.AuthPodIdentity, error) { if podTemplateSpec != nil { - authParams, podIdentity := resolveAuthRef(ctx, client, logger, triggerAuthRef, &podTemplateSpec.Spec, namespace, secretsLister) + authParams, podIdentity := resolveAuthRef(ctx, client, logger, triggerAuthRef, podTemplateSpec, namespace, secretsLister) - switch podIdentity.Provider { - case kedav1alpha1.PodIdentityProviderAwsEKS: - serviceAccountName := defaultServiceAccount - if podTemplateSpec.Spec.ServiceAccountName != "" { - serviceAccountName = podTemplateSpec.Spec.ServiceAccountName - } + if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsEKS { + serviceAccountName := podTemplateSpec.Spec.ServiceAccountName serviceAccount := &corev1.ServiceAccount{} err := client.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: namespace}, serviceAccount) if err != nil { 
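Review bot: The `default` service-account fallback is removed from the EKS branch of ResolveAuthRefAndPodIdentity, so a workload that sets no `serviceAccountName` (Kubernetes then runs it as `default`) now calls `client.Get` with an empty name, which the client rejects, and role resolution fails for the most common pod spec. Restore it before the lookup: `serviceAccountName := podTemplateSpec.Spec.ServiceAccountName; if serviceAccountName == "" { serviceAccountName = "default" }`. The same lookup is duplicated in the handler's `getRoleArnAwsEKS` later in this diff, also without the fallback; one shared helper would keep the two in step. The function continues past the end of this hunk.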
@@ -195,17 +169,8 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log fmt.Errorf("error getting service account: '%s', error: %w", serviceAccountName, err) } authParams["awsRoleArn"] = serviceAccount.Annotations[kedav1alpha1.PodIdentityAnnotationEKS] - case kedav1alpha1.PodIdentityProviderAwsKiam: + } else if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAwsKiam { authParams["awsRoleArn"] = podTemplateSpec.ObjectMeta.Annotations[kedav1alpha1.PodIdentityAnnotationKiam] - case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload: - if podIdentity.Provider == kedav1alpha1.PodIdentityProviderAzure { - // FIXME: Delete this for v2.15 - logger.Info("WARNING: Azure AD Pod Identity has been archived (https://github.com/Azure/aad-pod-identity#-announcement) and will be removed from KEDA on v2.15") - } - if podIdentity.IdentityID != nil && *podIdentity.IdentityID == "" { - return nil, kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, fmt.Errorf("IdentityID of PodIdentity should not be empty") - } - default: } return authParams, podIdentity, nil } @@ -217,7 +182,7 @@ func ResolveAuthRefAndPodIdentity(ctx context.Context, client client.Client, log // resolveAuthRef provides authentication parameters needed authenticate scaler with the environment. // based on authentication method defined in TriggerAuthentication, authParams and podIdentity is returned func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logger, - triggerAuthRef *kedav1alpha1.AuthenticationRef, podSpec *corev1.PodSpec, + triggerAuthRef *kedav1alpha1.AuthenticationRef, podTemplateSpec *corev1.PodTemplateSpec, namespace string, secretsLister corev1listers.SecretLister) (map[string]string, kedav1alpha1.AuthPodIdentity) { result := make(map[string]string) var podIdentity kedav1alpha1.AuthPodIdentity 
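Review bot: The Azure and Azure Workload case disappears from the provider dispatch, so the check that rejected an explicitly empty `identityId` (`podIdentity.IdentityID != nil && *podIdentity.IdentityID == ""`) no longer runs here and the empty value reaches the scaler; unless that validation now lives in a webhook I can't see, keep it as a branch for `PodIdentityProviderAzure` and `PodIdentityProviderAzureWorkload` returning the same error. Replacing the `switch` with an `if`/`else if` chain also goes the less idiomatic direction for a provider dispatch in Go; a `switch podIdentity.Provider` with one case per provider reads better and gives the `azure` deprecation warning a natural home. The enclosing function starts before this hunk.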
@@ -232,11 +197,11 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge } if triggerAuthSpec.Env != nil { for _, e := range triggerAuthSpec.Env { - if podSpec == nil { + if podTemplateSpec == nil { result[e.Parameter] = "" continue } - env, err := ResolveContainerEnv(ctx, client, logger, podSpec, e.ContainerName, namespace, secretsLister) + env, err := ResolveContainerEnv(ctx, client, logger, &podTemplateSpec.Spec, e.ContainerName, namespace, secretsLister) if err != nil { result[e.Parameter] = "" } else { @@ -244,11 +209,6 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge } } } - if triggerAuthSpec.ConfigMapTargetRef != nil { - for _, e := range triggerAuthSpec.ConfigMapTargetRef { - result[e.Parameter] = resolveAuthConfigMap(ctx, client, logger, e.Name, triggerNamespace, e.Key) - } - } if triggerAuthSpec.SecretTargetRef != nil { for _, e := range triggerAuthSpec.SecretTargetRef { result[e.Parameter] = resolveAuthSecret(ctx, client, logger, e.Name, triggerNamespace, e.Key, secretsLister) 
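Review bot: The `ConfigMapTargetRef` loop is removed from resolveAuthRef with nothing in its place, so a TriggerAuthentication that still declares `configMapTargetRef` entries (the spec type is not touched in this diff, so I assume the field remains) has those parameters silently absent from `result` instead of being rejected. If dropping the feature is intended, remove the field from the spec or log where the loop was, e.g. `if len(triggerAuthSpec.ConfigMapTargetRef) > 0 { logger.Error(fmt.Errorf("configMapTargetRef is not supported"), "ignoring configMapTargetRef", "triggerAuthRef.Name", triggerAuthRef.Name) }`; if this is a merge artifact against a newer base, restore the loop. resolveAuthRef continues beyond this hunk.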
@@ -260,16 +220,22 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge if err != nil { logger.Error(err, "error authenticate to Vault", "triggerAuthRef.Name", triggerAuthRef.Name) } else { - secrets, err := vault.ResolveSecrets(triggerAuthSpec.HashiCorpVault.Secrets) - if err != nil { - logger.Error(err, "could not get secrets from vault", - "triggerAuthRef.Name", triggerAuthRef.Name, - ) - } else { - for _, e := range secrets { - result[e.Parameter] = e.Value + for _, e := range triggerAuthSpec.HashiCorpVault.Secrets { + secret, err := vault.Read(e.Path) + if err != nil { + logger.Error(err, "error trying to read secret from Vault", "triggerAuthRef.Name", triggerAuthRef.Name, + "secret.path", e.Path) + } else { + if secret == nil { + // sometimes there is no error, but `vault.Read(e.Path)` is not being able to parse the secret and returns nil + logger.Error(fmt.Errorf("unable to parse secret, is the provided path correct?"), "Error trying to read secret from Vault", + "triggerAuthRef.Name", triggerAuthRef.Name, "secret.path", e.Path) + } else { + result[e.Parameter] = resolveVaultSecret(logger, secret.Data, e.Key) + } } } + vault.Stop() } } @@ -292,7 +258,7 @@ func resolveAuthRef(ctx context.Context, client client.Client, logger logr.Logge } if triggerAuthSpec.AwsSecretManager != nil && len(triggerAuthSpec.AwsSecretManager.Secrets) > 0 { AwsSecretManagerHandler := NewAwsSecretManagerHandler(triggerAuthSpec.AwsSecretManager) - err := AwsSecretManagerHandler.Initialize(ctx, client, logger, triggerNamespace, secretsLister) + err := AwsSecretManagerHandler.Initialize(ctx, client, logger, triggerNamespace, secretsLister, podTemplateSpec) if err != nil { logger.Error(err, "error authenticating to Aws Secret Manager", "triggerAuthRef.Name", triggerAuthRef.Name) } else { 
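Review bot: `AwsSecretManagerHandler.Initialize` now receives `podTemplateSpec` unconditionally, but earlier in the same function a nil template is treated as a supported input (the `Env` loop short-circuits on it), and the handler's EKS and Kiam branches index `podTemplateSpec.Spec` and `podTemplateSpec.ObjectMeta` directly; a TriggerAuthentication using AWS pod identity with no resolved template is therefore a nil-pointer panic in the operator. Guard at this call site — `if podTemplateSpec == nil && triggerAuthSpec.AwsSecretManager.PodIdentity != nil { logger.Error(fmt.Errorf("pod identity requires a pod template"), "skipping AWS Secret Manager", "triggerAuthRef.Name", triggerAuthRef.Name) }` before calling Initialize — or have Initialize return an error for that combination. In the Vault hunk `vault.Stop()` runs only on the success path; whether a failed `Initialize` leaves anything to stop isn't visible here. resolveAuthRef continues past this hunk.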
@@ -338,8 +304,7 @@ func getTriggerAuthSpec(ctx context.Context, client client.Client, triggerAuthRe func resolveEnv(ctx context.Context, client client.Client, logger logr.Logger, container *corev1.Container, namespace string, secretsLister corev1listers.SecretLister) (map[string]string, error) { resolved := make(map[string]string) - secretAccessRestricted := isSecretAccessRestricted(logger) - accessSecrets := readSecrets(secretAccessRestricted, namespace) + if container.EnvFrom != nil { for _, source := range container.EnvFrom { if source.ConfigMapRef != nil { @@ -355,7 +320,7 @@ func resolveEnv(ctx context.Context, client client.Client, logger logr.Logger, c default: return nil, fmt.Errorf("error reading config ref %s on namespace %s/: %w", source.ConfigMapRef, namespace, err) } - } else if source.SecretRef != nil && accessSecrets { + } else if source.SecretRef != nil { secretsMap, err := resolveSecretMap(ctx, client, logger, source.SecretRef, namespace, secretsLister) switch { case err == nil: @@ -384,7 +349,7 @@ func resolveEnv(ctx context.Context, client client.Client, logger logr.Logger, c } else if envVar.ValueFrom != nil { // env is an EnvVarSource, that can be on of the 4 below switch { - case envVar.ValueFrom.SecretKeyRef != nil && accessSecrets: + case envVar.ValueFrom.SecretKeyRef != nil: // env is a secret selector value, err = resolveSecretValue(ctx, client, logger, envVar.ValueFrom.SecretKeyRef, envVar.ValueFrom.SecretKeyRef.Key, namespace, secretsLister) if err != nil { @@ -419,13 +384,6 @@ func resolveEnv(ctx context.Context, client client.Client, logger logr.Logger, c return resolved, nil } -func readSecrets(secretAccessRestricted bool, namespace string) bool { - if secretAccessRestricted && (namespace != kedaNamespace) { - return boolFalse - } - return boolTrue -} - func resolveEnvValue(value string, env map[string]string) string { var buf bytes.Buffer checkpoint := 0 
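Review bot: The secret-access gate is dropped from resolveEnv: the `accessSecrets := readSecrets(...)` computation, both `&& accessSecrets` conditions and `readSecrets` itself are removed, and `isSecretAccessRestricted` (still defined in an earlier hunk) is no longer consulted anywhere in this function. With the restriction enabled, a TriggerAuthentication `env` reference in any namespace will now still read that workload's Secret-backed environment variables, which, per the flag's own log message, is what the setting is meant to confine to the KEDA namespace. Unless this is a merge artifact against a newer base (several hunks here also drop unrelated guards), restore `accessSecrets := readSecrets(isSecretAccessRestricted(logger), namespace)` and the two `&& accessSecrets` checks. resolveEnv extends past the end of this hunk.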
@@ -525,16 +483,6 @@ func resolveConfigValue(ctx context.Context, client client.Client, configKeyRef return configMap.Data[keyName], nil } -func resolveAuthConfigMap(ctx context.Context, client client.Client, logger logr.Logger, name, namespace, key string) string { - ref := &corev1.ConfigMapKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: name}, Key: key} - val, err := resolveConfigValue(ctx, client, ref, key, namespace) - if err != nil { - logger.Error(err, "error trying to get config map from namespace", "ConfigMap.Namespace", namespace, "ConfigMap.Name", name) - return "" - } - return val -} - func resolveAuthSecret(ctx context.Context, client client.Client, logger logr.Logger, name, namespace, key string, secretsLister corev1listers.SecretLister) string { if name == "" || namespace == "" || key == "" { logger.Error(fmt.Errorf("error trying to get secret"), "name, namespace and key are required", "Secret.Namespace", namespace, "Secret.Name", name, "key", key) @@ -560,3 +508,23 @@ func resolveAuthSecret(ctx context.Context, client client.Client, logger logr.Lo return string(result) } + +func resolveVaultSecret(logger logr.Logger, data map[string]interface{}, key string) string { + if v2Data, ok := data["data"].(map[string]interface{}); ok { + if value, ok := v2Data[key]; ok { + if s, ok := value.(string); ok { + return s + } + } else { + logger.Error(fmt.Errorf("key '%s' not found", key), "error trying to get key from Vault secret") + return "" + } + } else if vData, ok := data[key]; ok { + if s, ok := vData.(string); ok { + return s + } + } + + logger.Error(fmt.Errorf("unable to convert Vault Data value"), "error trying to convert Data secret vaule") + return "" +} diff --git a/pkg/scaling/resolver/scale_resolvers_test.go b/pkg/scaling/resolver/scale_resolvers_test.go index 32596824b46..2ed2d31ed83 100644 --- a/pkg/scaling/resolver/scale_resolvers_test.go +++ b/pkg/scaling/resolver/scale_resolvers_test.go 
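Review bot: resolveVaultSecret decides a secret is KV v2 solely from `data["data"]` being a map, so a KV v1 secret that itself contains a key named `data` holding a map would be read from the wrong level; if v1 mounts are supported, falling back to `data[key]` when the nested lookup misses, or keying on the mount version, is safer — I can't tell from this diff which engines are expected. The nested branch returns immediately after logging `key '%s' not found`, while a found-but-non-string value falls through to the generic message, so two different failures read the same to the caller; the final message also has a typo, `secret vaule` → `secret value`. None of the log calls include the secret value, which is right.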
@@ -251,7 +251,7 @@ func TestResolveAuthRef(t *testing.T) {
 		name string
 		existing []runtime.Object
 		soar *kedav1alpha1.AuthenticationRef
-		podSpec *corev1.PodSpec
+		podTemplateSpec *corev1.PodTemplateSpec
 		expected map[string]string
 		expectedPodIdentity kedav1alpha1.AuthPodIdentity
 	}{
@@ -537,7 +537,7 @@ func TestResolveAuthRef(t *testing.T) {
 				fake.NewClientBuilder().WithScheme(scheme.Scheme).WithRuntimeObjects(test.existing...).Build(),
 				logf.Log.WithName("test"),
 				test.soar,
-				test.podSpec,
+				test.podTemplateSpec,
 				namespace,
 				secretsLister)
 			if diff := cmp.Diff(gotMap, test.expected); diff != "" {