
Support secret refs for Hashicorp Vault token auth in TriggerAuthentication#7571

Open
Kunalbehbud wants to merge 1 commit into kedacore:main from Kunalbehbud:feat/vault-token-from-secret

Conversation


@Kunalbehbud Kunalbehbud commented Mar 26, 2026

This PR adds secret-based token resolution for Hashicorp Vault authentication in TriggerAuthentication while preserving backward compatibility for existing plain-text configurations.

Checklist

  • When introducing a new scaler, I agree with the scaling governance policy (not applicable)
  • I have verified that my change is according to the deprecations & breaking changes policy
  • Tests have been added (if applicable)
  • Ensure make generate-scalers-schema has been run to update any outdated generated files
  • Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
  • A PR is opened to update our Helm chart (repo) (not applicable)
  • A PR is opened to update the documentation on (repo) (if applicable)
  • Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #6026

Relates to kedacore/keda-docs#1724

What changed

  • add spec.hashiCorpVault.credential.tokenFrom.secretKeyRef so Vault token auth can read the token from a Kubernetes Secret
  • keep existing spec.hashiCorpVault.credential.token support for backward compatibility, but mark it deprecated via admission warnings and documentation
  • resolve tokenFrom.secretKeyRef before constructing the Vault handler for both TriggerAuthentication and ClusterTriggerAuthentication
  • fix the Hashicorp Vault token auth path to return a clear error when credentials are missing instead of hitting a nil reference panic
  • update CRDs, generated deepcopy code, changelog, unit tests, and Hashicorp Vault e2e manifests/docs

Backward compatibility

  • existing plain-text credential.token configurations continue to work
  • when both tokenFrom.secretKeyRef and token are set, tokenFrom.secretKeyRef takes precedence
  • users receive admission warnings recommending migration away from plain-text Vault tokens

How it was tested

  • make generate
  • make manifests
  • make generate-scalers-schema
  • PATH="$(go env GOPATH)/bin:$PATH" make golangci
  • make test
  • go test -tags e2e ./tests/secret-providers/hashicorp_vault -run TestDoesNotExist
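As an added illustration of the resolution order described in this PR (not code from the PR or from KEDA): a hypothetical, simplified resolver that mirrors the credential fields by name, prefers tokenFrom.secretKeyRef over the plain-text token, produces the deprecation warning for plain-text-only configurations, and returns an error when the credential, the Secret or the key is missing instead of dereferencing nil later. The types, function names and sample Secret are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified mirror of the fields named in the PR; not KEDA's own types.
type SecretKeyRef struct{ Name, Key string }
type VaultCredential struct {
	Token     string        // spec.hashiCorpVault.credential.token (plain text, deprecated)
	TokenFrom *SecretKeyRef // spec.hashiCorpVault.credential.tokenFrom.secretKeyRef
}
type Secrets map[string]map[string][]byte // stands in for readable Kubernetes Secrets: name -> key -> value

// DeprecationWarning is the admission warning for a plain-text token with no secretKeyRef ("" otherwise).
func DeprecationWarning(cred *VaultCredential) string {
	if cred != nil && cred.Token != "" && cred.TokenFrom == nil {
		return "hashiCorpVault.credential.token is deprecated; use credential.tokenFrom.secretKeyRef"
	}
	return ""
}
// ResolveVaultToken: secretKeyRef takes precedence over token; anything missing is an error, not a nil dereference.
func ResolveVaultToken(cred *VaultCredential, secrets Secrets) (string, error) {
	if cred == nil {
		return "", errors.New("hashiCorpVault.credential is not set")
	}
	if ref := cred.TokenFrom; ref != nil {
		data, ok := secrets[ref.Name]
		if !ok {
			return "", fmt.Errorf("secret %q referenced by tokenFrom.secretKeyRef not found", ref.Name)
		}
		if tok := data[ref.Key]; len(tok) > 0 {
			return string(tok), nil
		}
		return "", fmt.Errorf("key %q missing or empty in secret %q", ref.Key, ref.Name)
	}
	if cred.Token != "" {
		return cred.Token, nil
	}
	return "", errors.New("no Vault token: set credential.tokenFrom.secretKeyRef")
}
func main() {
	secrets := Secrets{"vault-token": {"token": []byte("hvs.constructed-sample")}} // constructed sample
	cred := &VaultCredential{Token: "legacy-plain-text", TokenFrom: &SecretKeyRef{Name: "vault-token", Key: "token"}}
	tok, err := ResolveVaultToken(cred, secrets)
	fmt.Println(tok, err, DeprecationWarning(cred)) // secret ref wins; no warning since secretKeyRef is set
}
```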

@Kunalbehbud Kunalbehbud requested a review from a team as a code owner March 26, 2026 08:23
@keda-automation keda-automation requested a review from a team March 26, 2026 08:23
@github-actions

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer than expected.

While you are waiting, make sure to:

  • Add an entry in our changelog in alphabetical order and link related issue
  • Update the documentation, if needed
  • Add unit & e2e tests for your changes
  • GitHub checks are passing
  • Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.


snyk-io bot commented Mar 26, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine          | Critical | High | Medium | Low | Total (0) |
|--------|----------------------|----------|------|--------|-----|-----------|
| Passed | Open Source Security | 0        | 0    | 0      | 0   | 0 issues  |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@rickbrouwer rickbrouwer added auth and removed auth labels Mar 26, 2026
Development

Successfully merging this pull request may close these issues.

Hashicorp vault auth allow tokens directly set in TriggerAuthentication

2 participants