Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: support BoundServiceAccountToken triggerAuth provider #701

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: support BoundServiceAccountToken triggerAuth provider #701

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
285f693
Update CRDs for BoundServiceAccountToken triggerAuth source
maxcao13 Nov 6, 2024
af77d3c
Add serviceAccountTokenCreationRoles helm chart array value
maxcao13 Feb 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions keda/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ their default values.
| `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) |
| `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name |
| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace |
| `permissions.operator.restrict.serviceAccountTokenCreationRoles` | list | `[]` | Creates roles and rolebindings from namespaced service accounts in the array which allow the KEDA operator to request service account tokens |
| `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator |
| `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] |
| `podLabels.keda` | object | `{}` | Pod labels for KEDA operator |
Expand Down
12 changes: 12 additions & 0 deletions keda/templates/crds/crd-clustertriggerauthentications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,18 @@ spec:
- secrets
- vaultUri
type: object
boundServiceAccountToken:
items:
properties:
parameter:
type: string
serviceAccountName:
type: string
required:
- parameter
- serviceAccountName
type: object
type: array
configMapTargetRef:
items:
description: AuthConfigMapTargetRef is used to authenticate using
Expand Down
12 changes: 12 additions & 0 deletions keda/templates/crds/crd-triggerauthentications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,18 @@ spec:
- secrets
- vaultUri
type: object
boundServiceAccountToken:
items:
properties:
parameter:
type: string
serviceAccountName:
type: string
required:
- parameter
- serviceAccountName
type: object
type: array
configMapTargetRef:
items:
description: AuthConfigMapTargetRef is used to authenticate using
Expand Down
47 changes: 47 additions & 0 deletions keda/templates/manager/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -210,4 +210,51 @@ rules:
- list
- watch
{{- end -}}
{{- if .Values.permissions.operator.restrict.serviceAccountTokenCreationRoles }}
{{- range $r := .Values.permissions.operator.restrict.serviceAccountTokenCreationRoles }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
{{- with $.Values.additionalAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ $.Values.operator.name }}
{{- include "keda.labels" $ | indent 4 }}
name: {{ $.Values.operator.name }}-token-creator-{{ $r.name }}
namespace: {{ $r.namespace }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
resourceNames:
- {{ $r.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
{{- with $.Values.additionalAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ $.Values.operator.name }}
{{- include "keda.labels" $ | indent 4 }}
name: {{ $.Values.operator.name }}-token-creator-{{ $r.name }}
namespace: {{ $r.namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $.Values.operator.name }}-token-creator-{{ $r.name }}
subjects:
- kind: ServiceAccount
name: {{ $.Values.operator.name }}
namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}
{{- end -}}
7 changes: 7 additions & 0 deletions keda/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -846,6 +846,12 @@ permissions:
# also the configured `watchNamespace`.
# the default is an empty array -> no restriction on the secret name
namesAllowList: []
# -- Creates roles and rolebindings from namespaced service accounts in the array which allow the KEDA operator
# to request service account tokens for use with the boundServiceAccountToken trigger source.
# If the namespace does not exist, this will cause the helm chart installation to fail.
serviceAccountTokenCreationRoles: []
# - name: myServiceAccount
# namespace: myServiceAccountNamespace

# -- Array of extra K8s manifests to deploy
extraObjects: []
Expand All @@ -867,3 +873,4 @@ customManagedBy: ""
# -- Enable service links in pods. Although enabled, mirroring k8s default, it is highly recommended to disable,
# due to its legacy status [Legacy container links](https://docs.docker.com/engine/network/links/)
enableServiceLinks: true