diff --git a/CHANGELOG.md b/CHANGELOG.md
index d230956e6a4..fd4216996ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,7 @@ Here is an overview of all new **experimental** features:
 
 - **General**: Add parameter queryParameters to prometheus-scaler ([#4962](https://github.com/kedacore/keda/issues/4962))
 - **General**: Support TriggerAuthentication properties from ConfigMap ([#4830](https://github.com/kedacore/keda/issues/4830))
+- **Hashicorp Vault*: Fix operator panic when spec.hashiCorpVault.credential.serviceAccount is not set ([#4964](https://github.com/kedacore/keda/issues/4964))
 - **Hashicorp Vault**: Add support to get secret that needs write operation (e.g. pki) ([#5067](https://github.com/kedacore/keda/issues/5067))
 - **Kafka Scaler**: Ability to set upper bound to the number of partitions with lag ([#3997](https://github.com/kedacore/keda/issues/3997))
 - **Kafka Scaler**: Add support for Kerberos authentication (SASL / GSSAPI) ([#4836](https://github.com/kedacore/keda/issues/4836))
diff --git a/pkg/scaling/resolver/hashicorpvault_handler.go b/pkg/scaling/resolver/hashicorpvault_handler.go
index 67427feb571..b2c7f94f6e5 100644
--- a/pkg/scaling/resolver/hashicorpvault_handler.go
+++ b/pkg/scaling/resolver/hashicorpvault_handler.go
@@ -110,6 +110,13 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 return token, errors.New("k8s role not in config")
 }
 
+ if vh.vault.Credential == nil {
+ defaultCred := kedav1alpha1.Credential{
+ ServiceAccount: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+ }
+ vh.vault.Credential = &defaultCred
+ }
+
 if len(vh.vault.Credential.ServiceAccount) == 0 {
 return token, errors.New("k8s SA file not in config")
 }
diff --git a/pkg/scaling/resolver/hashicorpvault_handler_test.go b/pkg/scaling/resolver/hashicorpvault_handler_test.go
index d05397fae9d..9faf1e3c5c7 100644
--- a/pkg/scaling/resolver/hashicorpvault_handler_test.go
+++ b/pkg/scaling/resolver/hashicorpvault_handler_test.go
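Review bot: In `token()` in `hashicorpvault_handler.go`, the nil-`Credential` branch writes the default into `vh.vault.Credential`, which mutates the `HashiCorpVault` spec the handler was handed, and a non-nil `Credential` with an empty `ServiceAccount` still falls through to the old `k8s SA file not in config` error, so the two "not set" cases behave differently. Resolving the path into a local instead (a proposed `saPath := defaultServiceAccountTokenPath`, overridden only when `vh.vault.Credential != nil && vh.vault.Credential.ServiceAccount != ""`) would cover both cases without touching the caller's object; the code that actually reads the file is outside this hunk, so that part needs confirming. The literal path is also repeated in the new test, so a package-level `const` would be the natural home for it, with a comment stating that this is the pod's own projected service-account token and that omitting `credential` therefore authenticates to the configured Vault address with the operator's identity.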
@@ -345,6 +345,25 @@ func TestHashicorpVaultHandler_ResolveSecret(t *testing.T) {
 }
 }
 
+func TestHashicorpVaultHandler_DefaultKubernetesVaultRole(t *testing.T) {
+ defaultServiceAccountPath := "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ server := mockVault(t)
+ defer server.Close()
+
+ vault := kedav1alpha1.HashiCorpVault{
+ Address: server.URL,
+ Authentication: kedav1alpha1.VaultAuthenticationKubernetes,
+ Mount: "my-mount",
+ Role: "my-role",
+ }
+
+ vaultHandler := NewHashicorpVaultHandler(&vault)
+ err := vaultHandler.Initialize(logf.Log.WithName("test"))
+ defer vaultHandler.Stop()
+ assert.Errorf(t, err, "open %s : no such file or directory", defaultServiceAccountPath)
+ assert.Equal(t, vaultHandler.vault.Credential.ServiceAccount, defaultServiceAccountPath)
+}
+
 func TestHashicorpVaultHandler_ResolveSecrets_SameCertAndKey(t *testing.T) {
 server := mockVault(t)
 defer server.Close()
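Review bot: `assert.Errorf` in the new test only asserts that `err` is non-nil; the format string and `defaultServiceAccountPath` are the failure message, so any error from `Initialize` satisfies it and the test would not notice if the default path were never opened. Assuming the file-open error is surfaced to the caller, `assert.ErrorContains(t, err, defaultServiceAccountPath)` would tie the assertion to the path. The `assert.Equal` arguments are in actual/expected order, whereas testify expects `assert.Equal(t, defaultServiceAccountPath, vaultHandler.vault.Credential.ServiceAccount)`. The test also appears to rely on the token file being absent on the machine running it, which deserves a one-line comment such as `// expects no service-account token on the test host`.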