From 1c560ae0ce29c2ae5e58411de0a1fda8586b4ef2 Mon Sep 17 00:00:00 2001
From: Dao Thanh Tung
Date: Mon, 20 Nov 2023 13:20:09 +0000
Subject: [PATCH] Fix operator panic when spec.hashiCorpVault.credential.serviceAccount is not set (#5180)
Signed-off-by: dttung2905
---
 CHANGELOG.md | 1 +
 .../resolver/hashicorpvault_handler.go | 7 +++++++
 .../resolver/hashicorpvault_handler_test.go | 19 +++++++++++++++++++
 3 files changed, 27 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2950472e5e..6b2871ad466 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,6 +63,7 @@ Here is an overview of all new **experimental** features:
 - **General**: Add parameter queryParameters to prometheus-scaler ([#4962](https://github.com/kedacore/keda/issues/4962))
 - **General**: Support TriggerAuthentication properties from ConfigMap ([#4830](https://github.com/kedacore/keda/issues/4830))
 - **Hashicorp Vault**: Add support to get secret that needs write operation (e.g. pki) ([#5067](https://github.com/kedacore/keda/issues/5067))
+- **Hashicorp Vault**: Fix operator panic when spec.hashiCorpVault.credential.serviceAccount is not set ([#4964](https://github.com/kedacore/keda/issues/4964))
 - **Kafka Scaler**: Ability to set upper bound to the number of partitions with lag ([#3997](https://github.com/kedacore/keda/issues/3997))
 - **Kafka Scaler**: Add more logging to check Sarama DescribeTopics method ([#5102](https://github.com/kedacore/keda/issues/5102))
 - **Kafka Scaler**: Add support for Kerberos authentication (SASL / GSSAPI) ([#4836](https://github.com/kedacore/keda/issues/4836))
diff --git a/pkg/scaling/resolver/hashicorpvault_handler.go b/pkg/scaling/resolver/hashicorpvault_handler.go
index 67427feb571..b2c7f94f6e5 100644
--- a/pkg/scaling/resolver/hashicorpvault_handler.go
+++ b/pkg/scaling/resolver/hashicorpvault_handler.go
@@ -110,6 +110,13 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 return token, errors.New("k8s role not in config")
 }
 
+ if vh.vault.Credential == nil {
+ defaultCred := kedav1alpha1.Credential{
+ ServiceAccount: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+ }
+ vh.vault.Credential = &defaultCred
+ }
+
 if len(vh.vault.Credential.ServiceAccount) == 0 {
 return token, errors.New("k8s SA file not in config")
 }
diff --git a/pkg/scaling/resolver/hashicorpvault_handler_test.go b/pkg/scaling/resolver/hashicorpvault_handler_test.go
index d05397fae9d..9faf1e3c5c7 100644
--- a/pkg/scaling/resolver/hashicorpvault_handler_test.go
+++ b/pkg/scaling/resolver/hashicorpvault_handler_test.go
@@ -345,6 +345,25 @@ func TestHashicorpVaultHandler_ResolveSecret(t *testing.T) {
 }
 }
 
+func TestHashicorpVaultHandler_DefaultKubernetesVaultRole(t *testing.T) {
+ defaultServiceAccountPath := "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ server := mockVault(t)
+ defer server.Close()
+
+ vault := kedav1alpha1.HashiCorpVault{
+ Address: server.URL,
+ Authentication: kedav1alpha1.VaultAuthenticationKubernetes,
+ Mount: "my-mount",
+ Role: "my-role",
+ }
+
+ vaultHandler := NewHashicorpVaultHandler(&vault)
+ err := vaultHandler.Initialize(logf.Log.WithName("test"))
+ defer vaultHandler.Stop()
+ assert.Errorf(t, err, "open %s : no such file or directory", defaultServiceAccountPath)
+ assert.Equal(t, vaultHandler.vault.Credential.ServiceAccount, defaultServiceAccountPath)
+}
+
 func TestHashicorpVaultHandler_ResolveSecrets_SameCertAndKey(t *testing.T) {
 server := mockVault(t)
 defer server.Close()
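Review bot: In the hashicorpvault_handler.go hunk the fallback is applied only when `vh.vault.Credential` is nil, so a spec that has a `credential` block without `serviceAccount` still ends at "k8s SA file not in config", which is narrower than the changelog entry suggests. The default is also stored with `vh.vault.Credential = &defaultCred`, which mutates the HashiCorpVault object the handler was built from; if that pointer is shared with a cached TriggerAuthentication (not visible here) the write is a hidden side effect, and keeping the resolved path in a local would avoid it. Because the fallback makes the operator pod's own service-account token the credential presented to the Vault address from the spec, I would lift the literal into a named constant with a comment saying so, e.g. `const defaultServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"`, and reuse it in the test. token() starts before and continues past this hunk.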
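Review bot: In the new TestHashicorpVaultHandler_DefaultKubernetesVaultRole, `assert.Errorf(t, err, "open %s : no such file or directory", defaultServiceAccountPath)` does not compare the error text: assuming `assert` is testify, Errorf only requires a non-nil error and uses the remaining arguments as the failure message, so any Initialize failure (including one from the mock server) passes. Something like `assert.ErrorContains(t, err, defaultServiceAccountPath)`, or `assert.ErrorIs(t, err, os.ErrNotExist)` if the error is wrapped, would pin the cause to the missing token file. The test also assumes that file is absent on the machine running it, which would not hold if the suite runs inside a pod. `assert.Equal` takes the expected value first, so the two arguments on the last assertion should be swapped to keep failure output readable.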