Provide support for authentication with secrets from HashiCorp Vault (#…

…56)

Signed-off-by: Nisan Itzhakov <[email protected]>

keda/templates/12-keda-deployment.yaml

@@ -60,19 +60,31 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: {{ .Values.operatorName }}
-          {{- if .Values.grpcTLSCertsSecret }}
+            {{- if .Values.env }}
+            {{- toYaml .Values.env | nindent 12 -}}
+            {{- end }}
           volumeMounts:
+          {{- if .Values.grpcTLSCertsSecret }}
           - name: grpc-certs
             mountPath: /grpccerts
           {{- end }}
+          {{- if .Values.hashiCorpVaultTLS }}
+          - name: hashicorp-vault-certs
+            mountPath: /hashicorp-vaultcerts
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-      {{- if .Values.grpcTLSCertsSecret }}
       volumes:
+      {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs
         secret:
           secretName: {{ .Values.grpcTLSCertsSecret }}
       {{- end }}
+      {{- if .Values.hashiCorpVaultTLS }}
+      - name: hashicorp-vault-certs
+        secret:
+          secretName: {{ .Values.hashiCorpVaultTLS }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

keda/templates/22-metrics-deployment.yaml

@@ -46,6 +46,9 @@ spec:
           env:
             - name: WATCH_NAMESPACE
               value: ""
+            {{- if .Values.env }}
+            {{- toYaml .Values.env | nindent 12 -}}
+            {{- end }}
           args:
           - /usr/local/bin/keda-adapter
           - --secure-port=6443
@@ -58,19 +61,28 @@ spec:
             - containerPort: {{ .Values.service.portHttpTarget }}
               name: http
               protocol: TCP
-          {{- if .Values.grpcTLSCertsSecret }}
           volumeMounts:
+          {{- if .Values.grpcTLSCertsSecret }}
           - name: grpc-certs
             mountPath: /grpccerts
           {{- end }}
+          {{- if .Values.hashiCorpVaultTLS }}
+          - name: hashicorp-vault-certs
+            mountPath: /hashicorp-vaultcerts
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-      {{- if .Values.grpcTLSCertsSecret }}
       volumes:
+      {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs
         secret:
           secretName: {{ .Values.grpcTLSCertsSecret }}
       {{- end }}
+      {{- if .Values.hashiCorpVaultTLS }}
+      - name: hashicorp-vault-certs
+        secret:
+          secretName: {{ .Values.hashiCorpVaultTLS }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

keda/values.yaml

@@ -47,6 +47,11 @@ aadPodIdentity: ""
 # will be mounted to the /grpccerts path on the Pod
 grpcTLSCertsSecret: ""
 
+# Set this if you are using HashiCorp Vault and want to communicate
+# over TLS (recommended). This variable holds the name of the secret that
+# will be mounted to the /vault path on the Pod
+hashiCorpVaultTLS: ""
+
 ## Logging level for KEDA Controller 
 # allowed values: 'debug', 'info', 'error', or an integer value greater than 0, specified as string
 # default value: info
@@ -110,3 +115,8 @@ affinity: {}
 
 ## Optional priorityClassName for KEDA Controller and Metrics Adapter
 priorityClassName: ""
+
+## Extra environment variables that will be passed onto Keda operator and metrics api service
+env:
+# - name: ENV_NAME
+#   value: 'ENV-VALUE'