From dbe1f608396cb9ddaae5b4b16c6870c980ef3bc4 Mon Sep 17 00:00:00 2001
From: Nisan Itzhakov
Date: Wed, 8 Jul 2020 11:55:14 +0300
Subject: [PATCH] Provide support for authentication with secrets from HashiCorp Vault (#56)

Signed-off-by: Nisan Itzhakov
---
 keda/templates/12-keda-deployment.yaml | 16 ++++++++++++++--
 keda/templates/22-metrics-deployment.yaml | 16 ++++++++++++++--
 keda/values.yaml | 10 ++++++++++
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/keda/templates/12-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml
index 46a41020..efc44495 100644
--- a/keda/templates/12-keda-deployment.yaml
+++ b/keda/templates/12-keda-deployment.yaml
@@ -60,19 +60,31 @@ spec:
 fieldPath: metadata.name
 - name: OPERATOR_NAME
 value: {{ .Values.operatorName }}
- {{- if .Values.grpcTLSCertsSecret }}
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 12 -}}
+ {{- end }}
 volumeMounts:
+ {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
 mountPath: /grpccerts
 {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ mountPath: /hashicorp-vaultcerts
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
- {{- if .Values.grpcTLSCertsSecret }}
 volumes:
+ {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
 secret:
 secretName: {{ .Values.grpcTLSCertsSecret }}
 {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ secret:
+ secretName: {{ .Values.hashiCorpVaultTLS }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml
index 1acde84c..33a1ff50 100644
--- a/keda/templates/22-metrics-deployment.yaml
+++ b/keda/templates/22-metrics-deployment.yaml
@@ -46,6 +46,9 @@ spec:
 env:
 - name: WATCH_NAMESPACE
 value: ""
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 12 -}}
+ {{- end }}
 args:
 - /usr/local/bin/keda-adapter
 - --secure-port=6443
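Review bot: The right-trim on the new `{{- toYaml .Values.env | nindent 12 -}}` line also strips the newline and indentation in front of the following `volumeMounts:` key, so once `.Values.env` is set the last rendered env entry and `volumeMounts:` land on one line and the rendered Deployment is no longer valid YAML (Helm's toYaml output carries no trailing newline, so nothing else separates them). The matching `{{- if .Values.env }}` block in the metrics adapter hunk at `@@ -46,6 +46,9 @@` has the same trim in front of `args:`. Dropping the trailing dash, `{{- toYaml .Values.env | nindent 12 }}`, keeps the newline, exactly as the existing `{{- toYaml .Values.resources | nindent 12 }}` line in this hunk does. The container spec this hunk edits starts before the hunk, so the env list's opening is not visible here.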
@@ -58,19 +61,28 @@ spec:
 - containerPort: {{ .Values.service.portHttpTarget }}
 name: http
 protocol: TCP
- {{- if .Values.grpcTLSCertsSecret }}
 volumeMounts:
+ {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
 mountPath: /grpccerts
 {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ mountPath: /hashicorp-vaultcerts
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
- {{- if .Values.grpcTLSCertsSecret }}
 volumes:
+ {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
 secret:
 secretName: {{ .Values.grpcTLSCertsSecret }}
 {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ secret:
+ secretName: {{ .Values.hashiCorpVaultTLS }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/keda/values.yaml b/keda/values.yaml
index ac13a1ba..f192db0d 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -47,6 +47,11 @@ aadPodIdentity: ""
 # will be mounted to the /grpccerts path on the Pod
 grpcTLSCertsSecret: ""

+# Set this if you are using HashiCorp Vault and want to communicate
+# over TLS (recommended). This variable holds the name of the secret that
+# will be mounted to the /vault path on the Pod
+hashiCorpVaultTLS: ""
+
 ## Logging level for KEDA Controller
 # allowed values: 'debug', 'info', 'error', or an integer value greater than 0, specified as string
 # default value: info
@@ -110,3 +115,8 @@ affinity: {}

 ## Optional priorityClassName for KEDA Controller and Metrics Adapter
 priorityClassName: ""
+
## Extra environment variables that will be passed onto Keda operator and metrics api service
env:
+# - name: ENV_NAME
+# value: 'ENV-VALUE'
\ No newline at end of file
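Review bot: The new `hashicorp-vault-certs` volumeMount in this hunk (and its twin in `12-keda-deployment.yaml`) exposes a Secret that, per the values.yaml comment, holds the TLS material for talking to Vault, yet the mount is writable although the adapter only needs to read it. Adding `readOnly: true` under `mountPath: /hashicorp-vaultcerts` keeps a misbehaving or compromised process from altering the trust material in place and costs nothing at runtime. The container spec and the pod-level `volumes:` list both begin outside this hunk.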
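Review bot: The comment added above `hashiCorpVaultTLS` says the secret "will be mounted to the /vault path on the Pod", but both deployment templates in this patch mount it at `/hashicorp-vaultcerts`, so anyone configuring a CA path from this comment will point at a directory that does not exist. Suggested wording: `# will be mounted to the /hashicorp-vaultcerts path on the Pod`. It would also help to state which keys the secret is expected to contain (for example whether a CA bundle alone is enough or a client certificate and key are required), since the template does not constrain that.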
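Review bot: The new `env:` key in values.yaml has only commented-out children, so YAML loads it as null; the `{{- if .Values.env }}` guards treat null as unset, so it renders correctly today, but a bare key is easy to misread and some tooling rewrites it. `env: []` states the default explicitly and is still falsy for the template guard, so the example can stay in the comment below it. The hunk also ends with `\ No newline at end of file`, which is worth fixing while the file is being touched.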