feat: add doc for hashicorp vault secret mode and data (#1242)

Signed-off-by: Loïs Postula <[email protected]>
kedacore · Oct 13, 2023 · dfdde58 · dfdde58
1 parent 3f1a9aa
commit dfdde58
Showing 1 changed file with 74 additions and 13 deletions.
diff --git a/content/docs/2.13/authentication-providers/hashicorp-vault.md b/content/docs/2.13/authentication-providers/hashicorp-vault.md
@@ -12,17 +12,78 @@ You can pull one or more Hashicorp Vault secrets into the trigger by defining th
 > The support for Vault secrets backend **version 1** was added on version `2.10`.
 
 ```yaml
-hashiCorpVault:                                     # Optional.
-  address: {hashicorp-vault-address}                # Required.
-  namespace: {hashicorp-vault-namespace}            # Optional. Default is root namespace. Useful for Vault Enterprise
-  authentication: token | kubernetes                # Required.
-  role: {hashicorp-vault-role}                      # Optional.
-  mount: {hashicorp-vault-mount}                    # Optional.
-  credential:                                       # Optional.
-    token: {hashicorp-vault-token}                  # Optional.
-    serviceAccount: {path-to-service-account-file}  # Optional.
-  secrets:                                          # Required.
-  - parameter: {scaledObject-parameter-name}        # Required.
-    key: {hasicorp-vault-secret-key-name}           # Required.
-    path: {hasicorp-vault-secret-path}              # Required.
+hashiCorpVault:                                               # Optional.
+  address: {hashicorp-vault-address}                          # Required.
+  namespace: {hashicorp-vault-namespace}                      # Optional. Default is root namespace. Useful for Vault Enterprise
+  authentication: token | kubernetes                          # Required.
+  role: {hashicorp-vault-role}                                # Optional.
+  mount: {hashicorp-vault-mount}                              # Optional.
+  credential:                                                 # Optional.
+    token: {hashicorp-vault-token}                            # Optional.
+    serviceAccount: {path-to-service-account-file}            # Optional.
+  secrets:                                                    # Required.
+  - parameter: {scaledObject-parameter-name}                  # Required.
+    key: {hashicorp-vault-secret-key-name}                    # Required.
+    path: {hashicorp-vault-secret-path}                       # Required.
+    type: {hashicorp-vault-secret-type}                       # Optional. Default to `""`. Allowed values: `secret`, `secretV2`, `pki`
+    pkidata: {hashicorp-vault-secret-pkidata}                 # Optional. Data to be send with the secret  if `hashicorp-vault-secret-type` is pki request
+      commonName: {hashicorp-vault-secret-pkidata-commonName} # Optional.
+      altNames: {hashicorp-vault-secret-pkidata-altNames}     # Optional.
+      ipSans: {hashicorp-vault-secret-pkidata-ipSans}         # Optional.
+      uriSans: {hashicorp-vault-secret-pkidata-uriSans}       # Optional.
+      otherSans: {hashicorp-vault-secret-pkidata-otherSans}   # Optional.
+      ttl: {hashicorp-vault-secret-pkidata-ttl}               # Optional.
+      format: {hashicorp-vault-secret-pkidata-format}         # Optional.
+```
+
+### Example
+Vault Secret can be used to provide authentication for a Scaler. If using the [Prometheus scaler](https://keda.sh/docs/2.3/scalers/prometheus/), mTls can be used by the `ScaledObject` to authenticate to the Prometheus server. The following example would request a certificate to Vault dynamically.
+```yaml
+apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+  name: {trigger-authentication-mame}
+  namespace: default
+spec:
+  hashiCorpVault:
+    address: {hashicorp-vault-address}
+    authentication: token
+    credential:
+      token: {hashicorp-vault-token}
+    secrets:
+      - key: "ca_chain"
+        parameter: "ca"
+        path: {hashicorp-vault-secret-path}
+        type: pki
+        pki_data:
+          common_name: {hashicorp-vault-secret-pkidata-commonName}
+      - key: "private_key"
+        parameter: "key"
+        path: {hashicorp-vault-secret-path}
+        type: pki
+        pki_data:
+          common_name: {hashicorp-vault-secret-pkidata-commonName}
+      - key: "certificate"
+        parameter: "cert"
+        path: {hashicorp-vault-secret-path}
+        type: pki
+        pki_data:
+          common_name: {hashicorp-vault-secret-pkidata-commonName}
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: {scaled-object-name}
+  namespace: default
+spec:
+  scaleTargetRef:
+    name: {deployment-name}
+  triggers:
+    - type: prometheus
+      metadata:
+        serverAddress: http://<prometheus-host>:9090
+        query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
+        authModes: "tls"
+      authenticationRef:
+        name: { trigger-authentication-mame }
 ```