kedacore
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apis/keda/v1alpha1/triggerauthentication_types.go‎
Lines changed: 3 additions & 0 deletions b/‎apis/keda/v1alpha1/triggerauthentication_types.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎config/crd/bases/keda.sh_clustertriggerauthentications.yaml‎
Lines changed: 2 additions & 0 deletions b/‎config/crd/bases/keda.sh_clustertriggerauthentications.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/crd/bases/keda.sh_triggerauthentications.yaml‎
Lines changed: 2 additions & 0 deletions b/‎config/crd/bases/keda.sh_triggerauthentications.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/scaling/resolver/hashicorpvault_handler.go‎
Lines changed: 24 additions & 12 deletions b/‎pkg/scaling/resolver/hashicorpvault_handler.go‎
Lines changed: 24 additions & 12 deletions
@@ -69,6 +69,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - **General**: Enable support on s390x for KEDA ([#6543](https://github.com/kedacore/keda/issues/6543))
 - **General**: Introduce new Solace Direct Messaging scaler ([#6545](https://github.com/kedacore/keda/issues/6545))
 - **General**: Introduce new Sumo Logic Scaler ([#6734](https://github.com/kedacore/keda/issues/6734))
+- **General**: Vault authentication via cross-namespace service accounts ([#6153](https://github.com/kedacore/keda/issues/6153))
 
 #### Experimental
 
 
@@ -239,6 +239,9 @@ type Credential struct {
 
 	// +optional
 	ServiceAccount string `json:"serviceAccount,omitempty"`
+
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // VaultAuthentication contains the list of Hashicorp Vault authentication methods
 
@@ -451,6 +451,8 @@ spec:
                     properties:
                       serviceAccount:
                         type: string
+                      serviceAccountName:
+                        type: string
                       token:
                         type: string
                     type: object
 
@@ -450,6 +450,8 @@ spec:
                     properties:
                       serviceAccount:
                         type: string
+                      serviceAccountName:
+                        type: string
                       token:
                         type: string
                     type: object
 
@@ -17,6 +17,7 @@ limitations under the License.
 package resolver
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -26,19 +27,24 @@ import (
 	vaultapi "github.com/hashicorp/vault/api"
 
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
+	"github.com/kedacore/keda/v2/pkg/scalers/authentication"
 )
 
 // HashicorpVaultHandler is a specification of HashiCorp Vault
 type HashicorpVaultHandler struct {
-	vault  *kedav1alpha1.HashiCorpVault
-	client *vaultapi.Client
-	stopCh chan struct{}
+	vault     *kedav1alpha1.HashiCorpVault
+	client    *vaultapi.Client
+	acs       *authentication.AuthClientSet
+	namespace string
+	stopCh    chan struct{}
 }
 
 // NewHashicorpVaultHandler creates a HashicorpVaultHandler object
-func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault) *HashicorpVaultHandler {
+func NewHashicorpVaultHandler(v *kedav1alpha1.HashiCorpVault, acs *authentication.AuthClientSet, namespace string) *HashicorpVaultHandler {
 	return &HashicorpVaultHandler{
-		vault: v,
+		vault:     v,
+		acs:       acs,
+		namespace: namespace,
 	}
 }
 
@@ -87,6 +93,8 @@ func (vh *HashicorpVaultHandler) Initialize(logger logr.Logger) error {
 // token Extract a vault token from the Authentication method
 func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error) {
 	var token string
+	var jwt []byte
+	var err error
 
 	switch vh.vault.Authentication {
 	case kedav1alpha1.VaultAuthenticationToken:
@@ -115,23 +123,27 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 			vh.vault.Credential = &defaultCred
 		}
 
-		if len(vh.vault.Credential.ServiceAccount) == 0 {
-			return token, errors.New("k8s SA file not in config")
+		if vh.vault.Credential.ServiceAccountName == "" && vh.vault.Credential.ServiceAccount == "" {
+			return token, errors.New("k8s SA file not in config or serviceAccountName not supplied")
 		}
 
-		// Get the JWT from POD
-		jwt, err := os.ReadFile(vh.vault.Credential.ServiceAccount)
-		if err != nil {
-			return token, err
+		if vh.vault.Credential.ServiceAccountName != "" {
+			jwt = []byte(GenerateBoundServiceAccountToken(context.Background(), vh.vault.Credential.ServiceAccountName, vh.namespace, vh.acs))
+		} else if len(vh.vault.Credential.ServiceAccount) != 0 {
+			// Get the JWT from POD
+			jwt, err = os.ReadFile(vh.vault.Credential.ServiceAccount)
+			if err != nil {
+				return token, err
+			}
 		}
 
 		data := map[string]interface{}{"jwt": string(jwt), "role": vh.vault.Role}
 		secret, err := client.Logical().Write(fmt.Sprintf("auth/%s/login", vh.vault.Mount), data)
 		if err != nil {
 			return token, err
 		}
-
 		token = secret.Auth.ClientToken
+
 	default:
 		return token, fmt.Errorf("vault auth method %s is not supported", vh.vault.Authentication)
 	}
Original file line number	Diff line number	Diff line change
`@@ -239,6 +239,9 @@ type Credential struct {`
`239`	`239`
`240`	`240`	`// +optional`
`241`	`241`	ServiceAccount string `json:"serviceAccount,omitempty"`
	`242`	`+`
	`243`	`+ // +optional`
	`244`	+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
`242`	`245`	`}`
`243`	`246`
`244`	`247`	`// VaultAuthentication contains the list of Hashicorp Vault authentication methods`