Understanding custom metrics autoscaler trigger authentications
A trigger authentication allows you to include authentication information in a scaled object or a scaled job that can be used by the associated containers. You can use trigger authentications to pass OKD secrets, platform-native pod authentication mechanisms, environment variables, and so on.
You define a TriggerAuthentication
object in the same namespace as the object that you want to scale. That trigger authentication can be used only by objects in that namespace.
Alternatively, to share credentials between objects in multiple namespaces, you can create a ClusterTriggerAuthentication
object that can be used across all namespaces.
Trigger authentications and cluster trigger authentication use the same configuration. However, a cluster trigger authentication requires an additional kind
parameter in the authentication reference of the scaled object.
Example trigger authentication with a secret
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
name: secret-triggerauthentication
namespace: my-namespace (1)
spec:
secretTargetRef: (2)
- parameter: user-name (3)
name: my-secret (4)
key: USER_NAME (5)
- parameter: password
name: my-secret
key: USER_PASSWORD
1 | Specifies the namespace of the object you want to scale. |
2 | Specifies that this trigger authentication uses a secret for authorization. |
3 | Specifies the authentication parameter to supply by using the secret. |
4 | Specifies the name of the secret to use. |
5 | Specifies the key in the secret to use with the specified parameter. |
Example cluster trigger authentication with a secret
kind: ClusterTriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata: (1)
name: secret-cluster-triggerauthentication
spec:
secretTargetRef: (2)
- parameter: user-name (3)
name: secret-name (4)
key: USER_NAME (5)
- parameter: user-password
name: secret-name
key: USER_PASSWORD
1 | Note that no namespace is used with a cluster trigger authentication. |
2 | Specifies that this trigger authentication uses a secret for authorization. |
3 | Specifies the authentication parameter to supply by using the secret. |
4 | Specifies the name of the secret to use. |
5 | Specifies the key in the secret to use with the specified parameter. |
Example trigger authentication with a token
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
name: token-triggerauthentication
namespace: my-namespace (1)
spec:
secretTargetRef: (2)
- parameter: bearerToken (3)
name: my-token-2vzfq (4)
key: token (5)
- parameter: ca
name: my-token-2vzfq
key: ca.crt
1 | Specifies the namespace of the object you want to scale. |
2 | Specifies that this trigger authentication uses a secret for authorization. |
3 | Specifies the authentication parameter to supply by using the token. |
4 | Specifies the name of the token to use. |
5 | Specifies the key in the token to use with the specified parameter. |
Example trigger authentication with an environment variable
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
name: env-var-triggerauthentication
namespace: my-namespace (1)
spec:
env: (2)
- parameter: access_key (3)
name: ACCESS_KEY (4)
containerName: my-container (5)
1 | Specifies the namespace of the object you want to scale. |
2 | Specifies that this trigger authentication uses environment variables for authorization. |
3 | Specify the parameter to set with this variable. |
4 | Specify the name of the environment variable. |
5 | Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by scaleTargetRef in the scaled object. |
Example trigger authentication with pod authentication providers
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
name: pod-id-triggerauthentication
namespace: my-namespace (1)
spec:
podIdentity: (2)
provider: aws-eks (3)
1 | Specifies the namespace of the object you want to scale. |
2 | Specifies that this trigger authentication uses a platform-native pod authentication method for authorization. |
3 | Specifies a pod identity. Supported values are none , azure , aws-eks , or aws-kiam . The default is none . |
Additional resources
- For information about OKD secrets, see Providing sensitive data to pods.
Using trigger authentications
You use trigger authentications and cluster trigger authentications by using a custom resource to create the authentication, then add a reference to a scaled object or scaled job.
Prerequisites
The Custom Metrics Autoscaler Operator must be installed.
If you are using a secret, the
Secret
object must exist, for example:Example secret
apiVersion: v1
kind: Secret
metadata:
name: my-secret
data:
user-name: <base64_USER_NAME>
password: <base64_USER_PASSWORD>
Procedure
Create the
TriggerAuthentication
orClusterTriggerAuthentication
object.Create a YAML file that defines the object:
Example trigger authentication with a secret
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
name: prom-triggerauthentication
namespace: my-namespace
spec:
secretTargetRef:
- parameter: user-name
name: my-secret
key: USER_NAME
- parameter: password
name: my-secret
key: USER_PASSWORD
Create the
TriggerAuthentication
object:$ oc create -f <filename>.yaml
Create or edit a
ScaledObject
YAML file that uses the trigger authentication:Create a YAML file that defines the object by running the following command:
Example scaled object with a trigger authentication
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: scaledobject
namespace: my-namespace
spec:
scaleTargetRef:
name: example-deployment
maxReplicaCount: 100
minReplicaCount: 0
pollingInterval: 30
triggers:
- type: prometheus
metadata:
serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
namespace: kedatest # replace <NAMESPACE>
metricName: http_requests_total
threshold: '5'
query: sum(rate(http_requests_total{job="test-app"}[1m]))
authModes: "basic"
authenticationRef:
name: prom-triggerauthentication (1)
kind: TriggerAuthentication (2)
1 Specify the name of your trigger authentication object. 2 Specify TriggerAuthentication
.TriggerAuthentication
is the default.Example scaled object with a cluster trigger authentication
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: scaledobject
namespace: my-namespace
spec:
scaleTargetRef:
name: example-deployment
maxReplicaCount: 100
minReplicaCount: 0
pollingInterval: 30
triggers:
- type: prometheus
metadata:
serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
namespace: kedatest # replace <NAMESPACE>
metricName: http_requests_total
threshold: '5'
query: sum(rate(http_requests_total{job="test-app"}[1m]))
authModes: "basic"
authenticationRef:
name: prom-cluster-triggerauthentication (1)
kind: ClusterTriggerAuthentication (2)
1 Specify the name of your trigger authentication object. 2 Specify ClusterTriggerAuthentication
.Create the scaled object by running the following command:
$ oc apply -f <filename>