Understanding custom metrics autoscaler trigger authentications

A trigger authentication allows you to include authentication information in a scaled object or a scaled job that can be used by the associated containers. You can use trigger authentications to pass OKD secrets, platform-native pod authentication mechanisms, environment variables, and so on.

You define a TriggerAuthentication object in the same namespace as the object that you want to scale. That trigger authentication can be used only by objects in that namespace.

Alternatively, to share credentials between objects in multiple namespaces, you can create a ClusterTriggerAuthentication object that can be used across all namespaces.

Trigger authentications and cluster trigger authentications use the same configuration. However, a cluster trigger authentication requires an additional kind parameter in the authentication reference of the scaled object.

Example trigger authentication with a secret

    kind: TriggerAuthentication
    apiVersion: keda.sh/v1alpha1
    metadata:
      name: secret-triggerauthentication
      namespace: my-namespace # (1)
    spec:
      secretTargetRef: # (2)
      - parameter: user-name # (3)
        name: my-secret # (4)
        key: USER_NAME # (5)
      - parameter: password
        name: my-secret
        key: USER_PASSWORD

(1) Specifies the namespace of the object you want to scale.
(2) Specifies that this trigger authentication uses a secret for authorization.
(3) Specifies the authentication parameter to supply by using the secret.
(4) Specifies the name of the secret to use.
(5) Specifies the key in the secret to use with the specified parameter.

Example cluster trigger authentication with a secret

    kind: ClusterTriggerAuthentication
    apiVersion: keda.sh/v1alpha1
    metadata: # (1)
      name: secret-cluster-triggerauthentication
    spec:
      secretTargetRef: # (2)
      - parameter: user-name # (3)
        name: secret-name # (4)
        key: USER_NAME # (5)
      - parameter: user-password
        name: secret-name
        key: USER_PASSWORD

(1) Note that no namespace is used with a cluster trigger authentication.
(2) Specifies that this trigger authentication uses a secret for authorization.
(3) Specifies the authentication parameter to supply by using the secret.
(4) Specifies the name of the secret to use.
(5) Specifies the key in the secret to use with the specified parameter.

Example trigger authentication with a token

    kind: TriggerAuthentication
    apiVersion: keda.sh/v1alpha1
    metadata:
      name: token-triggerauthentication
      namespace: my-namespace # (1)
    spec:
      secretTargetRef: # (2)
      - parameter: bearerToken # (3)
        name: my-token-2vzfq # (4)
        key: token # (5)
      - parameter: ca
        name: my-token-2vzfq
        key: ca.crt

(1) Specifies the namespace of the object you want to scale.
(2) Specifies that this trigger authentication uses a secret for authorization.
(3) Specifies the authentication parameter to supply by using the token.
(4) Specifies the name of the token to use.
(5) Specifies the key in the token to use with the specified parameter.

Example trigger authentication with an environment variable

    kind: TriggerAuthentication
    apiVersion: keda.sh/v1alpha1
    metadata:
      name: env-var-triggerauthentication
      namespace: my-namespace # (1)
    spec:
      env: # (2)
      - parameter: access_key # (3)
        name: ACCESS_KEY # (4)
        containerName: my-container # (5)

(1) Specifies the namespace of the object you want to scale.
(2) Specifies that this trigger authentication uses environment variables for authorization.
(3) Specify the parameter to set with this variable.
(4) Specify the name of the environment variable.
(5) Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by scaleTargetRef in the scaled object.

Example trigger authentication with pod authentication providers

    kind: TriggerAuthentication
    apiVersion: keda.sh/v1alpha1
    metadata:
      name: pod-id-triggerauthentication
      namespace: my-namespace # (1)
    spec:
      podIdentity: # (2)
        provider: aws-eks # (3)

(1) Specifies the namespace of the object you want to scale.
(2) Specifies that this trigger authentication uses a platform-native pod authentication method for authorization.
(3) Specifies a pod identity. Supported values are none, azure, aws-eks, or aws-kiam. The default is none.

Using trigger authentications

You use trigger authentications and cluster trigger authentications by creating the authentication as a custom resource and then adding a reference to it in a scaled object or scaled job.

Prerequisites

  • The Custom Metrics Autoscaler Operator must be installed.

  • If you are using a secret, the Secret object must exist, for example:

    Example secret

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      user-name: <base64_USER_NAME>
      password: <base64_USER_PASSWORD>

Procedure

  1. Create the TriggerAuthentication or ClusterTriggerAuthentication object.

    1. Create a YAML file that defines the object:

      Example trigger authentication with a secret

      kind: TriggerAuthentication
      apiVersion: keda.sh/v1alpha1
      metadata:
        name: prom-triggerauthentication
        namespace: my-namespace
      spec:
        secretTargetRef:
        - parameter: user-name
          name: my-secret
          key: USER_NAME
        - parameter: password
          name: my-secret
          key: USER_PASSWORD

    2. Create the TriggerAuthentication object:

      $ oc create -f <filename>.yaml

  2. Create or edit a ScaledObject YAML file that uses the trigger authentication:

    1. Create a YAML file that defines the object:

      Example scaled object with a trigger authentication

      apiVersion: keda.sh/v1alpha1
      kind: ScaledObject
      metadata:
        name: scaledobject
        namespace: my-namespace
      spec:
        scaleTargetRef:
          name: example-deployment
        maxReplicaCount: 100
        minReplicaCount: 0
        pollingInterval: 30
        triggers:
        - type: prometheus
          metadata:
            serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
            namespace: kedatest # replace <NAMESPACE>
            metricName: http_requests_total
            threshold: '5'
            query: sum(rate(http_requests_total{job="test-app"}[1m]))
            authModes: "basic"
          authenticationRef:
            name: prom-triggerauthentication # (1)
            kind: TriggerAuthentication # (2)

      (1) Specify the name of your trigger authentication object.
      (2) Specify TriggerAuthentication. TriggerAuthentication is the default.

      Example scaled object with a cluster trigger authentication

      apiVersion: keda.sh/v1alpha1
      kind: ScaledObject
      metadata:
        name: scaledobject
        namespace: my-namespace
      spec:
        scaleTargetRef:
          name: example-deployment
        maxReplicaCount: 100
        minReplicaCount: 0
        pollingInterval: 30
        triggers:
        - type: prometheus
          metadata:
            serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
            namespace: kedatest # replace <NAMESPACE>
            metricName: http_requests_total
            threshold: '5'
            query: sum(rate(http_requests_total{job="test-app"}[1m]))
            authModes: "basic"
          authenticationRef:
            name: prom-cluster-triggerauthentication # (1)
            kind: ClusterTriggerAuthentication # (2)

      (1) Specify the name of your trigger authentication object.
      (2) Specify ClusterTriggerAuthentication.

    2. Create the scaled object by running the following command:

      $ oc apply -f <filename>
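
The namespace and kind rules above can be checked before the manifests are applied. The following Python linter is an added example, not part of this documentation or of the KEDA project; the helper names, the object names prom-ta and prom-cta, and the sample manifests are constructed for illustration. It assumes that the Secret referenced by a namespaced TriggerAuthentication lives in that same namespace.

```python
# Added example: offline lint of trigger-authentication wiring; all sample data is constructed.
CTA = "ClusterTriggerAuthentication"

def obj(kind, name, ns=None, **body):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, **body}

def lint(manifests):
    """Return findings for ScaledObject -> (Cluster)TriggerAuthentication -> Secret links."""
    index = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests}
    findings = []
    for so in (m for m in manifests if m["kind"] == "ScaledObject"):
        ns, so_name = so["metadata"]["namespace"], so["metadata"]["name"]
        for trigger in so["spec"].get("triggers", []):
            ref = trigger.get("authenticationRef")
            if not ref:
                continue
            # An omitted kind defaults to TriggerAuthentication, which is namespace-scoped.
            kind = ref.get("kind", "TriggerAuthentication")
            scope = None if kind == CTA else ns
            auth = index.get((kind, scope, ref["name"]))
            if auth is None:
                findings.append(f"{so_name}: {kind} {ref['name']} not found")
                continue
            if scope is None:
                continue  # Secret checks cover namespaced trigger authentications only
            for target in auth["spec"].get("secretTargetRef", []):
                # An absent Secret is treated as a Secret with no keys.
                secret = index.get(("Secret", ns, target["name"]), {})
                if target["key"] not in secret.get("data", {}):
                    findings.append(f"{ref['name']}: Secret {target['name']} lacks key {target['key']}")
    return findings

def scaled(so_name, ns, **ref):
    return obj("ScaledObject", so_name, ns, spec={"triggers": [{"authenticationRef": ref}]})

def refs(*pairs):
    return {"secretTargetRef": [{"parameter": p, "name": "my-secret", "key": k} for p, k in pairs]}

SAMPLE = [  # constructed manifests, modelled on the examples on this page
    obj("Secret", "my-secret", "my-namespace", data={"USER_NAME": "dXNlcg=="}),
    obj("TriggerAuthentication", "prom-ta", "my-namespace",
        spec=refs(("user-name", "USER_NAME"), ("password", "USER_PASSWORD"))),
    obj(CTA, "prom-cta", spec=refs(("user-name", "USER_NAME"))),
    scaled("secret-incomplete", "my-namespace", name="prom-ta"),
    scaled("missing-kind", "my-namespace", name="prom-cta"),
    scaled("wrong-namespace", "other-namespace", name="prom-ta"),
    scaled("cluster-ok", "other-namespace", name="prom-cta", kind=CTA),
]
```

Calling lint(SAMPLE) reports the Secret that lacks a referenced key, the scaled object that references a cluster trigger authentication without the kind parameter, and the scaled object that references a trigger authentication from another namespace.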