From 264ce93b6388a1a294246b8cbff26629d4e3462c Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Fri, 18 Jul 2025 15:25:20 -0400 Subject: [PATCH] CMA should support bound service account tokens/default Keda Controller --- ...-autoscaling-custom-prometheus-config.adoc | 117 +++++++++--------- ...autoscaling-custom-trigger-auth-using.adoc | 62 +++++++--- ...s-cma-autoscaling-custom-trigger-auth.adoc | 110 ++++++++-------- 3 files changed, 162 insertions(+), 127 deletions(-) diff --git a/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc b/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc index 6f8273794994..961f1f3376cc 100644 --- a/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc +++ b/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc @@ -18,7 +18,6 @@ These steps are not required for an external Prometheus source. You must perform the following tasks, as described in this section: * Create a service account. -* Create a secret that generates a token for the service account. * Create the trigger authentication. * Create a role. * Add that role to the service account. @@ -45,7 +44,7 @@ $ oc project <1> * If you are using a trigger authentication, specify the project with the object you want to scale. * If you are using a cluster trigger authentication, specify the `openshift-keda` project. -. Create a service account and token, if your cluster does not have one: +. Create a service account if your cluster does not have one: .. Create a `service account` object by using the following command: + 
@@ -55,53 +54,6 @@ $ oc create serviceaccount thanos <1> ---- <1> Specifies the name of the service account. -.. Create a `secret` YAML to generate a service account token: -+ -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: thanos-token - annotations: - kubernetes.io/service-account.name: thanos <1> -type: kubernetes.io/service-account-token ----- -<1> Specifies the name of the service account. - -.. Create the secret object by using the following command: -+ -[source,terminal] ----- -$ oc create -f .yaml ----- - -.. Use the following command to locate the token assigned to the service account: -+ -[source,terminal] ----- -$ oc describe serviceaccount thanos <1> ----- -+ -<1> Specifies the name of the service account. -+ --- -.Example output -[source,terminal] ----- -Name: thanos -Namespace: -Labels: -Annotations: -Image pull secrets: thanos-dockercfg-nnwgj -Mountable secrets: thanos-dockercfg-nnwgj -Tokens: thanos-token <1> -Events: - ----- -<1> Use this token in the trigger authentication. --- - . Create a trigger authentication with the service account token: .. Create a YAML file similar to the following: 
@@ -113,23 +65,18 @@ kind: <1> metadata: name: keda-trigger-auth-prometheus spec: - secretTargetRef: <2> - - parameter: bearerToken <3> - name: thanos-token <4> - key: token <5> - - parameter: ca - name: thanos-token - key: ca.crt + boundServiceAccountToken: <2> + - parameter: bearerToken <3> + serviceAccountName: thanos <4> ---- <1> Specifies one of the following trigger authentication methods: + * If you are using a trigger authentication, specify `TriggerAuthentication`. This example configures a trigger authentication. * If you are using a cluster trigger authentication, specify `ClusterTriggerAuthentication`. + -<2> Specifies that this object uses a secret for authorization. -<3> Specifies the authentication parameter to supply by using the token. -<4> Specifies the name of the token to use. -<5> Specifies the key in the token to use with the specified parameter. +<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. +<3> Specifies the authentication parameter to supply by using the token. Here, the example uses bearer authentication. +<4> Specifies the name of the service account to use. .. Create the CR object: + 
@@ -221,3 +168,53 @@ You can now deploy a scaled object or scaled job to enable autoscaling for your * `triggers.metadata.authModes` must be `bearer` * `triggers.metadata.namespace` must be set to the namespace of the object to scale * `triggers.authenticationRef` must point to the trigger authentication resource specified in the previous step + +//// +Hiding, might not need it. If so, place this as step 2. +.. Create a `secret` YAML to generate a service account token: ++ +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: thanos-token + annotations: + kubernetes.io/service-account.name: thanos <1> +type: kubernetes.io/service-account-token +---- +<1> Specifies the name of the service account. + +.. Create the secret object by using the following command: ++ +[source,terminal] +---- +$ oc create -f .yaml +---- + +.. Use the following command to locate the token assigned to the service account: ++ +[source,terminal] +---- +$ oc describe serviceaccount thanos <1> +---- ++ +<1> Specifies the name of the service account. ++ +-- +.Example output +[source,terminal] +---- +Name: thanos +Namespace: +Labels: +Annotations: +Image pull secrets: thanos-dockercfg-nnwgj +Mountable secrets: thanos-dockercfg-nnwgj +Tokens: thanos-token <1> +Events: + +---- +<1> Use this token in the trigger authentication. +-- +//// diff --git a/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc b/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc index 65bafa1ef8cd..b747b5272cc6 100644 --- a/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc +++ b/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc 
@@ -12,19 +12,46 @@ You use trigger authentications and cluster trigger authentications by using a c * The Custom Metrics Autoscaler Operator must be installed. -* If you are using a secret, the `Secret` object must exist, for example: +* If you are using a bound service account token, the service account must exist. + +* If you are using a bound service account token, a role-based access control (RBAC) object that enables the Custom Metrics Autoscaler Operator to request service account tokens from the service account must exist. + -.Example secret [source,yaml] ---- -apiVersion: v1 -kind: Secret +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: keda-operator-token-creator + namespace: <1> +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + resourceNames: + - thanos <2> +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: - name: my-secret -data: - user-name: - password: + name: keda-operator-token-creator-binding + namespace: <3> +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: keda-operator-token-creator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: openshift-keda ---- +<1> Specifies the namespace of the service account. +<2> Specifies the name of the service account. +<3> Specifies the namespace of the service account. + +* If you are using a secret, the `Secret` object must exist. .Procedure 
@@ -32,23 +59,22 @@ data: .. Create a YAML file that defines the object: + -.Example trigger authentication with a secret +.Example trigger authentication with a bound service account token [source,yaml] ---- kind: TriggerAuthentication apiVersion: keda.sh/v1alpha1 metadata: name: prom-triggerauthentication - namespace: my-namespace -spec: - secretTargetRef: - - parameter: user-name - name: my-secret - key: USER_NAME - - parameter: password - name: my-secret - key: USER_PASSWORD + namespace: my-namespace <1> + spec: + boundServiceAccountToken: <2> + - parameter: token + serviceAccountName: thanos <3> ---- +<1> Specifies the namespace of the object you want to scale. +<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. +<3> Specifies the name of the service account to use. .. Create the `TriggerAuthentication` object: + diff --git a/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc b/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc index 1fc10d4e1b7d..932db4f9a179 100644 --- a/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc +++ b/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc 
@@ -15,50 +15,47 @@ Alternatively, to share credentials between objects in multiple namespaces, you Trigger authentications and cluster trigger authentication use the same configuration. However, a cluster trigger authentication requires an additional `kind` parameter in the authentication reference of the scaled object. -.Example secret for Basic authentication +.Example trigger authentication that uses a bound service account token [source,yaml] ---- -apiVersion: v1 -kind: Secret +kind: TriggerAuthentication +apiVersion: keda.sh/v1alpha1 metadata: - name: my-basic-secret - namespace: default -data: - username: "dXNlcm5hbWU=" <1> - password: "cGFzc3dvcmQ=" + name: secret-triggerauthentication + namespace: my-namespace <1> +spec: + boundServiceAccountToken: <2> + - parameter: bearerToken + serviceAccountName: thanos <3> ---- -<1> User name and password to supply to the trigger authentication. The values in a `data` stanza must be base-64 encoded. +<1> Specifies the namespace of the object you want to scale. +<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. +<3> Specifies the name of the service account to use. -.Example trigger authentication using a secret for Basic authentication +.Example cluster trigger authentication that uses a bound service account token [source,yaml] ---- -kind: TriggerAuthentication +kind: ClusterTriggerAuthentication apiVersion: keda.sh/v1alpha1 metadata: - name: secret-triggerauthentication - namespace: my-namespace <1> + name: bound-service-account-token-triggerauthentication <1> spec: - secretTargetRef: <2> - - parameter: username <3> - name: my-basic-secret <4> - key: username <5> - - parameter: password - name: my-basic-secret - key: password + boundServiceAccountToken: <2> + - parameter: bearerToken + serviceAccountName: thanos <3> ---- <1> Specifies the namespace of the object you want to scale. 
-<2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. -<3> Specifies the authentication parameter to supply by using the secret. -<4> Specifies the name of the secret to use. -<5> Specifies the key in the secret to use with the specified parameter. +<2> Specifies that this cluster trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. +<3> Specifies the name of the service account to use. -.Example cluster trigger authentication with a secret for Basic authentication +.Example trigger authentication that uses a secret for Basic authentication [source,yaml] ---- -kind: ClusterTriggerAuthentication +kind: TriggerAuthentication apiVersion: keda.sh/v1alpha1 -metadata: <1> - name: secret-cluster-triggerauthentication +metadata: + name: secret-triggerauthentication + namespace: my-namespace <1> spec: secretTargetRef: <2> - parameter: username <3> 
@@ -68,29 +65,27 @@ spec: name: my-basic-secret key: password ---- -<1> Note that no namespace is used with a cluster trigger authentication. +<1> Specifies the namespace of the object you want to scale. <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. <3> Specifies the authentication parameter to supply by using the secret. -<4> Specifies the name of the secret to use. +<4> Specifies the name of the secret to use. See the following example secret for Basic authentication. <5> Specifies the key in the secret to use with the specified parameter. -.Example secret with certificate authority (CA) details +.Example secret for Basic authentication [source,yaml] ---- apiVersion: v1 kind: Secret metadata: - name: my-secret - namespace: my-namespace -data: - ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1> - client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2> - client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t... + name: my-basic-secret + namespace: default +data: + username: "dXNlcm5hbWU=" <1> + password: "cGFzc3dvcmQ=" ---- -<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded. -<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded. +<1> User name and password to supply to the trigger authentication. The values in the `data` stanza must be base-64 encoded. -.Example trigger authentication using a secret for CA details +.Example trigger authentication that uses a secret for CA details [source,yaml] ---- kind: TriggerAuthentication 
@@ -113,10 +108,10 @@ spec: <4> Specifies the name of the secret to use. <5> Specifies the key in the secret to use with the specified parameter. <6> Specifies the authentication parameter for a custom CA when connecting to the metrics endpoint. -<7> Specifies the name of the secret to use. +<7> Specifies the name of the secret to use. See the following example secret with certificate authority (CA) details. <8> Specifies the key in the secret to use with the specified parameter. -.Example secret with a bearer token +.Example secret with certificate authority (CA) details [source,yaml] ---- apiVersion: v1 @@ -125,11 +120,14 @@ metadata: name: my-secret namespace: my-namespace data: - bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" <1> + ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1> + client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2> + client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t... ---- -<1> Specifies a bearer token to use with bearer authentication. The value in a `data` stanza must be base-64 encoded. +<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded. +<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded. -.Example trigger authentication with a bearer token +.Example trigger authentication that uses a bearer token [source,yaml] ---- kind: TriggerAuthentication 
@@ -146,10 +144,23 @@ spec: <1> Specifies the namespace of the object you want to scale. <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. <3> Specifies the type of authentication to use. -<4> Specifies the name of the secret to use. +<4> Specifies the name of the secret to use. See the following example secret for a bearer token. <5> Specifies the key in the token to use with the specified parameter. -.Example trigger authentication with an environment variable +.Example secret for a bearer token +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: my-secret + namespace: my-namespace +data: + bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" <1> +---- +<1> Specifies a bearer token to use with bearer authentication. The value must be base-64 encoded. + +.Example trigger authentication that uses an environment variable [source,yaml] ---- kind: TriggerAuthentication @@ -169,7 +180,7 @@ spec: <4> Specify the name of the environment variable. <5> Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by `scaleTargetRef` in the scaled object. -.Example trigger authentication with pod authentication providers +.Example trigger authentication that uses pod authentication providers [source,yaml] ---- kind: TriggerAuthentication 
@@ -189,7 +200,8 @@ spec: // ifndef::openshift-rosa,openshift-dedicated[] .Additional resources -* For information about {product-title} secrets, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods]. +* xref:../../authentication/understanding-and-creating-service-accounts.adoc#understanding-service-accounts[Understanding and creating service accounts] +* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods]. // endif::openshift-rosa,openshift-dedicated[] include::modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc[leveloffset=+1]
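Review bot: In `modules/nodes-cma-autoscaling-custom-prometheus-config.adoc`, hunk `@@ -18,7 +18,6 @@`, the task list drops "Create a secret that generates a token for the service account" but adds nothing in its place, yet the bound-token flow needs an RBAC step that the old flow did not: the `keda-operator` service account must be allowed to `create` `serviceaccounts/token` on `thanos`, exactly the `Role`/`RoleBinding` this PR adds as a prerequisite in `nodes-cma-autoscaling-custom-trigger-auth-using.adoc`. Without that grant the Operator cannot request a token and the Prometheus procedure fails at the trigger authentication step. Suggest adding a task bullet such as "Grant the Custom Metrics Autoscaler Operator permission to create tokens for the service account" and either a numbered step or an xref to that prerequisite.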
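Review bot: In `modules/nodes-cma-autoscaling-custom-prometheus-config.adoc`, hunk `@@ -113,23 +65,18 @@`, the removed `secretTargetRef` supplied two parameters, `bearerToken` and `ca` (from key `ca.crt` of `thanos-token`), while the replacement `boundServiceAccountToken` supplies only `bearerToken`. The text should say how the scaler now trusts the Thanos endpoint certificate, for example by pointing to the "Example trigger authentication that uses a secret for CA details" in `nodes-cma-autoscaling-custom-trigger-auth.adoc`, or state explicitly that the `ca` parameter is no longer needed for the in-cluster endpoint, so readers migrating from the secret-based configuration know the `ca` entry was dropped on purpose.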
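Review bot: In `modules/nodes-cma-autoscaling-custom-prometheus-config.adoc`, hunk `@@ -221,3 +168,53 @@`, the `////` comment block carries a working note ("Hiding, might not need it. If so, place this as step 2.") and a verbatim copy of the steps deleted earlier in the file; that decision should be resolved before merge rather than shipped in the source, and since git history keeps the removed steps the block can simply be dropped. If it is kept, `$ oc create -f .yaml` needs its file-name placeholder.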
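Review bot: In `modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc`, hunk `@@ -12,19 +12,46 @@`, callouts `<1>` and `<3>` are identical ("Specifies the namespace of the service account") and the `subjects` entry is not explained, which invites readers to substitute their own account there. Suggest one sentence after the example: the `Role` and `RoleBinding` must both live in the service account's namespace because a `Role` is namespaced, the subject `keda-operator` in `openshift-keda` is the Operator's own service account and must be left as is, and `resourceNames: - thanos` limits token creation to that single account and should be kept rather than widened.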
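Review bot: In `modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc`, hunk `@@ -32,23 +59,22 @@`, the added `spec:` line is indented under `metadata:` (the removed line was `-spec:` at column 0, the added one is `+  spec:`), so `boundServiceAccountToken` becomes a child of `metadata` and the object is not a valid `TriggerAuthentication`; move `spec:` back to column 0. Also `- parameter: token` differs from `bearerToken`, which every other bound-token example in this PR uses and which the Prometheus procedure requires together with `authModes: bearer`; align it unless a specific scaler expects `token`.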
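Review bot: In `nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc`, hunk `@@ -15,50 +15,47 @@`, callout `<1>` in the `ClusterTriggerAuthentication` example now sits on `name: bound-service-account-token-triggerauthentication <1>` but the callout text still reads "Specifies the namespace of the object you want to scale"; restore the removed wording "Note that no namespace is used with a cluster trigger authentication." In the same hunk the bound-token `TriggerAuthentication` example keeps `name: secret-triggerauthentication`, which no longer describes what it does and collides with the Basic-authentication example of the same name later in the hunk; rename it (for example `bound-sa-token-triggerauthentication`).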
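Review bot: In `nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc`, hunk `@@ -146,10 +144,23 @@`, the sample `bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV"` is a raw JWT prefix (it base64-decodes to the header `{"alg":"HS256","typ":"JWT`), not a base64-encoded token as callout `<1>` requires, so a reader who copies the pattern gets a decoded header handed to the scaler instead of a token. Use an obvious placeholder such as `<base64-encoded-token>`, or show the value under `stringData` where it can be given unencoded.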
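Review bot: In `nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc`, hunk `@@ -189,7 +200,8 @@`, the second xref bullet ends with a period (`[Providing sensitive data to pods].`) while the new first bullet has none; make the two list items consistent.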