openshift · mburke5678 · Jul 18, 2025
diff --git a/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc b/modules/nodes-cma-autoscaling-custom-prometheus-config.adoc
@@ -18,7 +18,6 @@ These steps are not required for an external Prometheus source.
 You must perform the following tasks, as described in this section:
 
 * Create a service account.
-* Create a secret that generates a token for the service account.
 * Create the trigger authentication.
 * Create a role.
 * Add that role to the service account.
@@ -45,7 +44,7 @@ $ oc project <project_name> <1>
 *  If you are using a trigger authentication, specify the project with the object you want to scale.
 *  If you are using a cluster trigger authentication, specify the `openshift-keda` project.
 
-. Create a service account and token, if your cluster does not have one:
+. Create a service account if your cluster does not have one:
 
 .. Create a `service account` object by using the following command:
 +
@@ -55,53 +54,6 @@ $ oc create serviceaccount thanos <1>
 ----
 <1> Specifies the name of the service account.
 
-.. Create a `secret` YAML to generate a service account token:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: thanos-token
-  annotations:
-    kubernetes.io/service-account.name: thanos <1>
-type: kubernetes.io/service-account-token
-----
-<1> Specifies the name of the service account.
-
-.. Create the secret object by using the following command:
-+
-[source,terminal]
-----
-$ oc create -f <file_name>.yaml
-----
-
-.. Use the following command to locate the token assigned to the service account:
-+
-[source,terminal]
-----
-$ oc describe serviceaccount thanos <1>
-----
-+
-<1> Specifies the name of the service account.
-+
---
-.Example output
-[source,terminal]
-----
-Name:                thanos
-Namespace:           <namespace_name>
-Labels:              <none>
-Annotations:         <none>
-Image pull secrets:  thanos-dockercfg-nnwgj
-Mountable secrets:   thanos-dockercfg-nnwgj
-Tokens:              thanos-token <1>
-Events:              <none>
-
-----
-<1> Use this token in the trigger authentication.
---
-
 . Create a trigger authentication with the service account token:
 
 .. Create a YAML file similar to the following:
@@ -113,23 +65,18 @@ kind: <authentication_method> <1>
 metadata:
   name: keda-trigger-auth-prometheus
 spec:
-  secretTargetRef: <2>
-  - parameter: bearerToken <3>
-    name: thanos-token <4>
-    key: token <5>
-  - parameter: ca
-    name: thanos-token
-    key: ca.crt
+  boundServiceAccountToken: <2>
+    - parameter: bearerToken <3>
+      serviceAccountName: thanos <4>
 ----
 <1> Specifies one of the following trigger authentication methods:
 +
 *  If you are using a trigger authentication, specify `TriggerAuthentication`. This example configures a trigger authentication.
 *  If you are using a cluster trigger authentication, specify `ClusterTriggerAuthentication`.
 +
-<2> Specifies that this object uses a secret for authorization.
-<3> Specifies the authentication parameter to supply by using the token.
-<4> Specifies the name of the token to use.
-<5> Specifies the key in the token to use with the specified parameter.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the authentication parameter to supply by using the token. Here, the example uses bearer authentication.
+<4> Specifies the name of the service account to use.
 
 .. Create the CR object:
 +
@@ -221,3 +168,53 @@ You can now deploy a scaled object or scaled job to enable autoscaling for your
 * `triggers.metadata.authModes` must be `bearer`
 * `triggers.metadata.namespace` must be set to the namespace of the object to scale
 * `triggers.authenticationRef` must point to the trigger authentication resource specified in the previous step
+
+////
+Hiding, might not need it. If so, place this as step 2.
+.. Create a `secret` YAML to generate a service account token:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: thanos-token
+  annotations:
+    kubernetes.io/service-account.name: thanos <1>
+type: kubernetes.io/service-account-token
+----
+<1> Specifies the name of the service account.
+
+.. Create the secret object by using the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name>.yaml
+----
+
+.. Use the following command to locate the token assigned to the service account:
++
+[source,terminal]
+----
+$ oc describe serviceaccount thanos <1>
+----
++
+<1> Specifies the name of the service account.
++
+--
+.Example output
+[source,terminal]
+----
+Name:                thanos
+Namespace:           <namespace_name>
+Labels:              <none>
+Annotations:         <none>
+Image pull secrets:  thanos-dockercfg-nnwgj
+Mountable secrets:   thanos-dockercfg-nnwgj
+Tokens:              thanos-token <1>
+Events:              <none>
+
+----
+<1> Use this token in the trigger authentication.
+--
+////
diff --git a/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc b/modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc
@@ -12,43 +12,69 @@ You use trigger authentications and cluster trigger authentications by using a c
 
 * The Custom Metrics Autoscaler Operator must be installed.
 
-* If you are using a secret, the `Secret` object must exist, for example:
+* If you are using a bound service account token, the service account must exist.
+
+* If you are using a bound service account token, a role-based access control (RBAC) object that enables the Custom Metrics Autoscaler Operator to request service account tokens from the service account must exist.
 +
-.Example secret
 [source,yaml]
 ----
-apiVersion: v1
-kind: Secret
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: keda-operator-token-creator
+  namespace: <namespace_name> <1>
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+  resourceNames:
+  - thanos <2>
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
-  name: my-secret
-data:
-  user-name: <base64_USER_NAME>
-  password: <base64_USER_PASSWORD>
+  name: keda-operator-token-creator-binding
+  namespace: <namespace_name> <3>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: keda-operator-token-creator
+subjects:
+- kind: ServiceAccount
+  name: keda-operator
+  namespace: openshift-keda
 ----
+<1> Specifies the namespace of the service account.
+<2> Specifies the name of the service account.
+<3> Specifies the namespace of the service account.
+
+* If you are using a secret, the `Secret` object must exist.
 
 .Procedure
 
 . Create the `TriggerAuthentication` or  `ClusterTriggerAuthentication` object.
 
 .. Create a YAML file that defines the object:
 +
-.Example trigger authentication with a secret
+.Example trigger authentication with a bound service account token
 [source,yaml]
 ----
 kind: TriggerAuthentication
 apiVersion: keda.sh/v1alpha1
 metadata:
   name: prom-triggerauthentication
-  namespace: my-namespace
-spec:
-  secretTargetRef:
-  - parameter: user-name
-    name: my-secret
-    key: USER_NAME
-  - parameter: password
-    name: my-secret
-    key: USER_PASSWORD
+  namespace: my-namespace <1>
+  spec:
+  boundServiceAccountToken: <2>
+    - parameter: token
+      serviceAccountName: thanos <3>
 ----
+<1> Specifies the namespace of the object you want to scale.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the name of the service account to use.
 
 .. Create the `TriggerAuthentication` object:
 +