diff --git a/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc b/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc index 932db4f9a179..6c5209fe4023 100644 --- a/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc +++ b/nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc 
@@ -15,47 +15,50 @@ Alternatively, to share credentials between objects in multiple namespaces, you Trigger authentications and cluster trigger authentication use the same configuration. However, a cluster trigger authentication requires an additional `kind` parameter in the authentication reference of the scaled object. -.Example trigger authentication that uses a bound service account token +.Example secret for Basic authentication [source,yaml] ---- -kind: TriggerAuthentication -apiVersion: keda.sh/v1alpha1 +apiVersion: v1 +kind: Secret metadata: - name: secret-triggerauthentication - namespace: my-namespace <1> -spec: - boundServiceAccountToken: <2> - - parameter: bearerToken - serviceAccountName: thanos <3> + name: my-basic-secret + namespace: default +data: + username: "dXNlcm5hbWU=" <1> + password: "cGFzc3dvcmQ=" ---- -<1> Specifies the namespace of the object you want to scale. -<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. -<3> Specifies the name of the service account to use. +<1> User name and password to supply to the trigger authentication. The values in a `data` stanza must be base-64 encoded. -.Example cluster trigger authentication that uses a bound service account token +.Example trigger authentication using a secret for Basic authentication [source,yaml] ---- -kind: ClusterTriggerAuthentication +kind: TriggerAuthentication apiVersion: keda.sh/v1alpha1 metadata: - name: bound-service-account-token-triggerauthentication <1> + name: secret-triggerauthentication + namespace: my-namespace <1> spec: - boundServiceAccountToken: <2> - - parameter: bearerToken - serviceAccountName: thanos <3> + secretTargetRef: <2> + - parameter: username <3> + name: my-basic-secret <4> + key: username <5> + - parameter: password + name: my-basic-secret + key: password ---- <1> Specifies the namespace of the object you want to scale. 
-<2> Specifies that this cluster trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint. -<3> Specifies the name of the service account to use. +<2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. +<3> Specifies the authentication parameter to supply by using the secret. +<4> Specifies the name of the secret to use. +<5> Specifies the key in the secret to use with the specified parameter. -.Example trigger authentication that uses a secret for Basic authentication +.Example cluster trigger authentication with a secret for Basic authentication [source,yaml] ---- -kind: TriggerAuthentication +kind: ClusterTriggerAuthentication apiVersion: keda.sh/v1alpha1 -metadata: - name: secret-triggerauthentication - namespace: my-namespace <1> +metadata: <1> + name: secret-cluster-triggerauthentication spec: secretTargetRef: <2> - parameter: username <3> 
@@ -65,27 +68,29 @@ spec: name: my-basic-secret key: password ---- -<1> Specifies the namespace of the object you want to scale. +<1> Note that no namespace is used with a cluster trigger authentication. <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. <3> Specifies the authentication parameter to supply by using the secret. -<4> Specifies the name of the secret to use. See the following example secret for Basic authentication. +<4> Specifies the name of the secret to use. <5> Specifies the key in the secret to use with the specified parameter. -.Example secret for Basic authentication +.Example secret with certificate authority (CA) details [source,yaml] ---- apiVersion: v1 kind: Secret metadata: - name: my-basic-secret - namespace: default -data: - username: "dXNlcm5hbWU=" <1> - password: "cGFzc3dvcmQ=" + name: my-secret + namespace: my-namespace +data: + ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1> + client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2> + client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t... ---- -<1> User name and password to supply to the trigger authentication. The values in the `data` stanza must be base-64 encoded. +<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded. +<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded. -.Example trigger authentication that uses a secret for CA details +.Example trigger authentication using a secret for CA details [source,yaml] ---- kind: TriggerAuthentication 
@@ -108,10 +113,10 @@ spec: <4> Specifies the name of the secret to use. <5> Specifies the key in the secret to use with the specified parameter. <6> Specifies the authentication parameter for a custom CA when connecting to the metrics endpoint. -<7> Specifies the name of the secret to use. See the following example secret with certificate authority (CA) details. +<7> Specifies the name of the secret to use. <8> Specifies the key in the secret to use with the specified parameter. -.Example secret with certificate authority (CA) details +.Example secret with a bearer token [source,yaml] ---- apiVersion: v1 @@ -120,14 +125,11 @@ metadata: name: my-secret namespace: my-namespace data: - ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1> - client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2> - client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t... + bearerToken: "dG9rZW4=..." <1> ---- -<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded. -<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded. +<1> Specifies a bearer token to use with bearer authentication. The value in a `data` stanza must be base-64 encoded. -.Example trigger authentication that uses a bearer token +.Example trigger authentication with a bearer token [source,yaml] ---- kind: TriggerAuthentication 
@@ -144,23 +146,10 @@ spec: <1> Specifies the namespace of the object you want to scale. <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint. <3> Specifies the type of authentication to use. -<4> Specifies the name of the secret to use. See the following example secret for a bearer token. +<4> Specifies the name of the secret to use. <5> Specifies the key in the token to use with the specified parameter. -.Example secret for a bearer token -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: my-secret - namespace: my-namespace -data: - bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" <1> ----- -<1> Specifies a bearer token to use with bearer authentication. The value must be base-64 encoded. - -.Example trigger authentication that uses an environment variable +.Example trigger authentication with an environment variable [source,yaml] ---- kind: TriggerAuthentication @@ -180,7 +169,7 @@ spec: <4> Specify the name of the environment variable. <5> Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by `scaleTargetRef` in the scaled object. -.Example trigger authentication that uses pod authentication providers +.Example trigger authentication with pod authentication providers [source,yaml] ---- kind: TriggerAuthentication 
@@ -200,8 +189,7 @@ spec: // ifndef::openshift-rosa,openshift-dedicated[] .Additional resources -* xref:../../authentication/understanding-and-creating-service-accounts.adoc#understanding-service-accounts[Understanding and creating service accounts] -* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods]. +* For information about {product-title} secrets, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods]. // endif::openshift-rosa,openshift-dedicated[] include::modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc[leveloffset=+1]
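Review bot: In the hunk at `@@ -15,47 +15,50 @@`, both `boundServiceAccountToken` examples (the `TriggerAuthentication` and the `ClusterTriggerAuthentication` with `serviceAccountName: thanos`) are deleted and none of the visible hunks adds them back, so the page loses its only example of that method. If the method is still supported, keep one example or say in the commit message where it moved. In the same hunk the relocated secret `my-basic-secret` is in `namespace: default` while the trigger authentication that references it is in `namespace: my-namespace`; use one namespace for both, as the CA and bearer token secrets do with `my-namespace`. Callout `<1>` on the secret is attached only to `username` but describes both values, so mark `password` as well.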
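Review bot: In the hunk at `@@ -65,27 +68,29 @@`, callout `<2>` under the new `ClusterTriggerAuthentication` example still reads "this trigger authentication", whereas the removed cluster example said "this cluster trigger authentication"; carry that wording over. The new callout `<1>` ("Note that no namespace is used with a cluster trigger authentication") breaks the "Specifies ..." pattern of the other callouts and does not say where the referenced secret `my-basic-secret` has to be created for a cluster-scoped object, which is the first thing a reader will need. In the CA secret, callout `<2>` marks only `client-cert.pem` although its text also covers `client-key.pem`.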
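Review bot: In the hunk at `@@ -108,10 +113,10 @@`, the new value `bearerToken: "dG9rZW4=..."` puts an ellipsis after the `=` padding, which is not valid base-64 and is inconsistent with the truncated `LS0t...` values in the CA secret; use either a complete value such as `"dG9rZW4="` or a truncated one without padding. The bearer token secret also keeps `name: my-secret` in `my-namespace`, the same name and namespace as the CA secret added earlier in this patch, so a reader who applies both examples replaces one with the other. Give the two secrets distinct names and update the references.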
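Review bot: In the hunk at `@@ -144,23 +146,10 @@`, callout `<5>` of the bearer token trigger authentication says "the key in the token", while the Basic and CA examples say "the key in the secret"; since callout `<2>` states that this example also uses a secret, align `<5>` while `<4>` is being edited. The retitled examples across this patch now alternate between "using a secret" and "with a secret", "with a bearer token", "with an environment variable"; pick one form for all titles.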
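Review bot: In the hunk at `@@ -200,8 +189,7 @@`, the service accounts xref is removed from "Additional resources", which is only correct if the `boundServiceAccountToken` examples deleted earlier in this patch stay removed; if they are restored, this link needs to come back with them. The remaining entry is now a full sentence inside a bullet ("For information about {product-title} secrets, see ..."), whereas the removed entry was a bare xref; keep one style for the list.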