×

A trigger authentication allows you to include authentication information in a scaled object or a scaled job that can be used by the associated containers. You can use trigger authentications to pass OKD secrets, platform-native pod authentication mechanisms, environment variables, and so on.

You define a TriggerAuthentication object in the same namespace as the object that you want to scale. That trigger authentication can be used only by objects in that namespace.

Alternatively, to share credentials between objects in multiple namespaces, you can create a ClusterTriggerAuthentication object that can be used across all namespaces.

Trigger authentications and cluster trigger authentication use the same configuration. However, a cluster trigger authentication requires an additional kind parameter in the authentication reference of the scaled object.

Example secret for Basic authentication
apiVersion: v1
kind: Secret
metadata:
  name: my-basic-secret
  namespace: default
data:
  username: "dXNlcm5hbWU=" (1)
  password: "cGFzc3dvcmQ="
1 User name and password to supply to the trigger authentication. The values in a data stanza must be base-64 encoded.
Example trigger authentication using a secret for Basic authentication
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
  name: secret-triggerauthentication
  namespace: my-namespace (1)
spec:
  secretTargetRef: (2)
  - parameter: username (3)
    name: my-basic-secret (4)
    key: username (5)
  - parameter: password
    name: my-basic-secret
    key: password
1 Specifies the namespace of the object you want to scale.
2 Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
3 Specifies the authentication parameter to supply by using the secret.
4 Specifies the name of the secret to use.
5 Specifies the key in the secret to use with the specified parameter.
Example cluster trigger authentication with a secret for Basic authentication
kind: ClusterTriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata: (1)
  name: secret-cluster-triggerauthentication
spec:
  secretTargetRef: (2)
  - parameter: username (3)
    name: my-basic-secret (4)
    key: username (5)
  - parameter: password
    name: my-basic-secret
    key: password
1 Note that no namespace is used with a cluster trigger authentication.
2 Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
3 Specifies the authentication parameter to supply by using the secret.
4 Specifies the name of the secret to use.
5 Specifies the key in the secret to use with the specified parameter.
Example secret with certificate authority (CA) details
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-namespace
data:
  ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... (1)
  client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... (2)
  client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t...
1 Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded.
2 Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded.
Example trigger authentication using a secret for CA details
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
  name: secret-triggerauthentication
  namespace: my-namespace (1)
spec:
  secretTargetRef: (2)
    - parameter: key (3)
      name: my-secret (4)
      key: client-key.pem (5)
    - parameter: ca (6)
      name: my-secret (7)
      key: ca-cert.pem (8)
1 Specifies the namespace of the object you want to scale.
2 Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
3 Specifies the type of authentication to use.
4 Specifies the name of the secret to use.
5 Specifies the key in the secret to use with the specified parameter.
6 Specifies the authentication parameter for a custom CA when connecting to the metrics endpoint.
7 Specifies the name of the secret to use.
8 Specifies the key in the secret to use with the specified parameter.
Example secret with a bearer token
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-namespace
data:
  bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" (1)
1 Specifies a bearer token to use with bearer authentication. The value in a data stanza must be base-64 encoded.
Example trigger authentication with a bearer token
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
  name: token-triggerauthentication
  namespace: my-namespace (1)
spec:
  secretTargetRef: (2)
  - parameter: bearerToken (3)
    name: my-secret (4)
    key: bearerToken (5)
1 Specifies the namespace of the object you want to scale.
2 Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
3 Specifies the type of authentication to use.
4 Specifies the name of the secret to use.
5 Specifies the key in the token to use with the specified parameter.
Example trigger authentication with an environment variable
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
  name: env-var-triggerauthentication
  namespace: my-namespace (1)
spec:
  env: (2)
  - parameter: access_key (3)
    name: ACCESS_KEY (4)
    containerName: my-container (5)
1 Specifies the namespace of the object you want to scale.
2 Specifies that this trigger authentication uses environment variables for authorization when connecting to the metrics endpoint.
3 Specify the parameter to set with this variable.
4 Specify the name of the environment variable.
5 Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by scaleTargetRef in the scaled object.
Example trigger authentication with pod authentication providers
kind: TriggerAuthentication
apiVersion: keda.sh/v1alpha1
metadata:
  name: pod-id-triggerauthentication
  namespace: my-namespace (1)
spec:
  podIdentity: (2)
    provider: aws-eks (3)
1 Specifies the namespace of the object you want to scale.
2 Specifies that this trigger authentication uses a platform-native pod authentication when connecting to the metrics endpoint.
3 Specifies a pod identity. Supported values are none, azure, gcp, aws-eks, or aws-kiam. The default is none.
Additional resources

Using trigger authentications

You use trigger authentications and cluster trigger authentications by using a custom resource to create the authentication, then add a reference to a scaled object or scaled job.

Prerequisites
  • The Custom Metrics Autoscaler Operator must be installed.

  • If you are using a secret, the Secret object must exist, for example:

    Example secret
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      user-name: <base64_USER_NAME>
      password: <base64_USER_PASSWORD>
Procedure
  1. Create the TriggerAuthentication or ClusterTriggerAuthentication object.

    1. Create a YAML file that defines the object:

      Example trigger authentication with a secret
      kind: TriggerAuthentication
      apiVersion: keda.sh/v1alpha1
      metadata:
        name: prom-triggerauthentication
        namespace: my-namespace
      spec:
        secretTargetRef:
        - parameter: user-name
          name: my-secret
          key: USER_NAME
        - parameter: password
          name: my-secret
          key: USER_PASSWORD
    2. Create the TriggerAuthentication object:

      $ oc create -f <filename>.yaml
  2. Create or edit a ScaledObject YAML file that uses the trigger authentication:

    1. Create a YAML file that defines the object by running the following command:

      Example scaled object with a trigger authentication
      apiVersion: keda.sh/v1alpha1
      kind: ScaledObject
      metadata:
        name: scaledobject
        namespace: my-namespace
      spec:
        scaleTargetRef:
          name: example-deployment
        maxReplicaCount: 100
        minReplicaCount: 0
        pollingInterval: 30
        triggers:
        - type: prometheus
          metadata:
            serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
            namespace: kedatest # replace <NAMESPACE>
            metricName: http_requests_total
            threshold: '5'
            query: sum(rate(http_requests_total{job="test-app"}[1m]))
            authModes: "basic"
          authenticationRef:
            name: prom-triggerauthentication (1)
            kind: TriggerAuthentication (2)
      1 Specify the name of your trigger authentication object.
      2 Specify TriggerAuthentication. TriggerAuthentication is the default.
      Example scaled object with a cluster trigger authentication
      apiVersion: keda.sh/v1alpha1
      kind: ScaledObject
      metadata:
        name: scaledobject
        namespace: my-namespace
      spec:
        scaleTargetRef:
          name: example-deployment
        maxReplicaCount: 100
        minReplicaCount: 0
        pollingInterval: 30
        triggers:
        - type: prometheus
          metadata:
            serverAddress: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092
            namespace: kedatest # replace <NAMESPACE>
            metricName: http_requests_total
            threshold: '5'
            query: sum(rate(http_requests_total{job="test-app"}[1m]))
            authModes: "basic"
          authenticationRef:
            name: prom-cluster-triggerauthentication (1)
            kind: ClusterTriggerAuthentication (2)
      1 Specify the name of your trigger authentication object.
      2 Specify ClusterTriggerAuthentication.
    2. Create the scaled object by running the following command:

      $ oc apply -f <filename>