Document GCP PodIdentity for PubSub contributed by (kedacore#614)

* Document GCP PodIdentity for PubSub contributed by @hermanbanken Signed-off-by: Tom Kerkhove <[email protected]> * Align v2.6 Signed-off-by: Tom Kerkhove <[email protected]> * Add missing sample Signed-off-by: Tom Kerkhove <[email protected]>
SpiritZhou · Mar 14, 2022 · c23635e · c23635e
1 parent 1871814
commit c23635e
Show file tree

Hide file tree

Showing 4 changed files with 138 additions and 126 deletions.
diff --git a/content/docs/2.5/concepts/authentication.md b/content/docs/2.5/concepts/authentication.md
@@ -92,28 +92,28 @@ metadata:
   namespace: default # must be same namespace as the ScaledObject
 spec:
   podIdentity:
-      provider: none | azure | aws-eks | aws-kiam  # Optional. Default: none
-  secretTargetRef:                                    # Optional.
-  - parameter: {scaledObject-parameter-name}          # Required.
-    name: {secret-name}                               # Required.
-    key: {secret-key-name}                            # Required.
-  env:                                                # Optional.
-  - parameter: {scaledObject-parameter-name}          # Required.
-    name: {env-name}                                  # Required.
-    containerName: {container-name}                   # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
-  hashiCorpVault:                                     # Optional.
-    address: {hashicorp-vault-address}                # Required.
-    namespace: {hashicorp-vault-namespace}            # Optional. Default is root namespace. Useful for Vault Enterprise
-    authentication: token | kubernetes                # Required.
-    role: {hashicorp-vault-role}                      # Optional.
-    mount: {hashicorp-vault-mount}                    # Optional.
-    credential:                                       # Optional.
-      token: {hashicorp-vault-token}                  # Optional.
-      serviceAccount: {path-to-service-account-file}  # Optional.
-    secrets:                                          # Required.
-    - parameter: {scaledObject-parameter-name}        # Required.
-      key: {hasicorp-vault-secret-key-name}           # Required.
-      path: {hasicorp-vault-secret-path}              # Required.
+      provider: none | azure | gcp | aws-eks | aws-kiam  # Optional. Default: none
+  secretTargetRef:                                       # Optional.
+  - parameter: {scaledObject-parameter-name}             # Required.
+    name: {secret-name}                                  # Required.
+    key: {secret-key-name}                               # Required.
+  env:                                                   # Optional.
+  - parameter: {scaledObject-parameter-name}             # Required.
+    name: {env-name}                                     # Required.
+    containerName: {container-name}                      # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
+  hashiCorpVault:                                        # Optional.
+    address: {hashicorp-vault-address}                   # Required.
+    namespace: {hashicorp-vault-namespace}               # Optional. Default is root namespace. Useful for Vault Enterprise
+    authentication: token | kubernetes                   # Required.
+    role: {hashicorp-vault-role}                         # Optional.
+    mount: {hashicorp-vault-mount}                       # Optional.
+    credential:                                          # Optional.
+      token: {hashicorp-vault-token}                     # Optional.
+      serviceAccount: {path-to-service-account-file}     # Optional.
+    secrets:                                             # Required.
+    - parameter: {scaledObject-parameter-name}           # Required.
+      key: {hasicorp-vault-secret-key-name}              # Required.
+      path: {hasicorp-vault-secret-path}                 # Required.
 ```
 
 Based on the requirements you can mix and match the reference types providers in order to configure all required parameters.

diff --git a/content/docs/2.5/scalers/gcp-pub-sub.md b/content/docs/2.5/scalers/gcp-pub-sub.md
@@ -1,35 +1,35 @@
 +++
-title = "Google Cloud Platform‎ Pub/Sub"
+title = "Google Cloud Platform Pub/Sub"
 layout = "scaler"
 availability = "v1.0+"
 maintainer = "Community"
-description = "Scale applications based on Google Cloud Platform‎ Pub/Sub."
+description = "Scale applications based on Google Cloud Platform Pub/Sub."
 go_file = "gcp_pub_sub_scaler"
 +++
 
 ### Trigger Specification
 
-This specification describes the `gcp-pubsub` trigger for Google Cloud Platform‎ Pub/Sub.
+This specification describes the `gcp-pubsub` trigger for Google Cloud Platform Pub/Sub.
 
 ```yaml
 triggers:
 - type: gcp-pubsub
+  authenticationRef: gcp-pubsub-credentials # Required
   metadata:
     subscriptionSize: "5" # Deprecated, use mode and value fields instead
     mode: "SubscriptionSize" # Optional - Default is SubscriptionSize - SubscriptionSize or OldestUnackedMessageAge
     value: "5" # Optional - Default is 5 for SubscriptionSize | Default is 10 for OldestUnackedMessageAge
     subscriptionName: "mysubscription" # Required
-    credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required
 ```
 
-The Google Cloud Platform‎ (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription. 
+The Google Cloud Platform (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription.
 
-The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON). KEDA will use those to connect to Google Cloud Platform and collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription.
+`authenticationRef` defines how KEDA connect to Google Cloud Platform, to collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription.
 
 `subscriptionName` defines the subscription that should be monitored. You can use different formulas:
 
 - Just the subscription name, in which case you will reference a subscription from the current project or the one specified in the credentials file used.
-- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`. 
+- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`.
 
 You can use either `subscriptionSize` to define the target average which the deployment will be scaled on or `mode` and `value` fields. `subscriptionSize` field is deprecated, it is recommended to use `mode` and `value` fields instead. Scaler will not work if you define both `subscriptionSize` and at least one of `mode` or `value`.
 The mode chooses whether to scale using number of messages `SubscriptionSize` or using oldest unacked message age `OldestUnackedMessageAge`. 
@@ -38,45 +38,62 @@ The `value` determines the target average which the deployment will be scaled on
 Here's an [example](https://github.com/kedacore/sample-go-gcppubsub).
 
 ### Authentication Parameters
-You can use `TriggerAuthentication` CRD to configure the authenticate by providing the service account credentials in JSON. 
+You can configure authorization for a `ScaledObject` either directly using credentials in `credentialsFromEnv` or using an `authenticationRef` referencing a `TriggerAuthentication` CRD which configures authorization.
 
+**Pod identity based authentication:**
+- `podIdentity.provider` - Needs to be set to `gcp` on the `TriggerAuthentication` and the pod's [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) or node's (default) service account must be configured correctly.
 
-**Credential based authentication:**
+**Credential based authentication via TriggerAuthentication:**
+- `secretTargetRef` - Needs to be set on the `TriggerAuthentication`, with `parameter=GoogleApplicationCredentials` and `name` must reference a Secret in which `key` is the key containing the JSON ServiceAccount value.
 
-- `GoogleApplicationCredentials` - Service account credentials in JSON.
+**Credential based authentication via ScaledObject:**
+- `credentialsFromEnv` - Needs to be set on the `ScaledObject`.
 
-### Example 
+### Examples
+To use the GCP default authentication, you need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`.
 
 ```yaml
 apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+  name: gcp-pubsub-credentials
+spec:
+  podIdentity:
+    provider: gcp # Required
+---
+apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
 metadata:
   name: pubsub-scaledobject
-  namespace: keda-pubsub-test
 spec:
   scaleTargetRef:
     name: keda-pubsub-go
   triggers:
   - type: gcp-pubsub
     metadata:
-      mode: "SubscriptionSize"
-      value: "5"
-      subscriptionName: "mysubscription" # Required
-      credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required
+      subscriptionName: "input" # Required
+    authenticationRef:
+      name: gcp-pubsub-credentials
 ```
 
-### Example using TriggerAuthentication
-
+Alternatively, you can configure the credentials in a secet, via the `TriggerAuthentication`:
 ```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pubsub-secret
+data:
+  GOOGLE_APPLICATION_CREDENTIALS_JSON: <json-credential-value>
+---
 apiVersion: keda.sh/v1alpha1
 kind: TriggerAuthentication
 metadata:
-  name: keda-trigger-auth-gcp-credentials
+  name: gcp-pubsub-credentials
 spec:
   secretTargetRef:
   - parameter: GoogleApplicationCredentials 
-    name: pubsub-secret        # Required. Refers to the name of the secret
-    key: GOOGLE_APPLICATION_CREDENTIALS_JSON       # Required.
+    name: pubsub-secret  # Required. Refers to the name of the secret
+    key: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required
 ---
 apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
@@ -87,40 +104,29 @@ spec:
     name: keda-pubsub-go
   triggers:
   - type: gcp-pubsub
-    authenticationRef:
-      name: keda-trigger-auth-gcp-credentials
     metadata:
-      subscriptionName: "input" # Required  
+      subscriptionName: "input" # Required
+    authenticationRef:
+      name: gcp-pubsub-credentials # Required
 ```
 
-**Identity based authentication:**
-
-You can also use `TriggerAuthentication` CRD to configure the authentication using the associated service account of the running machine in Google Cloud. You only need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`. `ClusterTriggerAuthentication` can also be used if you pretend to use it globally in your cluster.
-
-### Example using TriggerAuthentication with GCP Identity
+The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON).
 
 ```yaml
 apiVersion: keda.sh/v1alpha1
-kind: TriggerAuthentication
-metadata:
-  name: keda-trigger-auth-gcp-credentials
-spec:
-  podIdentity:
-    provider: gcp
----
-apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
 metadata:
   name: pubsub-scaledobject
+  namespace: keda-pubsub-test
 spec:
   scaleTargetRef:
     name: keda-pubsub-go
   triggers:
   - type: gcp-pubsub
-    authenticationRef:
-      name: keda-trigger-auth-gcp-credentials
     metadata:
-      subscriptionName: "input" # Required
+      subscriptionSize: "5"
+      subscriptionName: "mysubscription" # Required
+      credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required
 ```
 
 ## Example using ClusterTriggerAuthentication with GCP Identity
@@ -148,4 +154,4 @@ spec:
       kind: ClusterTriggerAuthentication
     metadata:
       subscriptionName: "input" # Required
-```
+```
diff --git a/content/docs/2.6/concepts/authentication.md b/content/docs/2.6/concepts/authentication.md
@@ -92,28 +92,28 @@ metadata:
   namespace: default # must be same namespace as the ScaledObject
 spec:
   podIdentity:
-      provider: none | azure | aws-eks | aws-kiam  # Optional. Default: none
-  secretTargetRef:                                    # Optional.
-  - parameter: {scaledObject-parameter-name}          # Required.
-    name: {secret-name}                               # Required.
-    key: {secret-key-name}                            # Required.
-  env:                                                # Optional.
-  - parameter: {scaledObject-parameter-name}          # Required.
-    name: {env-name}                                  # Required.
-    containerName: {container-name}                   # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
-  hashiCorpVault:                                     # Optional.
-    address: {hashicorp-vault-address}                # Required.
-    namespace: {hashicorp-vault-namespace}            # Optional. Default is root namespace. Useful for Vault Enterprise
-    authentication: token | kubernetes                # Required.
-    role: {hashicorp-vault-role}                      # Optional.
-    mount: {hashicorp-vault-mount}                    # Optional.
-    credential:                                       # Optional.
-      token: {hashicorp-vault-token}                  # Optional.
-      serviceAccount: {path-to-service-account-file}  # Optional.
-    secrets:                                          # Required.
-    - parameter: {scaledObject-parameter-name}        # Required.
-      key: {hasicorp-vault-secret-key-name}           # Required.
-      path: {hasicorp-vault-secret-path}              # Required.
+      provider: none | azure | gcp | aws-eks | aws-kiam  # Optional. Default: none
+  secretTargetRef:                                       # Optional.
+  - parameter: {scaledObject-parameter-name}             # Required.
+    name: {secret-name}                                  # Required.
+    key: {secret-key-name}                               # Required.
+  env:                                                   # Optional.
+  - parameter: {scaledObject-parameter-name}             # Required.
+    name: {env-name}                                     # Required.
+    containerName: {container-name}                      # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
+  hashiCorpVault:                                        # Optional.
+    address: {hashicorp-vault-address}                   # Required.
+    namespace: {hashicorp-vault-namespace}               # Optional. Default is root namespace. Useful for Vault Enterprise
+    authentication: token | kubernetes                   # Required.
+    role: {hashicorp-vault-role}                         # Optional.
+    mount: {hashicorp-vault-mount}                       # Optional.
+    credential:                                          # Optional.
+      token: {hashicorp-vault-token}                     # Optional.
+      serviceAccount: {path-to-service-account-file}     # Optional.
+    secrets:                                             # Required.
+    - parameter: {scaledObject-parameter-name}           # Required.
+      key: {hasicorp-vault-secret-key-name}              # Required.
+      path: {hasicorp-vault-secret-path}                 # Required.
 ```
 
 Based on the requirements you can mix and match the reference types providers in order to configure all required parameters.