From c23635ea66ea2813d84be3d757708fa777f657d1 Mon Sep 17 00:00:00 2001
From: Tom Kerkhove
Date: Mon, 14 Mar 2022 13:14:28 +0100
Subject: [PATCH] Document GCP PodIdentity for PubSub contributed by (#614)

* Document GCP PodIdentity for PubSub contributed by @hermanbanken
Signed-off-by: Tom Kerkhove
* Align v2.6
Signed-off-by: Tom Kerkhove
* Add missing sample
Signed-off-by: Tom Kerkhove
---
 content/docs/2.5/concepts/authentication.md | 44 +++++------
 content/docs/2.5/scalers/gcp-pub-sub.md | 88 +++++++++++----------
 content/docs/2.6/concepts/authentication.md | 44 +++++------
 content/docs/2.6/scalers/gcp-pub-sub.md | 88 +++++++++++----------
 4 files changed, 138 insertions(+), 126 deletions(-)

diff --git a/content/docs/2.5/concepts/authentication.md b/content/docs/2.5/concepts/authentication.md
index 96bb8728399..3576f6289d0 100644
--- a/content/docs/2.5/concepts/authentication.md
+++ b/content/docs/2.5/concepts/authentication.md
@@ -92,28 +92,28 @@ metadata:
 namespace: default # must be same namespace as the ScaledObject
 spec:
 podIdentity:
- provider: none | azure | aws-eks | aws-kiam # Optional. Default: none
- secretTargetRef: # Optional.
- - parameter: {scaledObject-parameter-name} # Required.
- name: {secret-name} # Required.
- key: {secret-key-name} # Required.
- env: # Optional.
- - parameter: {scaledObject-parameter-name} # Required.
- name: {env-name} # Required.
- containerName: {container-name} # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
- hashiCorpVault: # Optional.
- address: {hashicorp-vault-address} # Required.
- namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
- authentication: token | kubernetes # Required.
- role: {hashicorp-vault-role} # Optional.
- mount: {hashicorp-vault-mount} # Optional.
- credential: # Optional.
- token: {hashicorp-vault-token} # Optional.
- serviceAccount: {path-to-service-account-file} # Optional.
- secrets: # Required.
- - parameter: {scaledObject-parameter-name} # Required.
- key: {hasicorp-vault-secret-key-name} # Required.
- path: {hasicorp-vault-secret-path} # Required.
+ provider: none | azure | gcp | aws-eks | aws-kiam # Optional. Default: none
+ secretTargetRef: # Optional.
+ - parameter: {scaledObject-parameter-name} # Required.
+ name: {secret-name} # Required.
+ key: {secret-key-name} # Required.
+ env: # Optional.
+ - parameter: {scaledObject-parameter-name} # Required.
+ name: {env-name} # Required.
+ containerName: {container-name} # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
+ hashiCorpVault: # Optional.
+ address: {hashicorp-vault-address} # Required.
+ namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
+ authentication: token | kubernetes # Required.
+ role: {hashicorp-vault-role} # Optional.
+ mount: {hashicorp-vault-mount} # Optional.
+ credential: # Optional.
+ token: {hashicorp-vault-token} # Optional. + serviceAccount: {path-to-service-account-file} # Optional. + secrets: # Required. + - parameter: {scaledObject-parameter-name} # Required. + key: {hasicorp-vault-secret-key-name} # Required. + path: {hasicorp-vault-secret-path} # Required. ``` Based on the requirements you can mix and match the reference types providers in order to configure all required parameters. diff --git a/content/docs/2.5/scalers/gcp-pub-sub.md b/content/docs/2.5/scalers/gcp-pub-sub.md index 004f6770ca6..e01e1ce4836 100644 --- a/content/docs/2.5/scalers/gcp-pub-sub.md +++ b/content/docs/2.5/scalers/gcp-pub-sub.md 
@@ -1,35 +1,35 @@ +++ -title = "Google Cloud Platform‎ Pub/Sub" +title = "Google Cloud Platform Pub/Sub" layout = "scaler" availability = "v1.0+" maintainer = "Community" -description = "Scale applications based on Google Cloud Platform‎ Pub/Sub." +description = "Scale applications based on Google Cloud Platform Pub/Sub." go_file = "gcp_pub_sub_scaler" +++ ### Trigger Specification -This specification describes the `gcp-pubsub` trigger for Google Cloud Platform‎ Pub/Sub. +This specification describes the `gcp-pubsub` trigger for Google Cloud Platform Pub/Sub. ```yaml triggers: - type: gcp-pubsub + authenticationRef: gcp-pubsub-credentials # Required metadata: subscriptionSize: "5" # Deprecated, use mode and value fields instead mode: "SubscriptionSize" # Optional - Default is SubscriptionSize - SubscriptionSize or OldestUnackedMessageAge value: "5" # Optional - Default is 5 for SubscriptionSize | Default is 10 for OldestUnackedMessageAge subscriptionName: "mysubscription" # Required - credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required ``` -The Google Cloud Platform‎ (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription. +The Google Cloud Platform (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription. -The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON). KEDA will use those to connect to Google Cloud Platform and collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription. +`authenticationRef` defines how KEDA connect to Google Cloud Platform, to collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription. `subscriptionName` defines the subscription that should be monitored. 
You can use different formulas: - Just the subscription name, in which case you will reference a subscription from the current project or the one specified in the credentials file used. -- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`. +- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`. You can use either `subscriptionSize` to define the target average which the deployment will be scaled on or `mode` and `value` fields. `subscriptionSize` field is deprecated, it is recommended to use `mode` and `value` fields instead. Scaler will not work if you define both `subscriptionSize` and at least one of `mode` or `value`. The mode chooses whether to scale using number of messages `SubscriptionSize` or using oldest unacked message age `OldestUnackedMessageAge`. 
@@ -38,45 +38,62 @@ The `value` determines the target average which the deployment will be scaled on Here's an [example](https://github.com/kedacore/sample-go-gcppubsub). ### Authentication Parameters -You can use `TriggerAuthentication` CRD to configure the authenticate by providing the service account credentials in JSON. +You can configure authorization for a `ScaledObject` either directly using credentials in `credentialsFromEnv` or using an `authenticationRef` referencing a `TriggerAuthentication` CRD which configures authorization. +**Pod identity based authentication:** +- `podIdentity.provider` - Needs to be set to `gcp` on the `TriggerAuthentication` and the pod's [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) or node's (default) service account must be configured correctly. -**Credential based authentication:** +**Credential based authentication via TriggerAuthentication:** +- `secretTargetRef` - Needs to be set on the `TriggerAuthentication`, with `parameter=GoogleApplicationCredentials` and `name` must reference a Secret in which `key` is the key containing the JSON ServiceAccount value. -- `GoogleApplicationCredentials` - Service account credentials in JSON. +**Credential based authentication via ScaledObject:** +- `credentialsFromEnv` - Needs to be set on the `ScaledObject`. -### Example +### Examples +To use the GCP default authentication, you need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`. 
```yaml apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: gcp-pubsub-credentials +spec: + podIdentity: + provider: gcp # Required +--- +apiVersion: keda.sh/v1alpha1 kind: ScaledObject metadata: name: pubsub-scaledobject - namespace: keda-pubsub-test spec: scaleTargetRef: name: keda-pubsub-go triggers: - type: gcp-pubsub metadata: - mode: "SubscriptionSize" - value: "5" - subscriptionName: "mysubscription" # Required - credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required + subscriptionName: "input" # Required + authenticationRef: + name: gcp-pubsub-credentials ``` -### Example using TriggerAuthentication - +Alternatively, you can configure the credentials in a secet, via the `TriggerAuthentication`: ```yaml +apiVersion: v1 +kind: Secret +metadata: + name: pubsub-secret +data: + GOOGLE_APPLICATION_CREDENTIALS_JSON: +--- apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: keda-trigger-auth-gcp-credentials + name: gcp-pubsub-credentials spec: secretTargetRef: - parameter: GoogleApplicationCredentials - name: pubsub-secret # Required. Refers to the name of the secret - key: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required. + name: pubsub-secret # Required. Refers to the name of the secret + key: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required --- apiVersion: keda.sh/v1alpha1 kind: ScaledObject 
@@ -87,40 +104,29 @@ spec: name: keda-pubsub-go triggers: - type: gcp-pubsub - authenticationRef: - name: keda-trigger-auth-gcp-credentials metadata: - subscriptionName: "input" # Required + subscriptionName: "input" # Required + authenticationRef: + name: gcp-pubsub-credentials # Required ``` -**Identity based authentication:** - -You can also use `TriggerAuthentication` CRD to configure the authentication using the associated service account of the running machine in Google Cloud. You only need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`. `ClusterTriggerAuthentication` can also be used if you pretend to use it globally in your cluster. - -### Example using TriggerAuthentication with GCP Identity +The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON). ```yaml apiVersion: keda.sh/v1alpha1 -kind: TriggerAuthentication -metadata: - name: keda-trigger-auth-gcp-credentials -spec: - podIdentity: - provider: gcp ---- -apiVersion: keda.sh/v1alpha1 kind: ScaledObject metadata: name: pubsub-scaledobject + namespace: keda-pubsub-test spec: scaleTargetRef: name: keda-pubsub-go triggers: - type: gcp-pubsub - authenticationRef: - name: keda-trigger-auth-gcp-credentials metadata: - subscriptionName: "input" # Required + subscriptionSize: "5" + subscriptionName: "mysubscription" # Required + credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required ``` ## Example using ClusterTriggerAuthentication with GCP Identity @@ -148,4 +154,4 @@ spec: kind: ClusterTriggerAuthentication metadata: subscriptionName: "input" # Required -``` \ No newline at end of file +``` diff --git a/content/docs/2.6/concepts/authentication.md b/content/docs/2.6/concepts/authentication.md index 96bb8728399..3576f6289d0 100644 --- a/content/docs/2.6/concepts/authentication.md +++ b/content/docs/2.6/concepts/authentication.md 
@@ -92,28 +92,28 @@ metadata:
 namespace: default # must be same namespace as the ScaledObject
 spec:
 podIdentity:
- provider: none | azure | aws-eks | aws-kiam # Optional. Default: none
- secretTargetRef: # Optional.
- - parameter: {scaledObject-parameter-name} # Required.
- name: {secret-name} # Required.
- key: {secret-key-name} # Required.
- env: # Optional.
- - parameter: {scaledObject-parameter-name} # Required.
- name: {env-name} # Required.
- containerName: {container-name} # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
- hashiCorpVault: # Optional.
- address: {hashicorp-vault-address} # Required.
- namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
- authentication: token | kubernetes # Required.
- role: {hashicorp-vault-role} # Optional.
- mount: {hashicorp-vault-mount} # Optional.
- credential: # Optional.
- token: {hashicorp-vault-token} # Optional.
- serviceAccount: {path-to-service-account-file} # Optional.
- secrets: # Required.
- - parameter: {scaledObject-parameter-name} # Required.
- key: {hasicorp-vault-secret-key-name} # Required.
- path: {hasicorp-vault-secret-path} # Required.
+ provider: none | azure | gcp | aws-eks | aws-kiam # Optional. Default: none
+ secretTargetRef: # Optional.
+ - parameter: {scaledObject-parameter-name} # Required.
+ name: {secret-name} # Required.
+ key: {secret-key-name} # Required.
+ env: # Optional.
+ - parameter: {scaledObject-parameter-name} # Required.
+ name: {env-name} # Required.
+ containerName: {container-name} # Optional. Default: scaleTargetRef.envSourceContainerName of ScaledObject
+ hashiCorpVault: # Optional.
+ address: {hashicorp-vault-address} # Required.
+ namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
+ authentication: token | kubernetes # Required.
+ role: {hashicorp-vault-role} # Optional.
+ mount: {hashicorp-vault-mount} # Optional.
+ credential: # Optional.
+ token: {hashicorp-vault-token} # Optional. + serviceAccount: {path-to-service-account-file} # Optional. + secrets: # Required. + - parameter: {scaledObject-parameter-name} # Required. + key: {hasicorp-vault-secret-key-name} # Required. + path: {hasicorp-vault-secret-path} # Required. ``` Based on the requirements you can mix and match the reference types providers in order to configure all required parameters. diff --git a/content/docs/2.6/scalers/gcp-pub-sub.md b/content/docs/2.6/scalers/gcp-pub-sub.md index 004f6770ca6..e01e1ce4836 100644 --- a/content/docs/2.6/scalers/gcp-pub-sub.md +++ b/content/docs/2.6/scalers/gcp-pub-sub.md 
@@ -1,35 +1,35 @@ +++ -title = "Google Cloud Platform‎ Pub/Sub" +title = "Google Cloud Platform Pub/Sub" layout = "scaler" availability = "v1.0+" maintainer = "Community" -description = "Scale applications based on Google Cloud Platform‎ Pub/Sub." +description = "Scale applications based on Google Cloud Platform Pub/Sub." go_file = "gcp_pub_sub_scaler" +++ ### Trigger Specification -This specification describes the `gcp-pubsub` trigger for Google Cloud Platform‎ Pub/Sub. +This specification describes the `gcp-pubsub` trigger for Google Cloud Platform Pub/Sub. ```yaml triggers: - type: gcp-pubsub + authenticationRef: gcp-pubsub-credentials # Required metadata: subscriptionSize: "5" # Deprecated, use mode and value fields instead mode: "SubscriptionSize" # Optional - Default is SubscriptionSize - SubscriptionSize or OldestUnackedMessageAge value: "5" # Optional - Default is 5 for SubscriptionSize | Default is 10 for OldestUnackedMessageAge subscriptionName: "mysubscription" # Required - credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required ``` -The Google Cloud Platform‎ (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription. +The Google Cloud Platform (GCP) Pub/Sub trigger allows you to scale based on the number of messages or oldest unacked message age in your Pub/Sub subscription. -The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON). KEDA will use those to connect to Google Cloud Platform and collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription. +`authenticationRef` defines how KEDA connect to Google Cloud Platform, to collect the required stack driver metrics in order to read the number of messages in the Pub/Sub subscription. `subscriptionName` defines the subscription that should be monitored. 
You can use different formulas: - Just the subscription name, in which case you will reference a subscription from the current project or the one specified in the credentials file used. -- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`. +- Use the full link provided by Google, so that you can reference a subscription that is hosted in another project Eg: `projects/myproject/subscriptions/mysubscription`. You can use either `subscriptionSize` to define the target average which the deployment will be scaled on or `mode` and `value` fields. `subscriptionSize` field is deprecated, it is recommended to use `mode` and `value` fields instead. Scaler will not work if you define both `subscriptionSize` and at least one of `mode` or `value`. The mode chooses whether to scale using number of messages `SubscriptionSize` or using oldest unacked message age `OldestUnackedMessageAge`. 
@@ -38,45 +38,62 @@ The `value` determines the target average which the deployment will be scaled on Here's an [example](https://github.com/kedacore/sample-go-gcppubsub). ### Authentication Parameters -You can use `TriggerAuthentication` CRD to configure the authenticate by providing the service account credentials in JSON. +You can configure authorization for a `ScaledObject` either directly using credentials in `credentialsFromEnv` or using an `authenticationRef` referencing a `TriggerAuthentication` CRD which configures authorization. +**Pod identity based authentication:** +- `podIdentity.provider` - Needs to be set to `gcp` on the `TriggerAuthentication` and the pod's [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) or node's (default) service account must be configured correctly. -**Credential based authentication:** +**Credential based authentication via TriggerAuthentication:** +- `secretTargetRef` - Needs to be set on the `TriggerAuthentication`, with `parameter=GoogleApplicationCredentials` and `name` must reference a Secret in which `key` is the key containing the JSON ServiceAccount value. -- `GoogleApplicationCredentials` - Service account credentials in JSON. +**Credential based authentication via ScaledObject:** +- `credentialsFromEnv` - Needs to be set on the `ScaledObject`. -### Example +### Examples +To use the GCP default authentication, you need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`. 
```yaml apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: gcp-pubsub-credentials +spec: + podIdentity: + provider: gcp # Required +--- +apiVersion: keda.sh/v1alpha1 kind: ScaledObject metadata: name: pubsub-scaledobject - namespace: keda-pubsub-test spec: scaleTargetRef: name: keda-pubsub-go triggers: - type: gcp-pubsub metadata: - mode: "SubscriptionSize" - value: "5" - subscriptionName: "mysubscription" # Required - credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required + subscriptionName: "input" # Required + authenticationRef: + name: gcp-pubsub-credentials ``` -### Example using TriggerAuthentication - +Alternatively, you can configure the credentials in a secet, via the `TriggerAuthentication`: ```yaml +apiVersion: v1 +kind: Secret +metadata: + name: pubsub-secret +data: + GOOGLE_APPLICATION_CREDENTIALS_JSON: +--- apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: - name: keda-trigger-auth-gcp-credentials + name: gcp-pubsub-credentials spec: secretTargetRef: - parameter: GoogleApplicationCredentials - name: pubsub-secret # Required. Refers to the name of the secret - key: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required. + name: pubsub-secret # Required. Refers to the name of the secret + key: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required --- apiVersion: keda.sh/v1alpha1 kind: ScaledObject 
@@ -87,40 +104,29 @@ spec: name: keda-pubsub-go triggers: - type: gcp-pubsub - authenticationRef: - name: keda-trigger-auth-gcp-credentials metadata: - subscriptionName: "input" # Required + subscriptionName: "input" # Required + authenticationRef: + name: gcp-pubsub-credentials # Required ``` -**Identity based authentication:** - -You can also use `TriggerAuthentication` CRD to configure the authentication using the associated service account of the running machine in Google Cloud. You only need to create a `TriggerAuthentication` as this example, and reference it in the `ScaledObject`. `ClusterTriggerAuthentication` can also be used if you pretend to use it globally in your cluster. - -### Example using TriggerAuthentication with GCP Identity +The `credentialsFromEnv` property maps to the name of an environment variable in the scale target (`scaleTargetRef`) that contains the service account credentials (JSON). ```yaml apiVersion: keda.sh/v1alpha1 -kind: TriggerAuthentication -metadata: - name: keda-trigger-auth-gcp-credentials -spec: - podIdentity: - provider: gcp ---- -apiVersion: keda.sh/v1alpha1 kind: ScaledObject metadata: name: pubsub-scaledobject + namespace: keda-pubsub-test spec: scaleTargetRef: name: keda-pubsub-go triggers: - type: gcp-pubsub - authenticationRef: - name: keda-trigger-auth-gcp-credentials metadata: - subscriptionName: "input" # Required + subscriptionSize: "5" + subscriptionName: "mysubscription" # Required + credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON # Required ``` ## Example using ClusterTriggerAuthentication with GCP Identity @@ -148,4 +154,4 @@ spec: kind: ClusterTriggerAuthentication metadata: subscriptionName: "input" # Required -``` \ No newline at end of file +```