From a3eeacc8e8658135a4ea755a8568d2bf7b1a0f19 Mon Sep 17 00:00:00 2001 From: marpio Date: Wed, 24 Mar 2021 11:10:41 +0100 Subject: [PATCH] Prometheus scaler auth (#364) Signed-off-by: marpio --- content/docs/2.2/scalers/metrics-api.md | 2 + content/docs/2.3/scalers/prometheus.md | 235 +++++++++++++++++++++++- 2 files changed, 236 insertions(+), 1 deletion(-) diff --git a/content/docs/2.2/scalers/metrics-api.md b/content/docs/2.2/scalers/metrics-api.md index 848db1db6..e1fd938eb 100644 --- a/content/docs/2.2/scalers/metrics-api.md +++ b/content/docs/2.2/scalers/metrics-api.md @@ -61,6 +61,8 @@ because many applications implement basic auth with a username as apikey and pas - `cert`: Certificate for client authentication. This is a required field. - `key`: Key for client authentication. Optional. This is a required field. +> 💡 **NOTE:**It's also possible to set the CA certificate regardless of the selected `authMode` (also without any authentication). This might be usefull if you are using an enterprise CA. + ### Example Here is a full example of scaled object definition using Metric API trigger: diff --git a/content/docs/2.3/scalers/prometheus.md b/content/docs/2.3/scalers/prometheus.md index ed579930b..e7820cc29 100644 --- a/content/docs/2.3/scalers/prometheus.md +++ b/content/docs/2.3/scalers/prometheus.md @@ -31,7 +31,26 @@ triggers: ### Authentication Parameters -Not supported yet. +Prometheus Scaler supports three types of authentication - bearer authentication, basic authentication and TLS authentication. + +You can use `TriggerAuthentication` CRD to configure the authentication. It is possible to specify multiple authentication types i.e. `authModes: "tls,basic"` Specify `authModes` and other trigger parameters along with secret credentials in `TriggerAuthentication` as mentioned below: + +**Bearer authentication:** +- `authModes`: It must contain `bearer` in case of Bearer Authentication. Specify this in trigger configuration. +- `bearerToken`: The token needed for authentication. This is a required field. + +**Basic authentication:** +- `authMode`: It must contain `basic` in case of Basic Authentication. Specify this in trigger configuration. +- `username`: This is a required field. Provide the username to be used for basic authentication. +- `password`: Provide the password to be used for authentication. For convenience, this has been marked optional, because many applications implement basic auth with a username as apikey and password as empty. + +**TLS authentication:** +- `authMode`: It must contain `tls` in case of TLS Authentication. Specify this in trigger configuration. +- `ca`: Certificate authority file for TLS client authentication. +- `cert`: Certificate for client authentication. This is a required field. +- `key`: Key for client authentication. Optional. This is a required field. + +> 💡 **NOTE:**It's also possible to set the CA certificate regardless of the selected `authMode` (also without any authentication). This might be usefull if you are using an enterprise CA. ### Example @@ -52,3 +71,217 @@ spec: threshold: '100' query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) ``` + +Here is an example of a prometheus scaler with bearer authentication, + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: keda-prom-secret + namespace: default +data: + bearerToken: "BEARER_TOKEN" + ca: "CUSTOM_CA_CERT" +--- +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: keda-prom-creds + namespace: default +spec: + secretTargetRef: + - parameter: bearerToken + name: keda-prom-secret + key: bearerToken + # might be required if you're using a custom CA + - parameter: ca + name: keda-prom-secret + key: ca +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: prometheus-scaledobject + namespace: keda + labels: + deploymentName: dummy +spec: + maxReplicaCount: 12 + scaleTargetRef: + name: dummy + triggers: + - type: prometheus + metadata: + serverAddress: http://:9090 + metricName: http_requests_total + threshold: '100' + query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + authModes: "bearer" + authenticationRef: + name: keda-prom-creds +``` + +Here is an example of a prometheus scaler with Basic Authentication, define the `Secret` and `TriggerAuthentication` as follows + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: keda-prom-secret + namespace: default +data: + username: "username" + password: "password" +--- +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: keda-prom-creds + namespace: default +spec: + secretTargetRef: + - parameter: username + name: keda-prom-secret + key: username + - parameter: password + name: keda-prom-secret + key: password +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: prometheus-scaledobject + namespace: keda + labels: + deploymentName: dummy +spec: + maxReplicaCount: 12 + scaleTargetRef: + name: dummy + triggers: + - type: metrics-api + metadata: + serverAddress: http://:9090 + metricName: http_requests_total + threshold: '100' + query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + authModes: "basic" + authenticationRef: + name: keda-prom-creds +``` + + +Here is an example of a prometheus scaler with TLS Authentication, define the `Secret` and `TriggerAuthentication` as follows + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: keda-prom-secret + namespace: default +data: + cert: "cert" + key: "key" + ca: "ca" +--- +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: keda-prom-creds + namespace: default +spec: + secretTargetRef: + - parameter: cert + name: keda-prom-secret + key: cert + - parameter: key + name: keda-prom-secret + key: key + - parameter: ca + name: keda-prom-secret + key: ca +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: prometheus-scaledobject + namespace: keda + labels: + deploymentName: dummy +spec: + maxReplicaCount: 12 + scaleTargetRef: + name: dummy + triggers: + - type: metrics-api + metadata: + serverAddress: http://:9090 + metricName: http_requests_total + threshold: '100' + query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + authModes: "tls" + authenticationRef: + name: keda-prom-creds +``` + +Here is an example of a prometheus scaler with TLS and Basic Authentication, define the `Secret` and `TriggerAuthentication` as follows + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: keda-prom-secret + namespace: default +data: + cert: "cert" + key: "key" + ca: "ca" + username: "username" + password: "password" +--- +apiVersion: keda.sh/v1alpha1 +kind: TriggerAuthentication +metadata: + name: keda-prom-creds + namespace: default +spec: + secretTargetRef: + - parameter: cert + name: keda-prom-secret + key: cert + - parameter: key + name: keda-prom-secret + key: key + - parameter: ca + name: keda-prom-secret + key: ca + - parameter: username + name: keda-prom-secret + key: username + - parameter: password + name: keda-prom-secret + key: password +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: prometheus-scaledobject + namespace: keda + labels: + deploymentName: dummy +spec: + maxReplicaCount: 12 + scaleTargetRef: + name: dummy + triggers: + - type: metrics-api + metadata: + serverAddress: http://:9090 + metricName: http_requests_total + threshold: '100' + query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + authModes: "tls,basic" + authenticationRef: + name: keda-prom-creds +``` \ No newline at end of file