Isolating credentials in KEDA with TriggerAuthentication
TypeScriptWhen integrating Kubernetes Event-driven Autoscaling (KEDA) with any trigger sources that require credentials, it's a common and necessary practice to keep those credentials secure. The
TriggerAuthentication
resource that KEDA provides enables you to define such credentials outside of your scaled object, thus making your setup more secure and easier to manage.Below is a Pulumi program that demonstrates how to create a
TriggerAuthentication
resource in Kubernetes to use with KEDA. This example assumes that you have already got a Kubernetes cluster, and KEDA installed in your cluster.We will use the
kubernetes
Pulumi package to interact with your Kubernetes cluster for managing theTriggerAuthentication
resource, consistent with Kubernetes' approach to resource management.The
TriggerAuthentication
resource is not specific to KEDA but a custom resource offered by KEDA. Therefore, it does not directly appear in the Pulumi Registry but can be managed through the generalCustomResource
class from the@pulumi/kubernetes
SDK.Here is a TypeScript program that defines a
TriggerAuthentication
that stores a username and password for authentication with a hypothetical external service:import * as kubernetes from "@pulumi/kubernetes"; // Here we are creating a new KEDA TriggerAuthentication resource in the "keda" namespace. // This assumes that you have KEDA installed in the "keda" namespace and `my-username` // and `my-password` are the credentials required by the trigger source. const triggerAuth = new kubernetes.apiextensions.CustomResource("my-trigger-auth", { apiVersion: "keda.sh/v1alpha1", kind: "TriggerAuthentication", metadata: { // Namespace depends on where KEDA is installed namespace: "keda", }, spec: { // The secretTargetRef refers to a Kubernetes Secret resource that should // already be defined in the cluster with the key-value pairs being the credentials. secretTargetRef: [ { // Key of the secret to be used when authentication is required by a trigger parameter: "username", // Name of the secret in Kubernetes name: "my-secret", // Key within the secret key: "username" }, { parameter: "password", name: "my-secret", key: "password" }, ], }, }, { dependsOn: [/* dependencies such as the KEDA deployment or Secret */] }); // Export the name of the TriggerAuthentication export const triggerAuthenticationName = triggerAuth.metadata.name;
In the above program,
my-secret
is a Kubernetes Secret that you should create which contains the credentials (username
andpassword
keys). TheTriggerAuthentication
references these values securely, and KEDA will use thisTriggerAuthentication
to interact with the trigger source that requires these credentials safely.Remember to replace
my-secret
,my-username
,my-password
, and the namespace according to your setup. Also, you may need to adjustapiVersion
,kind
, or other properties according to the version of KEDA you are using.Ensure to apply this configuration as part of your deployment strategy where you configure your
ScaledObject
or other KEDA resources to point to thisTriggerAuthentication
resource.For more details on working with Kubernetes resources in Pulumi, you can visit the official documentation:
For specific details on KEDA's
TriggerAuthentication
and how to configure scaling, please refer to the KEDA documentation: