1. Isolating credentials in KEDA with TriggerAuthentication

    TypeScript

    When integrating Kubernetes Event-driven Autoscaling (KEDA) with any trigger sources that require credentials, it's a common and necessary practice to keep those credentials secure. The TriggerAuthentication resource that KEDA provides enables you to define such credentials outside of your scaled object, thus making your setup more secure and easier to manage.

    Below is a Pulumi program that demonstrates how to create a TriggerAuthentication resource in Kubernetes to use with KEDA. This example assumes that you have already got a Kubernetes cluster, and KEDA installed in your cluster.

    We will use the kubernetes Pulumi package to interact with your Kubernetes cluster for managing the TriggerAuthentication resource, consistent with Kubernetes' approach to resource management.

    The TriggerAuthentication resource is not specific to KEDA but a custom resource offered by KEDA. Therefore, it does not directly appear in the Pulumi Registry but can be managed through the general CustomResource class from the @pulumi/kubernetes SDK.

    Here is a TypeScript program that defines a TriggerAuthentication that stores a username and password for authentication with a hypothetical external service:

    import * as kubernetes from "@pulumi/kubernetes"; // Here we are creating a new KEDA TriggerAuthentication resource in the "keda" namespace. // This assumes that you have KEDA installed in the "keda" namespace and `my-username` // and `my-password` are the credentials required by the trigger source. const triggerAuth = new kubernetes.apiextensions.CustomResource("my-trigger-auth", { apiVersion: "keda.sh/v1alpha1", kind: "TriggerAuthentication", metadata: { // Namespace depends on where KEDA is installed namespace: "keda", }, spec: { // The secretTargetRef refers to a Kubernetes Secret resource that should // already be defined in the cluster with the key-value pairs being the credentials. secretTargetRef: [ { // Key of the secret to be used when authentication is required by a trigger parameter: "username", // Name of the secret in Kubernetes name: "my-secret", // Key within the secret key: "username" }, { parameter: "password", name: "my-secret", key: "password" }, ], }, }, { dependsOn: [/* dependencies such as the KEDA deployment or Secret */] }); // Export the name of the TriggerAuthentication export const triggerAuthenticationName = triggerAuth.metadata.name;

    In the above program, my-secret is a Kubernetes Secret that you should create which contains the credentials (username and password keys). The TriggerAuthentication references these values securely, and KEDA will use this TriggerAuthentication to interact with the trigger source that requires these credentials safely.

    Remember to replace my-secret, my-username, my-password, and the namespace according to your setup. Also, you may need to adjust apiVersion, kind, or other properties according to the version of KEDA you are using.

    Ensure to apply this configuration as part of your deployment strategy where you configure your ScaledObject or other KEDA resources to point to this TriggerAuthentication resource.

    For more details on working with Kubernetes resources in Pulumi, you can visit the official documentation:

    For specific details on KEDA's TriggerAuthentication and how to configure scaling, please refer to the KEDA documentation: