CMA should support bound service account tokens

modules/nodes-cma-autoscaling-custom-prometheus-config.adoc

@@ -18,7 +18,6 @@ These steps are not required for an external Prometheus source.
 You must perform the following tasks, as described in this section:
 
 * Create a service account.
-* Create a secret that generates a token for the service account.
 * Create the trigger authentication.
 * Create a role.
 * Add that role to the service account.
@@ -45,7 +44,7 @@ $ oc project <project_name> <1>
 *  If you are using a trigger authentication, specify the project with the object you want to scale.
 *  If you are using a cluster trigger authentication, specify the `openshift-keda` project.
 
-. Create a service account and token, if your cluster does not have one:
+. Create a service account, if your cluster does not have one:
 
 .. Create a `service account` object by using the following command:
 +
@@ -54,7 +53,8 @@ $ oc project <project_name> <1>
 $ oc create serviceaccount thanos <1>
 ----
 <1> Specifies the name of the service account.
-
+////
+Hiding, might not need it.
 .. Create a `secret` YAML to generate a service account token:
 +
 [source,yaml]
@@ -101,6 +101,7 @@ Events:              <none>
 ----
 <1> Use this token in the trigger authentication.
 --
+////
 
 . Create a trigger authentication with the service account token:
 
@@ -113,23 +114,17 @@ kind: <authentication_method> <1>
 metadata:
   name: keda-trigger-auth-prometheus
 spec:
-  secretTargetRef: <2>
-  - parameter: bearerToken <3>
-    name: thanos-token <4>
-    key: token <5>
-  - parameter: ca
-    name: thanos-token
-    key: ca.crt
+  boundServiceAccountToken: <2>
+    - parameter: token
+      serviceAccountName: my-service-account <3>
 ----
 <1> Specifies one of the following trigger authentication methods:
 +
 *  If you are using a trigger authentication, specify `TriggerAuthentication`. This example configures a trigger authentication.
 *  If you are using a cluster trigger authentication, specify `ClusterTriggerAuthentication`.
 +
-<2> Specifies that this object uses a secret for authorization.
-<3> Specifies the authentication parameter to supply by using the token.
-<4> Specifies the name of the token to use.
-<5> Specifies the key in the token to use with the specified parameter.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the name of the service account to use.
 
 .. Create the CR object:
 +

modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc

@@ -12,42 +12,26 @@ You use trigger authentications and cluster trigger authentications by using a c
 
 * The Custom Metrics Autoscaler Operator must be installed.
 
-* If you are using a secret, the `Secret` object must exist, for example:
-+
-.Example secret
-[source,yaml]
-----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: my-secret
-data:
-  user-name: <base64_USER_NAME>
-  password: <base64_USER_PASSWORD>
-----
+* If you are using a bound service account token, the service account must exist.
 
 .Procedure
 
 . Create the `TriggerAuthentication` or  `ClusterTriggerAuthentication` object.
 
 .. Create a YAML file that defines the object:
 +
-.Example trigger authentication with a secret
+.Example trigger authentication with a bound service account token
 [source,yaml]
 ----
 kind: TriggerAuthentication
 apiVersion: keda.sh/v1alpha1
 metadata:
   name: prom-triggerauthentication
   namespace: my-namespace
-spec:
-  secretTargetRef:
-  - parameter: user-name
-    name: my-secret
-    key: USER_NAME
-  - parameter: password
-    name: my-secret
-    key: USER_PASSWORD
+  spec:
+    boundServiceAccountToken:
+      - parameter: token
+        serviceAccountName: my-service-account
 ----
 
 .. Create the `TriggerAuthentication` object:

nodes/cma/nodes-cma-autoscaling-custom-trigger-auth.adoc

@@ -15,50 +15,47 @@ Alternatively, to share credentials between objects in multiple namespaces, you
 
 Trigger authentications and cluster trigger authentication use the same configuration. However, a cluster trigger authentication requires an additional `kind` parameter in the authentication reference of the scaled object.
 
-.Example secret for Basic authentication
+.Example trigger authentication using a bound service account token for Basic authentication
 [source,yaml]
 ----
-apiVersion: v1
-kind: Secret
+kind: TriggerAuthentication
+apiVersion: keda.sh/v1alpha1
 metadata:
-  name: my-basic-secret
-  namespace: default
-data:
-  username: "dXNlcm5hbWU=" <1>
-  password: "cGFzc3dvcmQ="
+  name: secret-triggerauthentication
+  namespace: my-namespace <1>
+spec:
+  boundServiceAccountToken: <2>
+    - parameter: token
+      serviceAccountName: my-service-account <3>
 ----
-<1> User name and password to supply to the trigger authentication. The values in a `data` stanza must be base-64 encoded.
+<1> Specifies the namespace of the object you want to scale.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the name of the service account to use.
 
-.Example trigger authentication using a secret for Basic authentication
+.Example cluster trigger authentication using a bound service account token for Basic authentication
 [source,yaml]
 ----
-kind: TriggerAuthentication
+kind: ClusterTriggerAuthentication
 apiVersion: keda.sh/v1alpha1
 metadata:
-  name: secret-triggerauthentication
-  namespace: my-namespace <1>
+  name: secret-cluster-triggerauthentication <1>
 spec:
-  secretTargetRef: <2>
-  - parameter: username <3>
-    name: my-basic-secret <4>
-    key: username <5>
-  - parameter: password
-    name: my-basic-secret
-    key: password
+  boundServiceAccountToken: <2>
+    - parameter: token
+      serviceAccountName: my-service-account <3>
 ----
 <1> Specifies the namespace of the object you want to scale.
-<2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
-<3> Specifies the authentication parameter to supply by using the secret.
-<4> Specifies the name of the secret to use.
-<5> Specifies the key in the secret to use with the specified parameter.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the name of the service account to use.
 
-.Example cluster trigger authentication with a secret for Basic authentication
+.Example trigger authentication using a secret for Basic authentication
 [source,yaml]
 ----
-kind: ClusterTriggerAuthentication
+kind: TriggerAuthentication
 apiVersion: keda.sh/v1alpha1
-metadata: <1>
-  name: secret-cluster-triggerauthentication
+metadata:
+  name: secret-triggerauthentication
+  namespace: my-namespace <1>
 spec:
   secretTargetRef: <2>
   - parameter: username <3>
@@ -68,27 +65,42 @@ spec:
     name: my-basic-secret
     key: password
 ----
-<1> Note that no namespace is used with a cluster trigger authentication.
+<1> Specifies the namespace of the object you want to scale.
 <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
 <3> Specifies the authentication parameter to supply by using the secret.
-<4> Specifies the name of the secret to use.
+<4> Specifies the name of the secret to use. See the following example secret for Basic authentication.
 <5> Specifies the key in the secret to use with the specified parameter.
 
-.Example secret with certificate authority (CA) details
+.Example secret for Basic authentication
 [source,yaml]
 ----
 apiVersion: v1
 kind: Secret
 metadata:
-  name: my-secret
-  namespace: my-namespace
-data: 
-  ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1>
-  client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2>
-  client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t...
+  name: my-basic-secret
+  namespace: default
+data:
+  username: "dXNlcm5hbWU=" <1>
+  password: "cGFzc3dvcmQ="
 ----
-<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded.
-<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded.
+<1> User name and password to supply to the trigger authentication. The values in a `data` stanza must be base-64 encoded.
+
+.Example trigger authentication using a bound service account token for certificate authority (CA) details
+[source,yaml]
+----
+kind: TriggerAuthentication
+apiVersion: keda.sh/v1alpha1
+metadata:
+  name: secret-triggerauthentication
+  namespace: my-namespace <1>
+spec:
+  boundServiceAccountToken: <2>
+    - parameter: token
+      serviceAccountName: my-service-account <3>
+----
+<1> Specifies the namespace of the object you want to scale.
+<2> Specifies that this trigger authentication uses a bound service account token for authorization when connecting to the metrics endpoint.
+<3> Specifies the name of the service account to use.
 
 .Example trigger authentication using a secret for CA details
 [source,yaml]
@@ -113,10 +125,10 @@ spec:
 <4> Specifies the name of the secret to use.
 <5> Specifies the key in the secret to use with the specified parameter.
 <6> Specifies the authentication parameter for a custom CA when connecting to the metrics endpoint.
-<7> Specifies the name of the secret to use.
+<7> Specifies the name of the secret to use. See the following example secret with certificate authority (CA) details.
 <8> Specifies the key in the secret to use with the specified parameter.
 
-.Example secret with a bearer token
+.Example secret with certificate authority (CA) details
 [source,yaml]
 ----
 apiVersion: v1
@@ -125,11 +137,14 @@ metadata:
   name: my-secret
   namespace: my-namespace
 data: 
-  bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" <1>
+  ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0... <1>
+  client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0... <2>
+  client-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0t...
 ----
-<1> Specifies a bearer token to use with bearer authentication. The value in a `data` stanza must be base-64 encoded.
+<1> Specifies the TLS CA Certificate for authentication of the metrics endpoint. The value must be base-64 encoded.
+<2> Specifies the TLS certificates and key for TLS client authentication. The values must be base-64 encoded.
 
-.Example trigger authentication with a bearer token
+.Example trigger authentication using a bearer token
 [source,yaml]
 ----
 kind: TriggerAuthentication
@@ -146,10 +161,23 @@ spec:
 <1> Specifies the namespace of the object you want to scale.
 <2> Specifies that this trigger authentication uses a secret for authorization when connecting to the metrics endpoint.
 <3> Specifies the type of authentication to use.
-<4> Specifies the name of the secret to use.
+<4> Specifies the name of the secret to use. See the following example secret with a bearer token.
 <5> Specifies the key in the token to use with the specified parameter.
 
-.Example trigger authentication with an environment variable
+.Example secret with a bearer token
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+  namespace: my-namespace
+data: 
+  bearerToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV" <1>
+----
+<1> Specifies a bearer token to use with bearer authentication. The value in a `data` stanza must be base-64 encoded.
+
+.Example trigger authentication using an environment variable
 [source,yaml]
 ----
 kind: TriggerAuthentication
@@ -169,7 +197,7 @@ spec:
 <4> Specify the name of the environment variable.
 <5> Optional: Specify a container that requires authentication. The container must be in the same resource as referenced by `scaleTargetRef` in the scaled object.
 
-.Example trigger authentication with pod authentication providers
+.Example trigger authentication using pod authentication providers
 [source,yaml]
 ----
 kind: TriggerAuthentication
@@ -189,7 +217,8 @@ spec:
 // ifndef::openshift-rosa,openshift-dedicated[]
 .Additional resources
 
-* For information about {product-title} secrets, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods].
+* xref:../../authentication/understanding-and-creating-service-accounts.adoc#understanding-service-accounts[Understanding and creating service accounts]
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets[Providing sensitive data to pods].
 // endif::openshift-rosa,openshift-dedicated[]
 
 include::modules/nodes-cma-autoscaling-custom-trigger-auth-using.adoc[leveloffset=+1]