Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keda eks #174

Merged
merged 6 commits into from
Nov 24, 2023
Merged

Keda eks #174

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7dce128
Keda SQS started
Phantom-Intruder Aug 7, 2023
9167ec9
Keda SQS authentication
Phantom-Intruder Aug 8, 2023
ebfac62
Keda SQS authentication
Phantom-Intruder Aug 9, 2023
feee245
Keda SQS finished
Phantom-Intruder Aug 10, 2023
7fdb57b
Conflic resolution
Phantom-Intruder Nov 21, 2023
081f28f
Conflic resolution
Phantom-Intruder Nov 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 57 additions & 1 deletion Keda101/keda-lab.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,62 @@ And that's it! You only needed to modify two lines and you have full authorizati

While this is the easiest way to provide authentication, it is not the only way to do it. You could also change the `identityOwner` to `pod`, and create a `TriggerAuthentication` resource and feed in the AWS access keys (which isn't very secure), or have the keda service account assume a role that has access to the necessary resources (which is much more secure). There is a number of different ways to authorize, and these are covered in the [KEDA documentation](https://keda.sh/docs/1.4/concepts/authentication/).

If you added the arn, then setting up authentication is a simple matter. While Keda provides resources specifically geared towards authentication, you won't need to use any of that. In the Keda authentication types, there exists a type called `operator`. This type allows the keda service account to directly acquire the role of the IAM arn you provided. As long as the arn has the permissions necessary, keda can function. The triggers will look like the following:

```yaml
triggers:
- type: aws-sqs-queue
authenticationRef:
name: keda-trigger-auth-aws-credentials-activity-distributor
metadata:
queueURL: <your_queue_url>
queueLength: "1"
awsRegion: "us-east-1"
identityOwner: operator # This is where the identityOwner needs to be set
```

If you set the `identityOwner` to something else, such as `pod`, you could set up Keda to authenticate by assuming a role that has the necessary permissions instead of acquiring the IAM role itself. You could also completely scrap this part and choose to provide access keys. In this case, you would use several additional resources. For starters, you need to include your access keys in a secret. So start by defining a resource of kind `secret`:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: keda-secret
namespace: keda
data:
AWS_ACCESS_KEY_ID: <AWS ACCESS KEY>
AWS_SECRET_ACCESS_KEY: <AWS SECRET KEY>
```

You should then assign this resource to a Keda-specific custom resource called "TriggerAuthentication":

```yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
name: keda-trigger-authentication
namespace: keda
spec:
secretTargetRef:
- parameter: awsAccessKeyID
name: keda-secret
key: AWS_ACCESS_KEY_ID
- parameter: awsSecretAccessKey
name: keda-secret
key: AWS_SECRET_ACCESS_KEY
```

This `TriggerAuthentication` resource should then be referenced within the actual `ScaledJob` resource under the `triggered` section:

```yaml
authenticationRef:
name: keda-trigger-authentication
```

This will allow your `ScaledJob` resource to read the authentication keys that you added to your secret via the `TriggerAuthentication` resource. Of course, if you don't want to have your access keys even as a secret, you can use the operator authentication type described above. Additionally, Keda support [several different authentication types](https://keda.sh/docs/2.11/concepts/authentication/) out of the box.

With the above configuration, a new Keda job will start every time a message is sent to the SQS queue. The job should have the necessary configurations to read the content of the message sent to the queue, and the message in SQS should get consumed by the job that starts. Once the job succeeds, it will terminate. If there is a failure, the job will exit and a new job will get created. It will then attempt to consume the message.

## Conclusion

This wraps up the lesson on KEDA. What we tried out was a simple demonstration of a MySQL scaler, but it is a good representation of what you can expect with other data sources. If you want to try out other scalers, make sure you check out the [official samples page](https://github.com/kedacore/samples).
This wraps up the lesson on KEDA. What we tried out was a simple demonstration of a MySQL scaler followed by a demonstration of using various authentication methods to connect and consume messages from AWS SQS. This is a good representation of what you can expect from other data sources. If you were considering using this with a different Kubernetes engine running on a different cloud provider, the concept would still work. Make sure you read through the authentication page, which contains different methods of authentication for different cloud providers. If you want to try out other scalers, make sure you check out the [official samples page](https://github.com/kedacore/samples).
Loading