docs on KEDA Metrics Server Certificates (kedacore#971)
zroubalik authored Nov 4, 2022
1 parent 20cc085 commit f726780
Showing 4 changed files with 140 additions and 0 deletions.
35 changes: 35 additions & 0 deletions content/docs/2.6/operate/cluster.md
Expand Up @@ -91,3 +91,38 @@ To modify this properties you can set environment variables on both KEDA Operato
| KEDA_SCALEDOBJECT_CTRL_MAX_RECONCILES | Operator | 5 | ScaledObjectReconciler |
| KEDA_SCALEDJOB_CTRL_MAX_RECONCILES | Operator | 1 | ScaledJobReconciler |
| KEDA_METRICS_CTRL_MAX_RECONCILES | Metrics Server | 1 | MetricsScaledObjectReconciler |

## Certificates used by KEDA Metrics Server

By default KEDA Metrics Server uses self signed certificates while communicating with Kubernetes API Server. It is recommended to provide own (trusted) certificates instead.

Certificates and CA bundle can be referenced in `args` section in KEDA Metrics Server Deployment:

```yaml
...
args:
- '--client-ca-file=/cabundle/service-ca.crt'
- '--tls-cert-file=/certs/tls.crt'
- '--tls-private-key-file=/certs/tls.key'
...
```

The custom CA bundle should be also referenced in the `v1beta1.external.metrics.k8s.io` [APIService](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/api-service-v1/#APIServiceSpec) resource (which is created during the installation of KEDA).

You should also make sure that `insecureSkipTLSVerify` is not set to `true`.

```yaml
...
spec:
service:
namespace: keda
name: keda-metrics-apiserver
port: 443
group: external.metrics.k8s.io
version: v1beta1
caBundle: >-
YOURCABUNDLE...
groupPriorityMinimum: 100
versionPriority: 100
...
```
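
Review bot: In the APIService example, the prose asks readers to make sure `insecureSkipTLSVerify` is not set to `true`, but the YAML that follows never shows the field, so readers cannot tell where it lives or what to look for in the installed resource. Suggest showing `insecureSkipTLSVerify: false` under `spec:` next to `caBundle`, or stating that the field should be removed once `caBundle` is set.
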
35 changes: 35 additions & 0 deletions content/docs/2.7/operate/cluster.md
Expand Up @@ -102,3 +102,38 @@ To modify this properties you can set environment variables on both KEDA Operato
| KEDA_SCALEDOBJECT_CTRL_MAX_RECONCILES | Operator | 5 | ScaledObjectReconciler |
| KEDA_SCALEDJOB_CTRL_MAX_RECONCILES | Operator | 1 | ScaledJobReconciler |
| KEDA_METRICS_CTRL_MAX_RECONCILES | Metrics Server | 1 | MetricsScaledObjectReconciler |

## Certificates used by KEDA Metrics Server

By default KEDA Metrics Server uses self signed certificates while communicating with Kubernetes API Server. It is recommended to provide own (trusted) certificates instead.

Certificates and CA bundle can be referenced in `args` section in KEDA Metrics Server Deployment:

```yaml
...
args:
- '--client-ca-file=/cabundle/service-ca.crt'
- '--tls-cert-file=/certs/tls.crt'
- '--tls-private-key-file=/certs/tls.key'
...
```

The custom CA bundle should be also referenced in the `v1beta1.external.metrics.k8s.io` [APIService](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/api-service-v1/#APIServiceSpec) resource (which is created during the installation of KEDA).

You should also make sure that `insecureSkipTLSVerify` is not set to `true`.

```yaml
...
spec:
service:
namespace: keda
name: keda-metrics-apiserver
port: 443
group: external.metrics.k8s.io
version: v1beta1
caBundle: >-
YOURCABUNDLE...
groupPriorityMinimum: 100
versionPriority: 100
...
```
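
Review bot: The `caBundle: >-` / `YOURCABUNDLE...` placeholder does not say what format the value takes. The APIService `caBundle` field holds a PEM CA bundle that is base64-encoded in the manifest; a sentence saying so before the example would keep readers from pasting raw PEM or a file path here.
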
35 changes: 35 additions & 0 deletions content/docs/2.8/operate/cluster.md
Expand Up @@ -120,3 +120,38 @@ To specify values other than their defaults, you can set the following environme
| KEDA_METRICS_LEADER_ELECTION_LEASE_DURATION | Metrics Server | LeaseDuration |
| KEDA_METRICS_LEADER_ELECTION_RENEW_DEADLINE | Metrics Server | RenewDeadline |
| KEDA_METRICS_LEADER_ELECTION_RETRY_PERIOD | Metrics Server | RetryPeriod |

## Certificates used by KEDA Metrics Server

By default KEDA Metrics Server uses self signed certificates while communicating with Kubernetes API Server. It is recommended to provide own (trusted) certificates instead.

Certificates and CA bundle can be referenced in `args` section in KEDA Metrics Server Deployment:

```yaml
...
args:
- '--client-ca-file=/cabundle/service-ca.crt'
- '--tls-cert-file=/certs/tls.crt'
- '--tls-private-key-file=/certs/tls.key'
...
```

The custom CA bundle should be also referenced in the `v1beta1.external.metrics.k8s.io` [APIService](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/api-service-v1/#APIServiceSpec) resource (which is created during the installation of KEDA).

You should also make sure that `insecureSkipTLSVerify` is not set to `true`.

```yaml
...
spec:
service:
namespace: keda
name: keda-metrics-apiserver
port: 443
group: external.metrics.k8s.io
version: v1beta1
caBundle: >-
YOURCABUNDLE...
groupPriorityMinimum: 100
versionPriority: 100
...
```
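
Review bot: The `args` example points at `/cabundle/service-ca.crt`, `/certs/tls.crt` and `/certs/tls.key`, but the section never says how those files get into the Metrics Server container. Suggest adding a sentence (or the matching `volumes` and `volumeMounts` lines) explaining that the certificate, key and CA bundle must be mounted at these paths, and that the paths shown are examples.
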
35 changes: 35 additions & 0 deletions content/docs/2.9/operate/cluster.md
Expand Up @@ -130,3 +130,38 @@ To specify values other than their defaults, you can set the following environme
| KEDA_METRICS_LEADER_ELECTION_LEASE_DURATION | Metrics Server | LeaseDuration |
| KEDA_METRICS_LEADER_ELECTION_RENEW_DEADLINE | Metrics Server | RenewDeadline |
| KEDA_METRICS_LEADER_ELECTION_RETRY_PERIOD | Metrics Server | RetryPeriod |

## Certificates used by KEDA Metrics Server

By default KEDA Metrics Server uses self signed certificates while communicating with Kubernetes API Server. It is recommended to provide own (trusted) certificates instead.

Certificates and CA bundle can be referenced in `args` section in KEDA Metrics Server Deployment:

```yaml
...
args:
- '--client-ca-file=/cabundle/service-ca.crt'
- '--tls-cert-file=/certs/tls.crt'
- '--tls-private-key-file=/certs/tls.key'
...
```

The custom CA bundle should be also referenced in the `v1beta1.external.metrics.k8s.io` [APIService](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/api-service-v1/#APIServiceSpec) resource (which is created during the installation of KEDA).

You should also make sure that `insecureSkipTLSVerify` is not set to `true`.

```yaml
...
spec:
service:
namespace: keda
name: keda-metrics-apiserver
port: 443
group: external.metrics.k8s.io
version: v1beta1
caBundle: >-
YOURCABUNDLE...
groupPriorityMinimum: 100
versionPriority: 100
...
```
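
Review bot: The sentence "The custom CA bundle should be also referenced in the `v1beta1.external.metrics.k8s.io` APIService" reads as if the file passed to `--client-ca-file` and the APIService `caBundle` are always the same bundle, yet they serve different checks: `--client-ca-file` is used to verify client certificates presented to the Metrics Server, while `caBundle` is what the API server uses to validate the serving certificate given in `--tls-cert-file`. Suggest stating that `caBundle` must contain the CA that signed `tls.crt`. Minor wording in the same paragraphs: "self-signed", "provide your own", "should also be referenced".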