Prepare v2.15 (#1442)

* Prepare v2.15 Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> * remove skipped links Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> * update ignores Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> * update ignores Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> * update ignores Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> --------- Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
kedacore · Aug 1, 2024 · f5d74de · f5d74de
1 parent ad9d2ff
commit f5d74de
Show file tree

Hide file tree

Showing 108 changed files with 15,558 additions and 15 deletions.
diff --git a/.htmltest.yml b/.htmltest.yml
@@ -4,5 +4,11 @@ CheckExternal: false
 IgnoreAltMissing: true
 IgnoreEmptyHref: true
 IgnoreInternalURLs:
-  - /docs/2.14/scalers/splunk/
-  - /docs/2.14/scalers/dynatrace/
+  # Temporal ignores
+
+  # Deprecated and removed resources
+  - /docs/2.15/authentication-providers/azure-ad-pod-identity/
+  - /docs/2.15/authentication-providers/aws-kiam/
+  # Renamed pages
+  - /docs/2.15/operate/events/
+  - /docs/2.15/faq/
diff --git a/config.toml b/config.toml
@@ -29,7 +29,7 @@ alpine_js_version = "2.2.1"
 favicon = "favicon.png"
 
 [params.versions]
-docs = ["2.14", "2.13", "2.12", "2.11", "2.10", "2.9", "2.8", "2.7", "2.6", "2.5", "2.4", "2.3", "2.2", "2.1", "2.0", "1.5", "1.4"]
+docs = ["2.15", "2.14", "2.13", "2.12", "2.11", "2.10", "2.9", "2.8", "2.7", "2.6", "2.5", "2.4", "2.3", "2.2", "2.1", "2.0", "1.5", "1.4"]
 
 # Site fonts. For more options see https://fonts.google.com.
 [[params.fonts]]

diff --git a/content/docs/2.14/deploy.md b/content/docs/2.14/deploy.md
@@ -90,21 +90,21 @@ If you want to try KEDA on [Minikube](https://minikube.sigs.k8s.io) or a differe
     - Use `keda-2.xx.x.yaml` that includes all features, including [admission webhooks](./concepts/admission-webhooks.md) (recommended)
     - Use `keda-2.xx.x-core.yaml` that installs the minimal required KEDA components, without admission webhooks
 
-Run the following command (if needed, replace the version, in this case `2.14.0`, with the one you are using):
+Run the following command (if needed, replace the version, in this case `2.14.1`, with the one you are using):
 
 ```sh
 # Including admission webhooks
-kubectl apply --server-side -f https://github.com/kedacore/keda/releases/download/v2.14.0/keda-2.14.0.yaml
+kubectl apply --server-side -f https://github.com/kedacore/keda/releases/download/v2.14.1/keda-2.14.1.yaml
 # Without admission webhooks
-kubectl apply --server-side -f https://github.com/kedacore/keda/releases/download/v2.14.0/keda-2.14.0-core.yaml
+kubectl apply --server-side -f https://github.com/kedacore/keda/releases/download/v2.14.1/keda-2.14.1-core.yaml
 ```
 
 - Alternatively you can download the file and deploy it from the local path:
 ```sh
 # Including admission webhooks
-kubectl apply --server-side -f keda-2.14.0.yaml
+kubectl apply --server-side -f keda-2.14.1.yaml
 # Without admission webhooks
-kubectl apply --server-side -f keda-2.14.0-core.yaml
+kubectl apply --server-side -f keda-2.14.1-core.yaml
 ```
 
 > 💡 **NOTE:** `--server-side` option is needed because the ScaledJob CRD is too long to process, see [this issue](https://github.com/kedacore/keda/issues/4740) for details.
@@ -114,33 +114,33 @@ kubectl apply --server-side -f keda-2.14.0-core.yaml
 ```sh
 git clone https://github.com/kedacore/keda && cd keda
 
-VERSION=2.14.0 make deploy
+VERSION=2.14.1 make deploy
 ```
 
 ### Uninstall
 
-- In case of installing from released YAML file just run the following command (if needed, replace the version, in this case `2.14.0`, with the one you are using):
+- In case of installing from released YAML file just run the following command (if needed, replace the version, in this case `2.14.1`, with the one you are using):
 
 ```sh
 # Including admission webhooks
-kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.14.0/keda-2.14.0.yaml
+kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.14.1/keda-2.14.1.yaml
 # Without admission webhooks
-kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.14.0/keda-2.14.0-core.yaml
+kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.14.1/keda-2.14.1-core.yaml
 ```
 
 - If you have downloaded the file locally, you can run:
 
 ```sh
 # Including admission webhooks
-kubectl delete -f keda-2.14.0.yaml
+kubectl delete -f keda-2.14.1.yaml
 # Without admission webhooks
-kubectl delete -f keda-2.14.0-core.yaml
+kubectl delete -f keda-2.14.1-core.yaml
 ```
 
 - You would need to run these commands from within the directory of the cloned [GitHub repo](https://github.com/kedacore/keda):
 
 ```sh
-VERSION=2.14.0 make undeploy
+VERSION=2.14.1 make undeploy
 ```
 
 ## Deploying KEDA on MicroK8s {#microk8s}

diff --git a/content/docs/2.16/_index.md b/content/docs/2.16/_index.md
@@ -0,0 +1,19 @@
++++
+title = "Getting Started"
+weight = 1
++++
+
+Welcome to the documentation for **KEDA**, the Kubernetes Event-driven Autoscaler. 
+
+Use the navigation bar on the left to learn more about KEDA's architecture  and how to deploy and use KEDA.
+
+## Where to go
+
+What is your involvement with KEDA?
+
+| Role                      | Documentation                                                                                                                                                |
+|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| User                      | This documentation is for users who want to deploy KEDA to scale Kubernetes.                                                                                 |
+| Core Contributor          | To contribute to the core KEDA project see the [KEDA GitHub repo](https://github.com/kedacore/keda).                                                         |
+| Documentation Contributor | To add or contribute to these docs, or to build and serve the documentation locally, see the [keda-docs GitHub repo](https://github.com/kedacore/keda-docs). |
+| Other Contributor         | See the [KEDA project on GitHub](https://github.com/kedacore/) for other KEDA repos, including project governance, testing, and external scalers.            |
diff --git a/content/docs/2.16/authentication-providers/_index.md b/content/docs/2.16/authentication-providers/_index.md
@@ -0,0 +1,8 @@
++++
+title = "Authentication Providers"
+weight = 5
++++
+
+Available authentication providers for KEDA:
+
+{{< authentication-providers >}}
diff --git a/content/docs/2.16/authentication-providers/aws-eks.md b/content/docs/2.16/authentication-providers/aws-eks.md
@@ -0,0 +1,14 @@
++++
+title = "AWS EKS Pod Identity Webhook"
++++
+
+[**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
+
+> ⚠️ **WARNING:** [`aws-eks` auth has been deprecated](https://github.com/kedacore/keda/discussions/5343) and support for it will be removed from KEDA on v3. We strongly encourage the migration to [`aws` auth](./aws.md).
+
+You can tell KEDA to use EKS Pod Identity Webhook via `podIdentity.provider`.
+
+```yaml
+podIdentity:
+  provider: aws-eks # Optional. Default: none
+```
diff --git a/content/docs/2.16/authentication-providers/aws-secret-manager.md b/content/docs/2.16/authentication-providers/aws-secret-manager.md
@@ -0,0 +1,40 @@
++++ 
+title = "AWS Secret Manager" 
++++
+
+You can integrate AWS Secret Manager secrets into your trigger by configuring the `awsSecretManager` key in your KEDA scaling specification.
+
+The `podIdentity` section configures the usage of AWS pod identity with the provider set to AWS.
+
+The `credentials` section specifies AWS credentials, including the `accessKey` and `secretAccessKey`.
+
+- **accessKey:** Configuration for the AWS access key.
+- **secretAccessKey:** Configuration for the AWS secret access key.
+
+The `region` parameter is optional and represents the AWS region where the secret resides, defaulting to the default region if not specified.
+
+The `secrets` list within `awsSecretManager` defines the mapping between the AWS Secret Manager secret and the authentication parameter used in your application, including the parameter name, AWS Secret Manager secret name, and an optional version parameter, defaulting to the latest version if unspecified.
+
+### Configuration
+
+```yaml
+awsSecretManager:
+  podIdentity:                                     # Optional.
+    provider: aws                                  # Required.
+  credentials:                                     # Optional.
+    accessKey:                                     # Required.
+      valueFrom:                                   # Required.
+        secretKeyRef:                              # Required.
+          name: {k8s-secret-with-aws-credentials}  # Required.
+          key: {key-in-k8s-secret}                    # Required.
+    accessSecretKey:                               # Required.
+      valueFrom:                                   # Required.
+        secretKeyRef:                              # Required.
+          name: {k8s-secret-with-aws-credentials}  # Required.
+          key: {key-in-k8s-secret}               # Required.
+  region: {aws-region}                             # Optional.
+  secrets:                                         # Required.
+  - parameter: {param-name-used-for-auth}          # Required.
+    name: {aws-secret-name}                        # Required.
+    version: {aws-secret-version}                  # Optional.
+```
diff --git a/content/docs/2.16/authentication-providers/aws.md b/content/docs/2.16/authentication-providers/aws.md
@@ -0,0 +1,140 @@
++++
+title = "AWS (IRSA) Pod Identity Webhook"
++++
+
+[**AWS IAM Roles for Service Accounts (IRSA) Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook) ([documentation](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)) allows you to provide the role name using an annotation on a service account associated with your pod.
+
+You can tell KEDA to use AWS Pod Identity Webhook via `podIdentity.provider`.
+
+```yaml
+podIdentity:
+  provider: aws
+  roleArn: <role-arn> # Optional. 
+  identityOwner: keda|workload # Optional. If not set, 'keda' is default value. Mutually exclusive with 'roleArn' (if set)
+```
+
+**Parameter list:**
+
+- `roleArn` - Role ARN to be used by KEDA. If not set the IAM role which the KEDA operator uses will be used. Mutually exclusive with `identityOwner: workload`
+- `identityOwner` - Owner of the identity to be used. (Values: `keda`, `workload`, Default: `keda`, Optional)
+
+> ⚠️ **NOTE:** `podIdentity.roleArn` and `podIdentity.identityOwner` are mutually exclusive, setting both is not supported.
+
+## How to use 
+
+AWS IRSA will give access to pods with service accounts having appropriate annotations. ([official docs](https://aws.amazon.com/es/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)) You can set these annotations on the KEDA Operator service account.
+
+This can be done for you during deployment with Helm with the following flags: 
+
+1. `--set podIdentity.aws.irsa.enabled=true`
+2. `--set podIdentity.aws.irsa.roleArn={aws-arn-role}`
+
+You can override the default KEDA operator IAM role by specifying an `roleArn` parameter under the `podIdentity` field. This allows end-users to use different roles to access various resources which allows for more granular access than having a single IAM role that has access to multiple resources.
+
+If you would like to use the same IAM credentials as your workload is currently using, `podIdentity.identityOwner` can be set with the value `workload` and KEDA will inspect the workload service account to check if IRSA annotation is there and KEDA will assume that role.
+
+## AssumeRole or AssumeRoleWithWebIdentity?
+
+This authentication automatically uses both, falling back from [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) to [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) if the first one fails. This extends the capabilities because KEDA doesn't need `sts:AssumeRole` permission if you are already working with [WebIdentities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html); in this case, you can add a KEDA service account to the trusted relations of the role.
+
+## Setting up KEDA role and policy
+
+The [official AWS docs](https://aws.amazon.com/es/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) explain how to set up a basic configuration for an IRSA role. The policy changes depending on if you are using the KEDA role (`podIdentity.roleArn` is not set) or workload role (`podIdentity.roleArn` sets a RoleArn or `podIdentity.identityOwner` sets to `workload`).
+
+### Using KEDA role to access infrastructure
+
+Attach the desired policies to KEDA's role, granting the access permissions that you want to provide. For example, this could be a policy to use with SQS:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "sqs:GetQueueAttributes",
+            "Resource": "arn:aws:sqs:*:YOUR_ACCOUNT:YOUR_QUEUE"
+        }
+    ]
+}
+```
+
+### Using KEDA role to assume workload role using AssumeRoleWithWebIdentity
+In this case, KEDA will use its own (k8s) service account to assume workload role (and to use workload's role attached policies). This scenario requires that KEDA service account is trusted for requesting the role using AssumeRoleWithWebIdentity.
+
+This is an example of how role policy could look like:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            ... YOUR WORKLOAD TRUSTED RELATION ...
+        },
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "YOUR_OIDC_ARN"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "YOUR_OIDC:sub": "system:serviceaccount:keda:keda-operator",
+                    "YOUR_OIDC:aud": "sts.amazonaws.com"
+                }
+            }
+        }
+    ]
+}
+```
+
+### Using KEDA role to assume workload role using AssumeRole
+
+In this case, KEDA will use its own role to assume the workload role (and to use workload's role attached policies). This scenario is a bit more complex because we need to establish a trusted relationship between both roles and we need to grant to KEDA's role the permission to assume other roles.
+
+This is an example of how KEDA's role policy could look like:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Resource": [
+        "arn:aws:iam::ACCOUNT_1:role/ROLE_NAME"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Resource": [
+        "arn:aws:iam::ACCOUNT_2:role/*"
+      ]
+    }
+  ]
+}
+```
+This can be extended so that KEDA can assume multiple workload roles, either as an explicit array of role ARNs, or with a wildcard.
+This policy attached to KEDA's role will allow KEDA to assume other roles, now you have to allow the workload roles you want to use all allow to being assumed by the KEDA operator role. To achieve this, you have to add a trusted relation to the workload role:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      // Your already existing relations
+      "Sid": "",
+      "Effect": "Allow",
+      // ...
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::ACCOUNT:role/KEDA_ROLE_NAME"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```