File path
You can read authentication parameters from files mounted in the KEDA operator pod using the filePath option. This feature requires the KEDA operator to be configured with a root path for file access.
Security Constraints
The filePath feature has important security constraints:
- Requires root path configuration - The KEDA operator must be started with --filepath-auth-root-path to define the allowed directory
- Path validation - All file paths are validated to ensure they resolve within the configured root path, preventing access to sensitive system files like service account tokens
- Relative paths - The filePath in ClusterTriggerAuthentication is treated as a relative path under the configured root path
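The containment check that path validation implies, as an added Go example (not KEDA's own code; resolveUnderRoot and ErrOutsideRoot are hypothetical names, and the temp-directory layout in main is constructed). It resolves symlinks before comparing, so a link inside the root that points outside it is rejected too.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside the configured root")

// resolveUnderRoot (hypothetical helper, not KEDA's code) joins rel onto root,
// follows symlinks, and returns the real path only if it is still inside root.
func resolveUnderRoot(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrOutsideRoot
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Join cleans ".." lexically; EvalSymlinks then resolves links on disk, so
	// a symlink placed inside root that points elsewhere is caught as well.
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return "", err
	}
	// Compare path components, not string prefixes: "/creds-old" is not under
	// "/creds", and Kubernetes "..data"-style names are not parent references.
	r, err := filepath.Rel(realRoot, resolved)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func main() { // constructed demo: one credential inside root, one file outside
	tmp, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "root")
	os.MkdirAll(filepath.Join(root, "credentials"), 0o755)
	os.WriteFile(filepath.Join(root, "credentials", "api-key"), []byte("s3cr3t"), 0o600)
	os.WriteFile(filepath.Join(tmp, "token"), []byte("outside"), 0o600)
	for _, rel := range []string{"credentials/api-key", "../token"} {
		p, err := resolveUnderRoot(root, rel)
		fmt.Printf("%q -> %q, err=%v\n", rel, p, err)
	}
}
```

The check and any later read are separate steps, so it only holds if nothing untrusted can write to the mounted directory.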
Operator Configuration
The KEDA operator requires a command-line argument to enable file-based authentication:
--filepath-auth-root-path=/path/to/allowed/files
This path should point to a directory where credential files are mounted. The operator will only read files from within this directory.
Example
First, ensure the KEDA operator has the root path configured. Then create a ClusterTriggerAuthentication referencing files:
apiVersion: keda.sh/v1alpha1
kind: ClusterTriggerAuthentication
metadata:
  name: file-based-auth
spec:
  filePath:
    - parameter: apiKey # Required - Defined by the scale trigger
      path: credentials/api-key # Required - Path relative to filepath-auth-root-path
Assumptions:
- The path is relative to the --filepath-auth-root-path configured for the KEDA operator
- The credential file exists at {filepath-auth-root-path}/credentials/api-key
- The file contains the raw credential value (not JSON encoded)
- The file path should match the actual file name, including any extension if present (e.g., credentials/api-key.txt if the file is named api-key.txt)