Skip to content

feat(temporal): support scaling Temporal workers using Deployment Versions#7672

Merged
rickbrouwer merged 26 commits into
kedacore:mainfrom
veeral-patel:feat/temporal-deployment-versions-minimal
May 19, 2026
Merged

feat(temporal): support scaling Temporal workers using Deployment Versions#7672
rickbrouwer merged 26 commits into
kedacore:mainfrom
veeral-patel:feat/temporal-deployment-versions-minimal

Conversation

@veeral-patel

@veeral-patel veeral-patel commented Apr 20, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds support for scaling Temporal Workers that use Deployment Versions.

When the new workerDeploymentName and workerDeploymentBuildId fields are set, the scaler queries DescribeWorkerDeploymentVersion for the backlog of that specific deployment version, instead of the existing DescribeTaskQueueEnhanced path. This lets operators scale workers independently per deployment version.

New config fields

  • workerDeploymentName — the Worker Deployment name
  • workerDeploymentBuildId — the build ID within the deployment

Both must be set together. They are mutually exclusive with the deprecated build-id-based fields.

Deprecations

The following fields still work but log a warning recommending the new fields:

  • buildId
  • selectAllActive
  • selectUnversioned

Backward compatibility

  • Existing configs using buildId, selectAllActive, or selectUnversioned continue to work — they just log a deprecation warning on scaler init.
  • Unversioned configs (no versioning fields at all) work unchanged.

Test plan

  • Add unit tests for new fields and validation (pkg/scalers/temporal_scaler_test.go)
  • Add e2e test for deployment version path (tests/scalers/temporal/temporal_test.go). The test uses a custom minimal Go worker image (tests/scalers/temporal/worker/) since the existing temporaliotest/omes image does not support --deployment-name.

Docs

PR to update KEDA docs: kedacore/keda-docs#1740

@veeral-patel veeral-patel requested a review from a team as a code owner April 20, 2026 21:27
@github-actions

Copy link
Copy Markdown

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

  • Add an entry in our changelog in alphabetical order and link related issue
  • Update the documentation, if needed
  • Add unit & e2e tests for your changes
  • GitHub checks are passing
  • Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

@keda-automation keda-automation requested a review from a team April 20, 2026 21:27
@snyk-io

snyk-io Bot commented Apr 20, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

veeral-patel added a commit to veeral-patel/keda that referenced this pull request Apr 20, 2026
Three changes in response to @carlydf's review on kedacore#7672:

1. Use DescribeTaskQueue for the unversioned path instead of
   DescribeTaskQueueEnhanced. The latter is deprecated and, when no
   Versions selector is passed, returns the default Build ID's backlog
   rather than the unversioned queue's backlog. This silently caused
   unversioned scalers to scale on the wrong queue when the task queue
   was actually versioned.

2. Respect queueTypes in the deployment version path. Previously the
   scaler summed backlog across all task queue types in the deployment
   version, ignoring the queueTypes filter.

3. Respect taskQueue in the deployment version path. Previously
   taskQueue was required metadata but unused by the deployment path,
   which summed backlog across all task queues in the version.

Also adds a sumDeploymentBacklog pure function to make the filtering
logic unit-testable, with TestSumDeploymentBacklog covering all
filter combinations.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>
@veeral-patel veeral-patel reopened this Apr 20, 2026
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler.go
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread tests/scalers/temporal/temporal_test.go Outdated
Comment thread tests/scalers/temporal/temporal_test.go Outdated
Comment thread tests/scalers/temporal/temporal_test.go Outdated
Comment thread CHANGELOG.md Outdated
Comment thread pkg/scalers/temporal_scaler.go
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler_test.go
Comment thread tests/scalers/temporal/temporal_test.go
veeral-patel added a commit to veeral-patel/keda that referenced this pull request Apr 21, 2026
Three changes in response to @carlydf's review on kedacore#7672:

1. Use DescribeTaskQueue for the unversioned path instead of
   DescribeTaskQueueEnhanced. The latter is deprecated and, when no
   Versions selector is passed, returns the default Build ID's backlog
   rather than the unversioned queue's backlog. This silently caused
   unversioned scalers to scale on the wrong queue when the task queue
   was actually versioned.

2. Respect queueTypes in the deployment version path. Previously the
   scaler summed backlog across all task queue types in the deployment
   version, ignoring the queueTypes filter.

3. Respect taskQueue in the deployment version path. Previously
   taskQueue was required metadata but unused by the deployment path,
   which summed backlog across all task queues in the version.

Also adds a sumDeploymentBacklog pure function to make the filtering
logic unit-testable, with TestSumDeploymentBacklog covering all
filter combinations.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>
@veeral-patel veeral-patel force-pushed the feat/temporal-deployment-versions-minimal branch from 3c48df1 to 1032eb4 Compare April 21, 2026 01:54
Comment thread pkg/scalers/temporal_scaler.go
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler_test.go Outdated
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler.go Outdated
Comment thread pkg/scalers/temporal_scaler.go Outdated
@keda-automation keda-automation requested a review from a team April 21, 2026 18:31
@veeral-patel

Copy link
Copy Markdown
Contributor Author

@wozniakjan Ready for final review!

@rickbrouwer

rickbrouwer commented Apr 22, 2026

Copy link
Copy Markdown
Member

@veeral-patel

Can you run 'make generate-scalers-schema'?

@carlydf

carlydf commented Apr 22, 2026

Copy link
Copy Markdown

I just noticed that #7460 is close to merging, and adds a new feature which as written would not correctly count the number of running workflows on a certain version of the task queue.

We should either:

  • Make a note / warning that includeRunningWorkflowCount can't be combined with workerDeploymentName and workerDeploymentBuildId, or
  • When all are specified, add AND TemporalWorkerDeploymentVersion="<workerDeploymentName>:<workerDeploymentBuildId>" to the count workflow query used for includeRunningWorkflowCount

@veeral-patel

veeral-patel commented Apr 22, 2026

Copy link
Copy Markdown
Contributor Author

@rickbrouwer I've generated the schemas, thank you.

Could you go ahead and kick off the e2e tests if you don't mind? Don't think non-maintainers have permission.

@rickbrouwer

Copy link
Copy Markdown
Member

@veeral-patel

Could you take a look at @carlydf comment?

@veeral-patel

veeral-patel commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

@rickbrouwer Yes, saw it. Once this PR is merged, I'll add a comment to #7460 expanding on Carly's message, and work with the PR author as needed to get the changes incorporated in a way that's compatible with our changes in this PR.

I think it will be better if we merge this PR first as it's substantially larger (in LOC changed), and making more foundational (architectural) changes. Once merged it won't take long to incorporate the changes from #7460!

Could we go ahead and kick off the e2e tests? I can get all the checks passing.

@rickbrouwer

Copy link
Copy Markdown
Member

@rickbrouwer Yes, saw it. Once this PR is merged, I'll add a comment to #7460 expanding on Carly's message, and work with the PR author as needed to get the changes incorporated in a way that's compatible with our changes in this PR.

I think it will be better if we merge this PR first as it's substantially larger (in LOC changed), and making more foundational (architectural) changes. Once merged it won't take long to incorporate the changes from #7460!

Do you agree @carlydf ?

@rickbrouwer

rickbrouwer commented Apr 23, 2026

Copy link
Copy Markdown
Member

/run-e2e temporal
Update: You can check the progress here

@rickbrouwer

Copy link
Copy Markdown
Member

I'm starting the E2E already, but the DCO still needs to be fixed anyway.

@rickbrouwer

rickbrouwer commented Apr 30, 2026

Copy link
Copy Markdown
Member

/run-e2e temporal
Update: You can check the progress here

@rickbrouwer

rickbrouwer commented Apr 30, 2026

Copy link
Copy Markdown
Member

/run-e2e temporal
Update: You can check the progress here

@rickbrouwer rickbrouwer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Approved!

@rickbrouwer rickbrouwer added the Awaiting/2nd-approval This PR needs one more approval review label Apr 30, 2026
@veeral-patel

Copy link
Copy Markdown
Contributor Author

@rickbrouwer Anyone we can ping for a second review here?

@rickbrouwer

Copy link
Copy Markdown
Member

I have labeled the PR that a second approval is required. It is just a matter of patiently waiting for another Maintainer to have time to do the review. Rest assured, it is on the required list for the upcoming release, so I expect it will be included regardless.

@rickbrouwer

rickbrouwer commented May 3, 2026

Copy link
Copy Markdown
Member

/run-e2e temporal
Update: You can check the progress here

@keda-automation keda-automation requested a review from a team May 3, 2026 19:04
@rickbrouwer rickbrouwer enabled auto-merge (squash) May 3, 2026 19:07
@rickbrouwer

Copy link
Copy Markdown
Member

In accordance with policy, have already created a deprecation issue and discussion.

@rickbrouwer rickbrouwer added the required:keda-v2.20 This is absolutely mandatory to bring along label May 4, 2026
@rickbrouwer rickbrouwer requested a review from wozniakjan May 6, 2026 08:33
@wozniakjan

wozniakjan commented May 19, 2026

Copy link
Copy Markdown
Member

/run-e2e temporal
Update: You can check the progress here

@keda-automation keda-automation requested a review from a team May 19, 2026 15:39
@rickbrouwer rickbrouwer added ok-to-merge This PR can be merged and removed Awaiting/2nd-approval This PR needs one more approval review labels May 19, 2026
@rickbrouwer rickbrouwer merged commit 7bc70af into kedacore:main May 19, 2026
25 checks passed
nikoul pushed a commit to nikoul/temporal-worker-controller that referenced this pull request May 26, 2026
… ScaledObjects

Extend WorkerResourceTemplate auto-injection to populate workerDeploymentName
and workerDeploymentBuildId in KEDA ScaledObject triggers[*].metadata when
the trigger type is "temporal". Unblocks using KEDA's Temporal scaler
(kedacore/keda#7672) as the templated resource for per-version backlog
scaling.

Injection is opt-in: keys are only touched when already present in the
template's metadata map, mirroring the existing metrics matchLabels merge
pattern. Non-temporal triggers in the same ScaledObject are left untouched.

Refs temporalio#286.
nikoul added a commit to nikoul/temporal-worker-controller that referenced this pull request May 26, 2026
… ScaledObjects

Extend WorkerResourceTemplate auto-injection to populate workerDeploymentName
and workerDeploymentBuildId in KEDA ScaledObject triggers[*].metadata when
the trigger type is "temporal". Unblocks using KEDA's Temporal scaler
(kedacore/keda#7672) as the templated resource for per-version backlog
scaling.

Injection is opt-in: keys are only touched when already present in the
template's metadata map, mirroring the existing metrics matchLabels merge
pattern. Non-temporal triggers in the same ScaledObject are left untouched.

Refs temporalio#286.
nikoul added a commit to nikoul/temporal-worker-controller that referenced this pull request May 26, 2026
… ScaledObjects

Extend WorkerResourceTemplate auto-injection to populate workerDeploymentName
and workerDeploymentBuildId in KEDA ScaledObject triggers[*].metadata when
the trigger type is "temporal". Unblocks using KEDA's Temporal scaler
(kedacore/keda#7672) as the templated resource for per-version backlog
scaling.

Injection is opt-in: keys are only touched when already present in the
template's metadata map, mirroring the existing metrics matchLabels merge
pattern. Non-temporal triggers in the same ScaledObject are left untouched.

Refs temporalio#286.
rickbrouwer added a commit to kedacore/keda-docs that referenced this pull request May 27, 2026
* docs(temporal): document workerDeploymentName and workerDeploymentBuildId

Add documentation for the new Worker Deployment Versioning support
in the Temporal scaler: two new fields (workerDeploymentName and
workerDeploymentBuildId), deprecation notes on the legacy Rules-Based
Versioning fields (buildId, selectAllActive, selectUnversioned), and
an example configuration for deployment-version scaling.

Companion to kedacore/keda#7672.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>

* Apply suggestions from code review

Co-authored-by: Carly de Frondeville <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>

* Apply suggestion from @carlydf

Co-authored-by: Carly de Frondeville <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>

* Update content/docs/2.20/scalers/temporal.md

Signed-off-by: Rick Brouwer <[email protected]>

---------

Signed-off-by: Veeral Patel <[email protected]>
Signed-off-by: Veeral Patel <[email protected]>
Signed-off-by: Rick Brouwer <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: Carly de Frondeville <[email protected]>
Co-authored-by: Rick Brouwer <[email protected]>
nikoul added a commit to nikoul/temporal-worker-controller that referenced this pull request May 28, 2026
… ScaledObjects

Extend WorkerResourceTemplate auto-injection to populate workerDeploymentName
and workerDeploymentBuildId in KEDA ScaledObject triggers[*].metadata when
the trigger type is "temporal". Unblocks using KEDA's Temporal scaler
(kedacore/keda#7672) as the templated resource for per-version backlog
scaling.

Injection is opt-in: keys are only touched when already present in the
template's metadata map, mirroring the existing metrics matchLabels merge
pattern. Non-temporal triggers in the same ScaledObject are left untouched.

Refs temporalio#286.
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 1, 2026
…eda (2.19.0 ➔ 2.20.0) (#779)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/home-operations/charts-mirror/keda](https://github.com/kedacore/keda) | minor | `2.19.0` → `2.20.0` |

---

### Release Notes

<details>
<summary>kedacore/keda (ghcr.io/home-operations/charts-mirror/keda)</summary>

### [`v2.20.0`](https://github.com/kedacore/keda/blob/HEAD/CHANGELOG.md#v2200)

[Compare Source](kedacore/keda@v2.19.0...v2.20.0)

##### New

- **General**: Add `scalingModifiers` fallback behavior ([#&#8203;7366](kedacore/keda#7366))
- **General**: Introduce Elastic Forecast Scaler ([#&#8203;7494](kedacore/keda#7494))
- **General**: Introduce new OpenSearch Scaler ([#&#8203;7456](kedacore/keda#7456))

##### Improvements

- **General**: Add cooldownPeriod and pollingInterval checks for ScaledObject ([#&#8203;7271](kedacore/keda#7271))
- **General**: Add CRD-level validation markers (Minimum, MinLength, MinItems, Enum) for ScaledObject, ScaledJob, ScaleTriggers, and TriggerAuthentication API types ([#&#8203;7533](kedacore/keda#7533))
- **General**: Add `--leader-election-id` flag to allow configuring the leader election Lease name ([#&#8203;7564](kedacore/keda#7564))
- **General**: Add scaler HTTP request metrics (`keda_scaler_http_requests_total`, `keda_scaler_http_request_duration_seconds`) for outbound HTTP requests made during scaler metric collection ([#&#8203;6600](kedacore/keda#6600))
- **General**: Allow more control of TLS versions & ciphers via `KEDA_HTTP_TLS_CIPHER_LIST`, `KEDA_SERVICE_TLS_CIPHER_LIST` and `KEDA_SERVICE_MIN_TLS_VERSION` env vars ([#&#8203;7617](kedacore/keda#7617))
- **General**: Cap each scalers-cache reader at a per-reader budget derived from `globalHTTPTimeout` so `ScalersCache.Close` cannot block indefinitely ([#&#8203;7574](kedacore/keda#7574))
- **General**: Make APIService cert injections optional ([#&#8203;7559](kedacore/keda#7559))
- **General**: Remove unconditional `json.MarshalIndent` calls from admission webhook validation hot paths; replace spec-comparison `MarshalIndent`-and-string-compare in `isRemovingFinalizer` variants with `reflect.DeepEqual`. Prevents webhook OOM under sustained admission load at large scale (observed at \~60k ScaledObjects) ([#&#8203;7670](kedacore/keda#7670))
- **AWS Scalers**: Add support for AWS External ID in TriggerAuthentication podIdentity for all AWS scalers (SQS, Kinesis, DynamoDB, CloudWatch, etc.) to enable cross-account access scenarios ([#&#8203;6921](kedacore/keda#6921))
- **Elasticsearch Scaler**: Add HTTP status check for Elasticsearch errors ([#&#8203;7480](kedacore/keda#7480))
- **Github Runner Scaler**: Handle rate limit errors by respecting X-RateLimit-Reset and Retry-After headers and returning cached queue length ([#&#8203;7683](kedacore/keda#7683))
- **Kubernetes Workload Scaler**: Add `groupByNode` parameter ([#&#8203;7628](kedacore/keda#7628))
- **Metrics API Scaler**: Add custom HTTP client timeout ([#&#8203;7549](kedacore/keda#7549))
- **MSSQL Scaler**: Add Azure Workload Identity support for Azure SQL authentication ([#&#8203;6104](kedacore/keda#6104))
- **Prometheus Scaler**: Emit metric tracking empty responses from Prometheus ([#&#8203;7062](kedacore/keda#7062))
- **RabbitMQ Scaler**: Add support for OAuth2 authentication for RabbitMQ over HTTP ([#&#8203;7379](kedacore/keda#7379))
- **Temporal Scaler**: Add support for scaling based on Worker Deployment Version backlog via new `workerDeploymentName` and `workerDeploymentBuildId` fields. Deprecate `buildId`, `selectAllActive`, and `selectUnversioned` because those parameters are used for Rules-Based Worker Versioning, which was a short-lived experimental feature that has been deprecated in the Temporal server since December 2024 and will stop being supported soon. Users of Rules-Based Worker Versioning should use Worker Deployments instead. ([#&#8203;7672](kedacore/keda#7672))

##### Fixes

- **General**: Check updated status for Fallback condition instead of ScaledObject ([#&#8203;7488](kedacore/keda#7488))
- **General**: Fail fast in `GetMetrics` when the gRPC connection is in Shutdown state instead of waiting for context timeout ([#&#8203;7251](kedacore/keda#7251))
- **General**: Fix int64 overflow in milli-quantity conversion for very large metric values ([#&#8203;7441](kedacore/keda#7441))
- **General**: Fix `keda_scaler_active` not being emitted for CPU and memory triggers ([#&#8203;4945](kedacore/keda#4945))
- **General**: Fix misleading namespace in error log when secret access is restricted ([#&#8203;7739](kedacore/keda#7739))
- **General**: Fix race in scalers cache rebuild that caused transient scaler errors ([#&#8203;7574](kedacore/keda#7574))
- **General**: Fix ScaledJob emitting wrong CloudEvent type (`ScaledObjectReadyType` instead of `ScaledJobReadyType`) when transitioning to ready state ([#&#8203;7792](kedacore/keda#7792))
- **General**: Fix ScaledObject admission webhook to return validation error from `verifyReplicaCount`, preventing invalid ScaledObjects from being created ([#&#8203;5954](kedacore/keda#5954))
- **General**: Fix ScaledObject Ready condition not reflecting HPA status ([#&#8203;7649](kedacore/keda#7649))
- **General**: Handle paused scaling directly in reconciler ([#&#8203;7663](kedacore/keda#7663))
- **General**: Honor `stderrthreshold` when `logtostderr` is enabled by updating klog to v2.140.0 ([#&#8203;7568](kedacore/keda#7568))
- **General**: Limit projected service account token reads during Vault authentication ([#&#8203;7783](kedacore/keda#7783))
- **General**: Reject ScaledObject creation and update when the name exceeds 63 characters ([#&#8203;6998](kedacore/keda#6998))
- **AWS Scalers**: Fix TCP connection leak by closing HTTP idle connections on scaler `Close()` for SQS, Kinesis, DynamoDB, DynamoDB Streams, and CloudWatch scalers ([#&#8203;7756](kedacore/keda#7756))
- **Azure Data Explorer Scaler**: Remove clientSecretFromEnv support ([#&#8203;7554](kedacore/keda#7554))
- **Azure Event Hub Scaler**: Reject non-positive `unprocessedEventThreshold` to prevent integer division by zero when computing lag ([#&#8203;7732](kedacore/keda#7732))
- **Azure Pipelines Scaler**: Exclude already-assigned jobs from queue length ([#&#8203;7747](kedacore/keda#7747))
- **Cron Scaler**: Fix metric name generation so cron expressions with comma-separated values no longer produce invalid metric names ([#&#8203;7448](kedacore/keda#7448))
- **External Scaler**: gRPC Pool uses TLS context in the key ([#&#8203;7687](kedacore/keda#7687))
- **Forgejo Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Forgejo Scaler**: Return correct activity to enable scale-to-zero ([#&#8203;7527](kedacore/keda#7527))
- **GCP Cloud Tasks Scaler**: Implement escapeFilterValue for metric filtering ([#&#8203;7482](kedacore/keda#7482))
- **GCP Scaler**: Validate Pub/Sub resource name in BuildMQLQuery ([#&#8203;7468](kedacore/keda#7468))
- **GCP Storage Scaler**: Metadata is not printed in the log ([#&#8203;7688](kedacore/keda#7688))
- **Github Runner Scaler**: Bound etag and per-repo caches to prevent unbounded memory growth when `enableEtags` is on ([#&#8203;7685](kedacore/keda#7685))
- **Github Runner Scaler**: Improve URL construction and error handling ([#&#8203;7495](kedacore/keda#7495))
- **Github Runner Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **InfluxDB Scaler**: Make `authToken` optional to support unauthenticated InfluxDB instances ([#&#8203;7616](kedacore/keda#7616))
- **Loki Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Loki Scaler**: `serverAddress` now appends `/loki/api/v1/query` to the end of existing path instead of overriding ([#&#8203;7648](kedacore/keda#7648))
- **Metrics API Scaler**: Fix `aggregateFromKubeServiceEndpoints` using empty label selector that matched all EndpointSlices in the namespace instead of only the target service's ([#&#8203;7641](kedacore/keda#7641))
- **Metrics API Scaler**: Fix division by zero in average aggregation when all kube service endpoints fail ([#&#8203;7742](kedacore/keda#7742))
- **Metrics API Scaler**: Prevent response value reflection in scaler errors ([#&#8203;7693](kedacore/keda#7693))
- **NATS JetStream Scaler**: Return an error from `getMaxMsgLag` when the configured consumer is missing instead of falling back to the stream's last sequence, preventing incorrect scale-up to `maxReplicaCount` ([#&#8203;7657](kedacore/keda#7657))
- **NATS JetStream Scaler**: URL-encode user input in monitoring URL construction ([#&#8203;7483](kedacore/keda#7483))
- **PostgreSQL Scaler**: Quote whitespace-containing connection parameters in generated connection strings ([#&#8203;7784](kedacore/keda#7784))
- **PredictKube Scaler**: Bump `dysnix/predictkube-libs` to `v0.1.0` (drops the predictkube path to the archived/EOL `go-grpc-prometheus` and to the deprecated `golang/protobuf`) and use a portable Prometheus-API instant query for the health check so the scaler works against VictoriaMetrics, Thanos and other Prometheus-API-compatible backends ([#&#8203;7745](kedacore/keda#7745))
- **Prometheus Scaler**: Handle NaN results in the same manner as Inf ([#&#8203;7475](kedacore/keda#7475))
- **Prometheus Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Pulsar Scaler**: Drop bearer/basic auth headers on redirects to a different host or on https->http downgrades to prevent credential leakage ([#&#8203;7686](kedacore/keda#7686))
- **RabbitMQ Scaler**: Fix AMQP connection leak by recovering channels on the existing connection and closing connections properly ([#&#8203;6266](kedacore/keda#6266))
- **RabbitMQ Scaler**: Use SASL EXTERNAL for RabbitMQ AMQP TLS without credentials ([#&#8203;6840](kedacore/keda#6840))
- **Redis Scaler**: Use literal command names in Lua script to fix compatibility with Alibaba Cloud Redis Cluster ([#&#8203;7758](kedacore/keda#7758))
- **Solace Scaler**: Fix URL escaping for Message VPN and Queue names ([#&#8203;7481](kedacore/keda#7481))
- **Solr Scaler**: Use net/url to safely encode query parameters ([#&#8203;7467](kedacore/keda#7467))
- **Splunk Observability Scaler**: Add MTS stream handling with context timeout ([#&#8203;7799](kedacore/keda#7799))

##### Deprecations

You can find all deprecations in [this overview](https://github.com/kedacore/keda/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Abreaking-change) and [join the discussion here](https://github.com/kedacore/keda/discussions/categories/deprecations).

##### Breaking Changes

- **GCP PubSub Scaler**: The `subscriptionSize` setting is DEPRECATED and is removed in v2.20 - Use `mode` and `value` instead ([#&#8203;7720](kedacore/keda#7720))
- **Huawei Cloudeye Scaler**: The `minMetricValue` setting is DEPRECATED and is removed - Use `activationTargetMetricValue` instead ([#&#8203;7436](kedacore/keda#7436))
- **IBM MQ Scaler**: The `tls` setting code is removed ([#&#8203;6094](kedacore/keda#6094))
- **InfluxDB Scaler**: The `authToken` setting from `triggerMetadata` is DEPRECATED and is removed in v2.20 - Use `authToken` from `resolvedEnv` or `authParams` instead ([#&#8203;7722](kedacore/keda#7722))

##### Other

- **General**: Migrate event recording RBAC from core `events` to `events.k8s.io` ([#&#8203;7781](kedacore/keda#7781))
- **General**: Migrate metrics service gRPC response away from Kubernetes API protobuf types for Kubernetes 0.35 ([#&#8203;7781](kedacore/keda#7781))
- **General**: Remove dead code from authentication package and drop unused `authModes` field from ArangoDB, Loki, Prometheus and PredictKube scalers ([#&#8203;7726](kedacore/keda#7726))
- **General**: Use informer cache for ReplicaSet lookups in GetCurrentReplicas to reduce API server load ([#&#8203;7466](kedacore/keda#7466))
- **External Scaler**: Fix race condition in `TestWaitForState` causing flaky test under `-race` detector ([#&#8203;7542](kedacore/keda#7542))
- **GCP Scaler**: Replace `credentialsFromJSON` with `credentialsFromJSONWithType` ([#&#8203;7523](kedacore/keda#7523))
- **Kafka Scaler**: Refactor Kafka Scaler ([#&#8203;7528](kedacore/keda#7528))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL21pbm9yIl19-->

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/779
Sammyrules7 pushed a commit to Sammyrules7/Servers that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [authentik](https://goauthentik.io) ([source](https://github.com/goauthentik/helm)) | minor | `2026.2.x` → `2026.5.x` |
| [fluxcd/flux2](https://github.com/fluxcd/flux2) | patch | `v2.8.5` → `v2.8.8` |
| [ghcr.io/fluxcd/helm-controller](https://github.com/fluxcd/helm-controller) | patch | `v1.5.3` → `v1.5.5` |
| [ghcr.io/fluxcd/kustomize-controller](https://github.com/fluxcd/kustomize-controller) | patch | `v1.8.3` → `v1.8.5` |
| [ghcr.io/fluxcd/notification-controller](https://github.com/fluxcd/notification-controller) | patch | `v1.8.3` → `v1.8.4` |
| [ghcr.io/fluxcd/source-controller](https://github.com/fluxcd/source-controller) | patch | `v1.8.2` → `v1.8.5` |
| [keda](https://github.com/kedacore/keda) | minor | `2.19.0` → `2.20.0` |
| [renovate/renovate](https://renovatebot.com) ([source](https://github.com/renovatebot/renovate)) | patch | [`43.209.1` → `43.209.2`](https://octochangelog.com/compare?repo=renovatebot%2Frenovate&from=43.209.1&to=43.209.2) |
| [victoria-metrics-k8s-stack](https://github.com/VictoriaMetrics/helm-charts) | minor | `0.76.x` → `0.81.x` |

---

### Release Notes

<details>
<summary>goauthentik/helm (authentik)</summary>

### [`v2026.5.2`](https://github.com/goauthentik/helm/releases/tag/authentik-2026.5.2)

[Compare Source](goauthentik/helm@authentik-2026.5.0...authentik-2026.5.2)

authentik is an open-source Identity Provider focused on flexibility and versatility

#### What's Changed

- charts/authentik: bump to 2026.5.2 by [@&#8203;authentik-automation](https://github.com/authentik-automation)\[bot] in [#&#8203;476](goauthentik/helm#476)

**Full Changelog**: <goauthentik/helm@authentik-2026.5.0...authentik-2026.5.2>

### [`v2026.5.0`](https://github.com/goauthentik/helm/releases/tag/authentik-2026.5.0)

[Compare Source](goauthentik/helm@authentik-2026.2.3...authentik-2026.5.0)

authentik is an open-source Identity Provider focused on flexibility and versatility

See <https://docs.goauthentik.io/releases/2026.5/>

#### What's Changed

- charts/authentik: bump postgresql subchart from 16.7.27 to 18.6.5 by [@&#8203;renovate](https://github.com/renovate)\[bot] in [#&#8203;410](goauthentik/helm#410)
- charts/authentik: remove hardcoded AUTHENTIK\_LISTEN variables by [@&#8203;rissson](https://github.com/rissson) in [#&#8203;468](goauthentik/helm#468)
- charts/authentik: update docker.io/library/postgres Docker tag to v17.10 by [@&#8203;renovate](https://github.com/renovate)\[bot] in [#&#8203;470](goauthentik/helm#470)
- charts/authentik: bump postgresql subchart to v18.6.7 by [@&#8203;renovate](https://github.com/renovate)\[bot] in [#&#8203;469](goauthentik/helm#469)
- charts/authentik: bump to 2026.5.0 by [@&#8203;authentik-automation](https://github.com/authentik-automation)\[bot] in [#&#8203;471](goauthentik/helm#471)

**Full Changelog**: <goauthentik/helm@authentik-2026.2.3...authentik-2026.5.0>

</details>

<details>
<summary>fluxcd/flux2 (fluxcd/flux2)</summary>

### [`v2.8.8`](https://github.com/fluxcd/flux2/releases/tag/v2.8.8)

[Compare Source](fluxcd/flux2@v2.8.7...v2.8.8)

#### Highlights

Flux v2.8.8 is a patch release that includes CVE fixes via go-git v5.19.1 (source-controller, image-automation-controller), reliability fixes in helm-controller and source-controller, the move of Helm back to upstream v4.2.0, support for GCP sovereign cloud artifact registries, and dependency updates. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the [Upgrade Procedure for Flux v2.7+](fluxcd/flux2#5572) for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

- Add a configurable HTTP timeout for artifact fetching, preventing fetches that could block indefinitely and stall reconciliations (helm-controller)
- Fix unbounded memory growth caused by a Kubernetes client transport retry wrapper accumulating on every reconcile (helm-controller)
- Stop force-applying non-CRD objects placed under a chart's `crds/` directory (helm-controller)
- Fix the Helm test action failing to find releases with names longer than 53 characters (helm-controller)
- Improve path handling in the source reconcilers (source-controller)
- Support Helm semver build-metadata encoding in OCIRepository tags (source-controller)

Improvements:

- Update go-git to v5.19.1 which fixes [CVE-2026-45571](GHSA-crhj-59gh-8x96) and [CVE-2026-45570](GHSA-m7cr-m3pv-hgrp) (source-controller, image-automation-controller)
- Move Helm back to upstream v4.2.0 (source-controller, helm-controller)
- Add support for GCP sovereign cloud artifact registries (source-controller, image-reflector-controller)
- Upgrade Kubernetes to 1.36.1 (source-controller, helm-controller)
- Update fluxcd/pkg dependencies

#### Components changelog

- helm-controller [v1.5.5](https://github.com/fluxcd/helm-controller/blob/v1.5.5/CHANGELOG.md)
- image-automation-controller [v1.1.4](https://github.com/fluxcd/image-automation-controller/blob/v1.1.4/CHANGELOG.md)
- image-reflector-controller [v1.1.2](https://github.com/fluxcd/image-reflector-controller/blob/v1.1.2/CHANGELOG.md)
- source-controller [v1.8.5](https://github.com/fluxcd/source-controller/blob/v1.8.5/CHANGELOG.md)

#### CLI changelog

- Update toolkit components by [@&#8203;fluxcdbot](https://github.com/fluxcdbot) in [#&#8203;5904](fluxcd/flux2#5904)

**Full Changelog**: <fluxcd/flux2@v2.8.7...v2.8.8>

### [`v2.8.7`](https://github.com/fluxcd/flux2/releases/tag/v2.8.7)

[Compare Source](fluxcd/flux2@v2.8.6...v2.8.7)

#### Highlights

Flux v2.8.7 is a patch release that includes a bug fix in kustomize-controller, a CVE fix in source-controller and image-automation-controller via go-git v5.19.0, and dependency updates. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the [Upgrade Procedure for Flux v2.7+](fluxcd/flux2#5572) for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

- Fix management of objects annotated with `kustomize.toolkit.fluxcd.io/ssa: IfNotPresent` where non-namespaced resources were being deleted and recreated on each reconciliation (kustomize-controller)

Improvements:

- Update go-git to v5.19.0 which fixes [CVE-2026-45022](GHSA-389r-gv7p-r3rp) (source-controller, image-automation-controller)
- Update fluxcd/pkg dependencies (source-controller, kustomize-controller, image-automation-controller)

#### Components changelog

- helm-controller [v1.5.4](https://github.com/fluxcd/helm-controller/blob/v1.5.4/CHANGELOG.md)
- image-automation-controller [v1.1.3](https://github.com/fluxcd/image-automation-controller/blob/v1.1.3/CHANGELOG.md)
- kustomize-controller [v1.8.5](https://github.com/fluxcd/kustomize-controller/blob/v1.8.5/CHANGELOG.md)
- notification-controller [v1.8.4](https://github.com/fluxcd/notification-controller/blob/v1.8.4/CHANGELOG.md)
- source-controller [v1.8.4](https://github.com/fluxcd/source-controller/blob/v1.8.4/CHANGELOG.md)

#### CLI changelog

- Update toolkit components by [@&#8203;fluxcdbot](https://github.com/fluxcdbot) in [#&#8203;5891](fluxcd/flux2#5891)

**Full Changelog**: <fluxcd/flux2@v2.8.6...v2.8.7>

### [`v2.8.6`](https://github.com/fluxcd/flux2/releases/tag/v2.8.6)

[Compare Source](fluxcd/flux2@v2.8.5...v2.8.6)

#### Highlights

Flux v2.8.6 is a patch release that includes bug fixes and improvements across helm-controller, image-automation-controller, kustomize-controller, notification-controller, and source-controller. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the [Upgrade Procedure for Flux v2.7+](fluxcd/flux2#5572) for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

- Fix a post-renderer conflict between overlapping hooks and templates (helm-controller)
- Ignore force replace when server-side apply is enabled (helm-controller)
- Fix a regression where generic providers would not forward commit status events (notification-controller)
- Require the `audience` field on the GCR Receiver secret for tighter verification — will become mandatory in Flux v2.9 (notification-controller)

Improvements:

- Introduce the `MigrateAPIVersion` feature gate for migrating the API version of resources in managed field entries (kustomize-controller)
- Update go-git to v5.18.0 bringing performance improvements for Git operations (source-controller, image-automation-controller)

#### Components changelog

- helm-controller [v1.5.4](https://github.com/fluxcd/helm-controller/blob/v1.5.4/CHANGELOG.md)
- image-automation-controller [v1.1.2](https://github.com/fluxcd/image-automation-controller/blob/v1.1.2/CHANGELOG.md)
- kustomize-controller [v1.8.4](https://github.com/fluxcd/kustomize-controller/blob/v1.8.4/CHANGELOG.md)
- notification-controller [v1.8.4](https://github.com/fluxcd/notification-controller/blob/v1.8.4/CHANGELOG.md)
- source-controller [v1.8.3](https://github.com/fluxcd/source-controller/blob/v1.8.3/CHANGELOG.md)

#### CLI changelog

- Update toolkit components by [@&#8203;fluxcdbot](https://github.com/fluxcdbot) in [#&#8203;5857](fluxcd/flux2#5857)

**Full Changelog**: <fluxcd/flux2@v2.8.5...v2.8.6>

</details>

<details>
<summary>fluxcd/helm-controller (ghcr.io/fluxcd/helm-controller)</summary>

### [`v1.5.5`](https://github.com/fluxcd/helm-controller/releases/tag/v1.5.5)

[Compare Source](fluxcd/helm-controller@v1.5.4...v1.5.5)

#### Changelog

[v1.5.5 changelog](https://github.com/fluxcd/helm-controller/blob/v1.5.5/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/helm-controller:v1.5.5`
- `ghcr.io/fluxcd/helm-controller:v1.5.5`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

### [`v1.5.4`](https://github.com/fluxcd/helm-controller/releases/tag/v1.5.4)

[Compare Source](fluxcd/helm-controller@v1.5.3...v1.5.4)

#### Changelog

[v1.5.4 changelog](https://github.com/fluxcd/helm-controller/blob/v1.5.4/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/helm-controller:v1.5.4`
- `ghcr.io/fluxcd/helm-controller:v1.5.4`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

</details>

<details>
<summary>fluxcd/kustomize-controller (ghcr.io/fluxcd/kustomize-controller)</summary>

### [`v1.8.5`](https://github.com/fluxcd/kustomize-controller/releases/tag/v1.8.5)

[Compare Source](fluxcd/kustomize-controller@v1.8.4...v1.8.5)

#### Changelog

[v1.8.5 changelog](https://github.com/fluxcd/kustomize-controller/blob/v1.8.5/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/kustomize-controller:v1.8.5`
- `ghcr.io/fluxcd/kustomize-controller:v1.8.5`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

### [`v1.8.4`](https://github.com/fluxcd/kustomize-controller/releases/tag/v1.8.4)

[Compare Source](fluxcd/kustomize-controller@v1.8.3...v1.8.4)

#### Changelog

[v1.8.4 changelog](https://github.com/fluxcd/kustomize-controller/blob/v1.8.4/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/kustomize-controller:v1.8.4`
- `ghcr.io/fluxcd/kustomize-controller:v1.8.4`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

</details>

<details>
<summary>fluxcd/notification-controller (ghcr.io/fluxcd/notification-controller)</summary>

### [`v1.8.4`](https://github.com/fluxcd/notification-controller/releases/tag/v1.8.4)

[Compare Source](fluxcd/notification-controller@v1.8.3...v1.8.4)

#### Changelog

[v1.8.4 changelog](https://github.com/fluxcd/notification-controller/blob/v1.8.4/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/notification-controller:v1.8.4`
- `ghcr.io/fluxcd/notification-controller:v1.8.4`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

</details>

<details>
<summary>fluxcd/source-controller (ghcr.io/fluxcd/source-controller)</summary>

### [`v1.8.5`](https://github.com/fluxcd/source-controller/releases/tag/v1.8.5)

[Compare Source](fluxcd/source-controller@v1.8.4...v1.8.5)

#### Changelog

[v1.8.5 changelog](https://github.com/fluxcd/source-controller/blob/v1.8.5/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/source-controller:v1.8.5`
- `ghcr.io/fluxcd/source-controller:v1.8.5`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

### [`v1.8.4`](https://github.com/fluxcd/source-controller/releases/tag/v1.8.4)

[Compare Source](fluxcd/source-controller@v1.8.3...v1.8.4)

#### Changelog

[v1.8.4 changelog](https://github.com/fluxcd/source-controller/blob/v1.8.4/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/source-controller:v1.8.4`
- `ghcr.io/fluxcd/source-controller:v1.8.4`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

### [`v1.8.3`](https://github.com/fluxcd/source-controller/releases/tag/v1.8.3)

[Compare Source](fluxcd/source-controller@v1.8.2...v1.8.3)

#### Changelog

[v1.8.3 changelog](https://github.com/fluxcd/source-controller/blob/v1.8.3/CHANGELOG.md)

#### Container images

- `docker.io/fluxcd/source-controller:v1.8.3`
- `ghcr.io/fluxcd/source-controller:v1.8.3`

Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

</details>

<details>
<summary>kedacore/keda (keda)</summary>

### [`v2.20.0`](https://github.com/kedacore/keda/blob/HEAD/CHANGELOG.md#v2200)

[Compare Source](kedacore/keda@v2.19.0...v2.20.0)

##### New

- **General**: Add `scalingModifiers` fallback behavior ([#&#8203;7366](kedacore/keda#7366))
- **General**: Introduce Elastic Forecast Scaler ([#&#8203;7494](kedacore/keda#7494))
- **General**: Introduce new OpenSearch Scaler ([#&#8203;7456](kedacore/keda#7456))

##### Improvements

- **General**: Add cooldownPeriod and pollingInterval checks for ScaledObject ([#&#8203;7271](kedacore/keda#7271))
- **General**: Add CRD-level validation markers (Minimum, MinLength, MinItems, Enum) for ScaledObject, ScaledJob, ScaleTriggers, and TriggerAuthentication API types ([#&#8203;7533](kedacore/keda#7533))
- **General**: Add `--leader-election-id` flag to allow configuring the leader election Lease name ([#&#8203;7564](kedacore/keda#7564))
- **General**: Add scaler HTTP request metrics (`keda_scaler_http_requests_total`, `keda_scaler_http_request_duration_seconds`) for outbound HTTP requests made during scaler metric collection ([#&#8203;6600](kedacore/keda#6600))
- **General**: Allow more control of TLS versions & ciphers via `KEDA_HTTP_TLS_CIPHER_LIST`, `KEDA_SERVICE_TLS_CIPHER_LIST` and `KEDA_SERVICE_MIN_TLS_VERSION` env vars ([#&#8203;7617](kedacore/keda#7617))
- **General**: Cap each scalers-cache reader at a per-reader budget derived from `globalHTTPTimeout` so `ScalersCache.Close` cannot block indefinitely ([#&#8203;7574](kedacore/keda#7574))
- **General**: Make APIService cert injections optional ([#&#8203;7559](kedacore/keda#7559))
- **General**: Remove unconditional `json.MarshalIndent` calls from admission webhook validation hot paths; replace spec-comparison `MarshalIndent`-and-string-compare in `isRemovingFinalizer` variants with `reflect.DeepEqual`. Prevents webhook OOM under sustained admission load at large scale (observed at \~60k ScaledObjects) ([#&#8203;7670](kedacore/keda#7670))
- **AWS Scalers**: Add support for AWS External ID in TriggerAuthentication podIdentity for all AWS scalers (SQS, Kinesis, DynamoDB, CloudWatch, etc.) to enable cross-account access scenarios ([#&#8203;6921](kedacore/keda#6921))
- **Elasticsearch Scaler**: Add HTTP status check for Elasticsearch errors ([#&#8203;7480](kedacore/keda#7480))
- **Github Runner Scaler**: Handle rate limit errors by respecting X-RateLimit-Reset and Retry-After headers and returning cached queue length ([#&#8203;7683](kedacore/keda#7683))
- **Kubernetes Workload Scaler**: Add `groupByNode` parameter ([#&#8203;7628](kedacore/keda#7628))
- **Metrics API Scaler**: Add custom HTTP client timeout ([#&#8203;7549](kedacore/keda#7549))
- **MSSQL Scaler**: Add Azure Workload Identity support for Azure SQL authentication ([#&#8203;6104](kedacore/keda#6104))
- **Prometheus Scaler**: Emit metric tracking empty responses from Prometheus ([#&#8203;7062](kedacore/keda#7062))
- **RabbitMQ Scaler**: Add support for OAuth2 authentication for RabbitMQ over HTTP ([#&#8203;7379](kedacore/keda#7379))
- **Temporal Scaler**: Add support for scaling based on Worker Deployment Version backlog via new `workerDeploymentName` and `workerDeploymentBuildId` fields. Deprecate `buildId`, `selectAllActive`, and `selectUnversioned` because those parameters are used for Rules-Based Worker Versioning, which was a short-lived experimental feature that has been deprecated in the Temporal server since December 2024 and will stop being supported soon. Users of Rules-Based Worker Versioning should use Worker Deployments instead. ([#&#8203;7672](kedacore/keda#7672))

##### Fixes

- **General**: Check updated status for Fallback condition instead of ScaledObject ([#&#8203;7488](kedacore/keda#7488))
- **General**: Fail fast in `GetMetrics` when the gRPC connection is in Shutdown state instead of waiting for context timeout ([#&#8203;7251](kedacore/keda#7251))
- **General**: Fix int64 overflow in milli-quantity conversion for very large metric values ([#&#8203;7441](kedacore/keda#7441))
- **General**: Fix `keda_scaler_active` not being emitted for CPU and memory triggers ([#&#8203;4945](kedacore/keda#4945))
- **General**: Fix misleading namespace in error log when secret access is restricted ([#&#8203;7739](kedacore/keda#7739))
- **General**: Fix race in scalers cache rebuild that caused transient scaler errors ([#&#8203;7574](kedacore/keda#7574))
- **General**: Fix ScaledJob emitting wrong CloudEvent type (`ScaledObjectReadyType` instead of `ScaledJobReadyType`) when transitioning to ready state ([#&#8203;7792](kedacore/keda#7792))
- **General**: Fix ScaledObject admission webhook to return validation error from `verifyReplicaCount`, preventing invalid ScaledObjects from being created ([#&#8203;5954](kedacore/keda#5954))
- **General**: Fix ScaledObject Ready condition not reflecting HPA status ([#&#8203;7649](kedacore/keda#7649))
- **General**: Handle paused scaling directly in reconciler ([#&#8203;7663](kedacore/keda#7663))
- **General**: Honor `stderrthreshold` when `logtostderr` is enabled by updating klog to v2.140.0 ([#&#8203;7568](kedacore/keda#7568))
- **General**: Limit projected service account token reads during Vault authentication ([#&#8203;7783](kedacore/keda#7783))
- **General**: Reject ScaledObject creation and update when the name exceeds 63 characters ([#&#8203;6998](kedacore/keda#6998))
- **AWS Scalers**: Fix TCP connection leak by closing HTTP idle connections on scaler `Close()` for SQS, Kinesis, DynamoDB, DynamoDB Streams, and CloudWatch scalers ([#&#8203;7756](kedacore/keda#7756))
- **Azure Data Explorer Scaler**: Remove clientSecretFromEnv support ([#&#8203;7554](kedacore/keda#7554))
- **Azure Event Hub Scaler**: Reject non-positive `unprocessedEventThreshold` to prevent integer division by zero when computing lag ([#&#8203;7732](kedacore/keda#7732))
- **Azure Pipelines Scaler**: Exclude already-assigned jobs from queue length ([#&#8203;7747](kedacore/keda#7747))
- **Cron Scaler**: Fix metric name generation so cron expressions with comma-separated values no longer produce invalid metric names ([#&#8203;7448](kedacore/keda#7448))
- **External Scaler**: gRPC Pool uses TLS context in the key ([#&#8203;7687](kedacore/keda#7687))
- **Forgejo Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Forgejo Scaler**: Return correct activity to enable scale-to-zero ([#&#8203;7527](kedacore/keda#7527))
- **GCP Cloud Tasks Scaler**: Implement escapeFilterValue for metric filtering ([#&#8203;7482](kedacore/keda#7482))
- **GCP Scaler**: Validate Pub/Sub resource name in BuildMQLQuery ([#&#8203;7468](kedacore/keda#7468))
- **GCP Storage Scaler**: Metadata is not printed in the log ([#&#8203;7688](kedacore/keda#7688))
- **Github Runner Scaler**: Bound etag and per-repo caches to prevent unbounded memory growth when `enableEtags` is on ([#&#8203;7685](kedacore/keda#7685))
- **Github Runner Scaler**: Improve URL construction and error handling ([#&#8203;7495](kedacore/keda#7495))
- **Github Runner Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **InfluxDB Scaler**: Make `authToken` optional to support unauthenticated InfluxDB instances ([#&#8203;7616](kedacore/keda#7616))
- **Loki Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Loki Scaler**: `serverAddress` now appends `/loki/api/v1/query` to the end of existing path instead of overriding ([#&#8203;7648](kedacore/keda#7648))
- **Metrics API Scaler**: Fix `aggregateFromKubeServiceEndpoints` using empty label selector that matched all EndpointSlices in the namespace instead of only the target service's ([#&#8203;7641](kedacore/keda#7641))
- **Metrics API Scaler**: Fix division by zero in average aggregation when all kube service endpoints fail ([#&#8203;7742](kedacore/keda#7742))
- **Metrics API Scaler**: Prevent response value reflection in scaler errors ([#&#8203;7693](kedacore/keda#7693))
- **NATS JetStream Scaler**: Return an error from `getMaxMsgLag` when the configured consumer is missing instead of falling back to the stream's last sequence, preventing incorrect scale-up to `maxReplicaCount` ([#&#8203;7657](kedacore/keda#7657))
- **NATS JetStream Scaler**: URL-encode user input in monitoring URL construction ([#&#8203;7483](kedacore/keda#7483))
- **PostgreSQL Scaler**: Quote whitespace-containing connection parameters in generated connection strings ([#&#8203;7784](kedacore/keda#7784))
- **PredictKube Scaler**: Bump `dysnix/predictkube-libs` to `v0.1.0` (drops the predictkube path to the archived/EOL `go-grpc-prometheus` and to the deprecated `golang/protobuf`) and use a portable Prometheus-API instant query for the health check so the scaler works against VictoriaMetrics, Thanos and other Prometheus-API-compatible backends ([#&#8203;7745](kedacore/keda#7745))
- **Prometheus Scaler**: Handle NaN results in the same manner as Inf ([#&#8203;7475](kedacore/keda#7475))
- **Prometheus Scaler**: Limit HTTP error response logging ([#&#8203;7469](kedacore/keda#7469))
- **Pulsar Scaler**: Drop bearer/basic auth headers on redirects to a different host or on https->http downgrades to prevent credential leakage ([#&#8203;7686](kedacore/keda#7686))
- **RabbitMQ Scaler**: Fix AMQP connection leak by recovering channels on the existing connection and closing connections properly ([#&#8203;6266](kedacore/keda#6266))
- **RabbitMQ Scaler**: Use SASL EXTERNAL for RabbitMQ AMQP TLS without credentials ([#&#8203;6840](kedacore/keda#6840))
- **Redis Scaler**: Use literal command names in Lua script to fix compatibility with Alibaba Cloud Redis Cluster ([#&#8203;7758](kedacore/keda#7758))
- **Solace Scaler**: Fix URL escaping for Message VPN and Queue names ([#&#8203;7481](kedacore/keda#7481))
- **Solr Scaler**: Use net/url to safely encode query parameters ([#&#8203;7467](kedacore/keda#7467))
- **Splunk Observability Scaler**: Add MTS stream handling with context timeout ([#&#8203;7799](kedacore/keda#7799))

##### Deprecations

You can find all deprecations in [this overview](https://github.com/kedacore/keda/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Abreaking-change) and [join the discussion here](https://github.com/kedacore/keda/discussions/categories/deprecations).

##### Breaking Changes

- **GCP PubSub Scaler**: The `subscriptionSize` setting is DEPRECATED and is removed in v2.20 - Use `mode` and `value` instead ([#&#8203;7720](kedacore/keda#7720))
- **Huawei Cloudeye Scaler**: The `minMetricValue` setting is DEPRECATED and is removed - Use `activationTargetMetricValue` instead ([#&#8203;7436](kedacore/keda#7436))
- **IBM MQ Scaler**: The `tls` setting code is removed ([#&#8203;6094](kedacore/keda#6094))
- **InfluxDB Scaler**: The `authToken` setting from `triggerMetadata` is DEPRECATED and is removed in v2.20 - Use `authToken` from `resolvedEnv` or `authParams` instead ([#&#8203;7722](kedacore/keda#7722))

##### Other

- **General**: Migrate event recording RBAC from core `events` to `events.k8s.io` ([#&#8203;7781](kedacore/keda#7781))
- **General**: Migrate metrics service gRPC response away from Kubernetes API protobuf types for Kubernetes 0.35 ([#&#8203;7781](kedacore/keda#7781))
- **General**: Remove dead code from authentication package and drop unused `authModes` field from ArangoDB, Loki, Prometheus and PredictKube scalers ([#&#8203;7726](kedacore/keda#7726))
- **General**: Use informer cache for ReplicaSet lookups in GetCurrentReplicas to reduce API server load ([#&#8203;7466](kedacore/keda#7466))
- **External Scaler**: Fix race condition in `TestWaitForState` causing flaky test under `-race` detector ([#&#8203;7542](kedacore/keda#7542))
- **GCP Scaler**: Replace `credentialsFromJSON` with `credentialsFromJSONWithType` ([#&#8203;7523](kedacore/keda#7523))
- **Kafka Scaler**: Refactor Kafka Scaler ([#&#8203;7528](kedacore/keda#7528))

</details>

<details>
<summary>renovatebot/renovate (renovate/renovate)</summary>

### [`v43.209.2`](https://github.com/renovatebot/renovate/releases/tag/43.209.2)

[Compare Source](renovatebot/renovate@43.209.1...43.209.2)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.55.6 (main) ([#&#8203;43751](renovatebot/renovate#43751)) ([160e9f9](renovatebot/renovate@160e9f9))

</details>

<details>
<summary>VictoriaMetrics/helm-charts (victoria-metrics-k8s-stack)</summary>

### [`v0.81.0`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.81.0)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.80.0...victoria-metrics-k8s-stack-0.81.0)

### Release notes for version 0.81.0

**Release date:** 28 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.144.0](https://img.shields.io/badge/v1.144.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11440)

**Update note 1**: `defaultRules.create` is renamed to `defaultRules.enabled`; per-group `create` is renamed to `enabled`. Old `create` key is still respected as a fallback if `enabled` is not set.

**Update note 2**: `defaultRules.additionalGroupByLabels` is renamed to `defaultRules.extraGroupByLabels`. Old `additionalGroupByLabels` is still respected as a fallback if `extraGroupByLabels` is not set.

- rename `defaultRules.create` and per-group `create` to `enabled`, with fallback to `create` for backward compatibility.
- add per-group extraGroupByLabels, that replace defaultRules.extraGroupByLabels (if absent defaults to defaultRules.additionalGroupByLabels). See [#&#8203;2832](VictoriaMetrics/helm-charts#2832).

### [`v0.80.0`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.80.0)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.79.1...victoria-metrics-k8s-stack-0.80.0)

### Release notes for version 0.80.0

**Release date:** 25 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.144.0](https://img.shields.io/badge/v1.144.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11440)

- bump version of VM components to [v1.144.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.144.0)

### [`v0.79.1`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.79.1)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.79.0...victoria-metrics-k8s-stack-0.79.1)

### Release notes for version 0.79.1

**Release date:** 20 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.143.0](https://img.shields.io/badge/v1.143.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11430)

- support Grafana HTTPRoute when resolving grafanaAddr
- bump operator dependency chart to version 0.63.1

### [`v0.79.0`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.79.0)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.78.0...victoria-metrics-k8s-stack-0.79.0)

### Release notes for version 0.79.0

**Release date:** 18 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.143.0](https://img.shields.io/badge/v1.143.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11430)

- bump victoria-metrics-operator dependency chart to version 0.63.0
- bump grafana dependency chart to version 12.3.3
- bump node-exporter dependency chart to version 4.55.0

### [`v0.78.0`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.78.0)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.77.0...victoria-metrics-k8s-stack-0.78.0)

### Release notes for version 0.78.0

**Release date:** 11 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.143.0](https://img.shields.io/badge/v1.143.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11430)

- bump version of VM components to [v1.143.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.143.0)
- fix Alertmanager templates path to match VM Operator mount. See [#&#8203;2883](VictoriaMetrics/helm-charts#2883).

### [`v0.77.0`](https://github.com/VictoriaMetrics/helm-charts/releases/tag/victoria-metrics-k8s-stack-0.77.0)

[Compare Source](VictoriaMetrics/helm-charts@victoria-metrics-k8s-stack-0.76.0...victoria-metrics-k8s-stack-0.77.0)

### Release notes for version 0.77.0

**Release date:** 03 May 2026

![Helm: v3](https://img.shields.io/badge/Helm-v3.14%2B-informational?color=informational\&logo=helm\&link=https%3A%2F%2Fgithub.com%2Fhelm%2Fhelm%2Freleases%2Ftag%2Fv3.14.0) ![AppVersion: v1.142.0](https://img.shields.io/badge/v1.142.0-success?logo=VictoriaMetrics\&labelColor=gray\&link=https%3A%2F%2Fdocs.victoriametrics.com%2Fvictoriametrics%2Fchangelog%2F%23v11420)

- set default securityContext for Alertmanager, when persistence is enabled to prevent from permissions issues. See [#&#8203;2846](VictoriaMetrics/helm-charts#2846).
- default operator `admissionWebhooks.policy` to `Ignore` so the stack can be installed and upgraded in a single pass without races against the operator's webhook server. Override to `Fail` for strict validation. See [#&#8203;2874](VictoriaMetrics/helm-charts#2874).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: https://forgejo.maio-tech.com/Sammy/Servers/pulls/2
jaypipes added a commit to temporalio/temporal-worker-controller that referenced this pull request Jun 12, 2026
… ScaledObjects (#351)

## Summary

Extends `WorkerResourceTemplate` auto-injection to populate the
`workerDeploymentName` and `workerDeploymentBuildId` fields in KEDA
`ScaledObject` `triggers[*].metadata` when the trigger `type` is
`"temporal"`. This unblocks using KEDA's Temporal scaler
([kedacore/keda#7672](kedacore/keda#7672)) as
the templated resource for per-version backlog scaling, as requested in
#286.

Closes (or contributes towards) #286.

## Motivation

For users who already run KEDA cluster-wide for non-Temporal workloads,
KEDA owns the `external.metrics.k8s.io` APIService — only one external
metrics provider can be installed per cluster. That makes the documented
WRT-HPA + prometheus-adapter path unavailable: prometheus-adapter cannot
co-exist with KEDA on the same APIService.

KEDA's recent Worker Deployment Versioning support (kedacore/keda#7672)
makes it possible for a KEDA `ScaledObject` to scale a single worker
version by querying Temporal Cloud directly with `workerDeploymentName`
+ `workerDeploymentBuildId`. WRT already supports templating arbitrary
kinds (verified: `spec.template` is unstructured, SSA-applied, with a
kind allow-list in the chart) and `scaleTargetRef: {}` auto-fill works
recursively. The only missing piece was injecting the per-version
identifiers into the KEDA trigger metadata — same source values the
controller already injects into HPA External metric selectors, different
JSON path.

## Behaviour

For each templated resource that contains:

```yaml
spec:
  triggers:
    - type: temporal
      metadata:
        workerDeploymentName: ""        # placeholder, any string value
        workerDeploymentBuildId: ""     # placeholder, any string value
        # ...other user-provided KEDA Temporal scaler metadata
```

the controller sets:

- `workerDeploymentName` ← `wrt.Spec.EffectiveWorkerDeploymentName()`
- `workerDeploymentBuildId` ← the per-version build ID

Injection is **opt-in**: the keys are only touched if already present in
the template's `metadata` map (mirroring the existing
`metrics[*].external.metric.selector.matchLabels` merge pattern).
Non-`temporal` triggers in the same `ScaledObject` are left untouched.

## Example

```yaml
apiVersion: temporal.io/v1alpha1
kind: WorkerResourceTemplate
metadata:
  name: my-worker-scaler
  namespace: default
spec:
  workerDeploymentRef:
    name: my-worker
  template:
    apiVersion: keda.sh/v1alpha1
    kind: ScaledObject
    spec:
      scaleTargetRef: {}                     # auto-injected (versioned Deployment)
      minReplicaCount: 1
      maxReplicaCount: 10
      pollingInterval: 30
      triggers:
        - type: temporal
          metadata:
            endpoint: us-east-1.aws.api.temporal.io:7233
            namespace: my-temporal-ns
            taskQueue: my-task-queue
            workerDeploymentName: ""         # auto-injected
            workerDeploymentBuildId: ""      # auto-injected
            targetQueueSize: "10"
          authenticationRef:
            kind: ClusterTriggerAuthentication
            name: temporal-cloud-auth
```

The controller will stamp one `ScaledObject` per active worker version,
each with the correct `workerDeploymentBuildId`, and delete them on
sunset via the existing `DeleteWorkerResources` planner (kind-agnostic).

## Implementation

- `appendTemporalTriggerMetadata(spec, twdName, buildID)` — new helper
that walks `spec.triggers[*]`, filters on `type == "temporal"`, and sets
the two keys if already present.
- `autoInjectFields` signature now takes `twdName, buildID` so it can
pass them through. Behaviour for HPA / matchLabels / scaleTargetRef is
unchanged.

Helm-side: adding `ScaledObject` to
`workerResourceTemplate.allowedResources` + the controller's
`ClusterRole` is left as a follow-up (or a separate commit in this PR if
maintainers prefer). For users who want this today, they can add the
entry to their chart values without further controller changes.

## Tests

New `TestAutoInjectFields_TemporalTriggerMetadata` covers:

- injects when both keys present (empty string placeholders)
- overwrites stale values
- no-op when keys absent (opt-in semantics)
- non-`temporal` triggers are untouched (heterogeneous trigger array)
- `scaleTargetRef: {}` auto-fill still works on `ScaledObject`
- no panic when `spec.triggers` is absent

All existing tests still pass (`go test ./...`).

---------

Co-authored-by: Carly de Frondeville <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
Co-authored-by: Jay Pipes <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-merge This PR can be merged required:keda-v2.20 This is absolutely mandatory to bring along

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants