Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: allow configuring min tls for grpc #6320

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

or-shachar
Copy link
Contributor

@or-shachar or-shachar commented Nov 7, 2024

This will allow configuring grpc min grpc version very similarly to how we allow configuring the HTTP version.

Checklist

Docs: kedacore/keda-docs#1497

Fixes #6270

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general

@@ -50,8 +53,12 @@ func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportC
}

// Create the credentials and return it
minTlsVersion, err := kedatls.GetMinGrpcTlsVersion()
if err != nil {
ctrl.Log.WithName("grpc_tls_setup").Info(err.Error())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should imho return err here

Copy link
Contributor Author

@or-shachar or-shachar Nov 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I followed the previous behavior that didn't fail the process for invalid value, but selected the default value + returned an error. I can change the function signature to not return an error and perform the logging in the function. wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm, I am not sure if we shouldn't just fail here. I mean, the grpc connection wouldn't be functional -> KEDA wouldn't be fully functional either.

WDYT @kedacore/keda-maintainers

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not functional? The error only means that it fell back to default value because the configuration value was wrong.

Copy link
Member

@wozniakjan wozniakjan Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iiuc, if this returns error, KEDA will default back to TLS 1.3 as min for gRPC. So it might again cause difficulties with boring crypto?

I am also leaning towards failing here because that will tell the user their desired and configured min TLS version wasn't respected. They can then either fix the configuration or knowingly leave the default to KEDA.

Copy link
Contributor Author

@or-shachar or-shachar Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. I'd make it fail here but I'll keep the same behavior for the HTTP client, because I don't want to introduce breaking change.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is still pending, correct?

@or-shachar or-shachar force-pushed the ors/grpc-min-tls branch 2 times, most recently from ae7defe to 873f7f5 Compare November 7, 2024 23:16
Signed-off-by: Or Shachar <or.shachar@wiz.io>
or-shachar added a commit to or-shachar/keda-docs that referenced this pull request Nov 11, 2024
Supporting kedacore/keda#6320

Signed-off-by: Or Shachar <orchoock@gmail.com>
or-shachar added a commit to or-shachar/keda-docs that referenced this pull request Nov 11, 2024
Supporting kedacore/keda#6320

Signed-off-by: Or Shachar <orchoock@gmail.com>
Signed-off-by: Or Shachar <or.shachar@wiz.io>
@or-shachar or-shachar marked this pull request as ready for review November 11, 2024 20:34
@or-shachar or-shachar requested a review from a team as a code owner November 11, 2024 20:34
@zroubalik
Copy link
Member

zroubalik commented Nov 18, 2024

/run-e2e internal
Update: You can check the progress here

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@or-shachar we should also document this, this is existing docs for HTTP TLS settings: https://keda.sh/docs/2.16/operate/cluster/#http-tls-min-version

@@ -68,6 +68,7 @@ Here is an overview of all new **experimental** features:

### Improvements

- **General**: Allow configuring minimum TLS version for GRPC client via `KEDA_GRPC_MIN_TLS_VERSION` ([#6320](https://github.com/kedacore/keda/pull/6320))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refer an issue here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Cannot configure GRPC TLS minimum version
4 participants