From a7fd8484f257e5282b11e1d85537acfa158de4df Mon Sep 17 00:00:00 2001
From: Or Shachar
Date: Mon, 11 Nov 2024 13:33:05 -0500
Subject: [PATCH] feat: allow configuring min tls for grpc

Signed-off-by: Or Shachar
---
 keda/README.md | 1 +
 keda/templates/manager/deployment.yaml | 2 ++
 keda/templates/metrics-server/deployment.yaml | 2 ++
 keda/values.yaml | 4 ++++
 4 files changed, 9 insertions(+)

diff --git a/keda/README.md b/keda/README.md
index 2cd68fd1..0e2b37b9 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -90,6 +90,7 @@ their default values.
 | `http.minTlsVersion` | string | `"TLS12"` | The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) |
 | `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) |
 | `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components |
+| `grpc.minTlsVersion` | string | `"TLS13"` | The minimum TLS version to use for all GRPC clients/servers |
 | `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images |
 | `networkPolicy.cilium` | object | `{"operator":{"extraEgressRules":[]}}` | Allow use of extra egress rules for cilium network policies |
 | `networkPolicy.enabled` | bool | `false` | Enable network policies |
diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml
index 91821bb2..e9bef481 100644
--- a/keda/templates/manager/deployment.yaml
+++ b/keda/templates/manager/deployment.yaml
@@ -156,6 +156,8 @@ spec: value: {{ .Values.http.timeout | quote }} - name: KEDA_HTTP_MIN_TLS_VERSION value: {{ .Values.http.minTlsVersion }} + - name: KEDA_GRPC_MIN_TLS_VERSION + value: {{ .Values.grpc.minTlsVersion }} {{- if ( not .Values.http.keepAlive.enabled ) }} - name: KEDA_HTTP_DISABLE_KEEP_ALIVE value: "true" diff --git a/keda/templates/metrics-server/deployment.yaml b/keda/templates/metrics-server/deployment.yaml index 23a4ecd0..e6fcd3ab 100644 --- a/keda/templates/metrics-server/deployment.yaml +++ b/keda/templates/metrics-server/deployment.yaml @@ -105,6 +105,8 @@ spec: value: {{ .Values.http.timeout | quote }} - name: KEDA_HTTP_MIN_TLS_VERSION value: {{ .Values.http.minTlsVersion }} + - name: KEDA_GRPC_MIN_TLS_VERSION + value: {{ .Values.grpc.minTlsVersion }} {{- if ( not .Values.http.keepAlive.enabled ) }} - name: KEDA_HTTP_DISABLE_KEEP_ALIVE value: "true" diff --git a/keda/values.yaml b/keda/values.yaml index 8a15740b..70d8fea2 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -544,6 +544,10 @@ http: # -- The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) minTlsVersion: TLS12 +grpc: + # -- The minimum TLS version to use for GRPC clients / servers + minTlsVersion: TLS13 + ## This setting lets you enable profiling for all of the components of KEDA and in the specific port you choose ## This can be useful when trying to investigate errors like memory leaks or CPU or even look at goroutines to understand better ## This setting is disabled by default
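Review bot: The added `KEDA_GRPC_MIN_TLS_VERSION` entry in keda/templates/manager/deployment.yaml renders its value unquoted, whereas `http.timeout` a few lines above goes through `quote`. An override that is empty, or that YAML types as something other than a string, would render a null or non-string `env` value. How KEDA treats a missing or malformed value is not visible here, so the effective TLS floor could end up different from what the cluster operator intended. I would change the line to `value: {{ .Values.grpc.minTlsVersion | quote }}`; the identical line added in keda/templates/metrics-server/deployment.yaml needs the same change. The `env` list starts and ends outside both hunks.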
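Review bot: The comment on the new `grpc.minTlsVersion` key in keda/values.yaml does not say which values are accepted, nor that its default (`TLS13`) is stricter than the `http.minTlsVersion` default (`TLS12`) directly above it. Someone aligning the two settings could lower the gRPC floor without realising it is a downgrade. Nothing in this patch validates the value, so a typo reaches the container unchanged. I would extend the comment to `# -- The minimum TLS version to use for gRPC clients / servers (same format as http.minTlsVersion, e.g. TLS12 or TLS13). Defaults to TLS13; a lower value permits older protocol versions on every gRPC connection.` The README row added in this commit should carry the same wording.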