-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow configuring min tls for grpc #6320
base: main
Are you sure you want to change the base?
Conversation
52b4a84
to
4e822dd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good in general
@@ -50,8 +53,12 @@ func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportC | |||
} | |||
|
|||
// Create the credentials and return it | |||
minTlsVersion, err := kedatls.GetMinGrpcTlsVersion() | |||
if err != nil { | |||
ctrl.Log.WithName("grpc_tls_setup").Info(err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should imho return err here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I followed the previous behavior that didn't fail the process for invalid value, but selected the default value + returned an error. I can change the function signature to not return an error and perform the logging in the function. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm, I am not sure if we shouldn't just fail here. I mean, the grpc connection wouldn't be functional -> KEDA wouldn't be fully functional either.
WDYT @kedacore/keda-maintainers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not functional? The error only means that it fell back to default value because the configuration value was wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
iiuc, if this returns error, KEDA will default back to TLS 1.3 as min for gRPC. So it might again cause difficulties with boring crypto?
I am also leaning towards failing here because that will tell the user their desired and configured min TLS version wasn't respected. They can then either fix the configuration or knowingly leave the default to KEDA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I'd make it fail here but I'll keep the same behavior for the HTTP client, because I don't want to introduce breaking change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is still pending, correct?
ae7defe
to
873f7f5
Compare
Signed-off-by: Or Shachar <[email protected]>
873f7f5
to
3e2e6fa
Compare
Supporting kedacore/keda#6320 Signed-off-by: Or Shachar <[email protected]>
Supporting kedacore/keda#6320 Signed-off-by: Or Shachar <[email protected]> Signed-off-by: Or Shachar <[email protected]>
/run-e2e internal |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@or-shachar we should also document this, this is existing docs for HTTP TLS settings: https://keda.sh/docs/2.16/operate/cluster/#http-tls-min-version
@@ -68,6 +68,7 @@ Here is an overview of all new **experimental** features: | |||
|
|||
### Improvements | |||
|
|||
- **General**: Allow configuring minimum TLS version for GRPC client via `KEDA_GRPC_MIN_TLS_VERSION` ([#6320](https://github.com/kedacore/keda/pull/6320)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please refer an issue here
This will allow configuring grpc min grpc version very similarly to how we allow configuring the HTTP version.
Checklist
Docs: kedacore/keda-docs#1497
Fixes #6270