Cannot configure GRPC TLS minimum version #6270

Closed
or-shachar opened this issue Oct 24, 2024 · 6 comments · May be fixed by #6320
Labels
bug Something isn't working stale All issues that are marked as stale due to inactivity

Comments

@or-shachar (Contributor)

or-shachar commented Oct 24, 2024

Report

  • We always use TLS 1.3 as the minimum TLS version for the gRPC client.
  • When compiling in FIPS mode (BoringCrypto with a limited set of approved TLS versions) and Go 1.23, this causes a runtime issue: no supported versions satisfy MinVersion and MaxVersion

For the HTTP client we allow setting the min TLS version with KEDA_HTTP_MIN_TLS_VERSION. Not sure why we don't allow configuring the value for the gRPC client as well.

Expected Behavior

  • It would be nice if we could control the min TLS version for the gRPC client.
  • Not sure whether through the same env variable (KEDA_HTTP_MIN_TLS_VERSION) or by introducing a different one.

Actual Behavior

For the gRPC client, the min TLS version is hardcoded to 1.3.

Steps to Reproduce the Problem

If you want to see the FIPS issue:

  1. Compile with Go 1.23.2 with GOEXPERIMENT=boringcrypto
  2. Run the services in the cluster
  3. You'll see this in the metrics adapter:

     W1024 18:24:27.886000       1 logging.go:55] [core] [Channel #1 SubChannel #53]grpc: addrConn.createTransport failed to connect to {Addr: "172.20.74.146:9666", ServerName: "keda-operator.keda.svc.cluster.local:9666", }. Err: connection error: desc = "transport: authentication handshake failed: tls: no supported versions satisfy MinVersion and MaxVersion"

KEDA Version

2.15.0

Kubernetes Version

1.30

Platform

Any

Scaler Details

No response

Anything else?

In the Go main branch they approved TLS 1.3 for FIPS, but in 1.23.2 it's still not there.
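The failure described in this report comes from a tls.Config whose MinVersion (hardcoded TLS 1.3) is above the highest version the FIPS build will negotiate. The following is an added example, not KEDA's own code, of how an env-driven minimum for the gRPC client could be parsed and validated before the dial. The variable name KEDA_GRPC_MIN_TLS_VERSION is an assumption (the issue leaves the name open), and the TLS 1.2 cap passed in main stands in for the BoringCrypto build's restriction so the mismatch is caught at startup instead of surfacing as the handshake error quoted above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// grpcMinTLSEnv is a hypothetical variable name; the issue only names
// KEDA_HTTP_MIN_TLS_VERSION for the HTTP client and leaves the gRPC one open.
const grpcMinTLSEnv = "KEDA_GRPC_MIN_TLS_VERSION"

// tlsVersions maps accepted string values to crypto/tls version constants.
var tlsVersions = map[string]uint16{
	"TLS10": tls.VersionTLS10,
	"TLS11": tls.VersionTLS11,
	"TLS12": tls.VersionTLS12,
	"TLS13": tls.VersionTLS13,
}

// ParseMinTLSVersion converts a value such as "TLS12" into a crypto/tls version.
// An empty value yields the fallback (TLS 1.3, matching today's hardcoded default);
// an unknown value is an error rather than a silent downgrade.
func ParseMinTLSVersion(value string, fallback uint16) (uint16, error) {
	v := strings.ToUpper(strings.TrimSpace(value))
	if v == "" {
		return fallback, nil
	}
	if ver, ok := tlsVersions[v]; ok {
		return ver, nil
	}
	return 0, fmt.Errorf("unsupported TLS version %q (expected TLS10, TLS11, TLS12 or TLS13)", value)
}

// ClientTLSConfig builds the tls.Config a gRPC client would hand to
// credentials.NewTLS. A MinVersion above MaxVersion is rejected here, which is
// the condition behind the "no supported versions satisfy MinVersion and
// MaxVersion" handshake error.
func ClientTLSConfig(minVersion, maxVersion uint16) (*tls.Config, error) {
	if maxVersion != 0 && minVersion > maxVersion {
		return nil, fmt.Errorf("no supported versions satisfy MinVersion 0x%04x and MaxVersion 0x%04x", minVersion, maxVersion)
	}
	return &tls.Config{MinVersion: minVersion, MaxVersion: maxVersion}, nil
}

// MinTLSVersionFromEnv reads the hypothetical variable, defaulting to TLS 1.3.
func MinTLSVersionFromEnv() (uint16, error) {
	return ParseMinTLSVersion(os.Getenv(grpcMinTLSEnv), tls.VersionTLS13)
}

func main() {
	minVer, err := MinTLSVersionFromEnv()
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	// Constructed stand-in for the FIPS build: negotiation is capped at TLS 1.2.
	cfg, err := ClientTLSConfig(minVer, tls.VersionTLS12)
	if err != nil {
		// With the default (TLS 1.3) this is the failure from the report, caught before any dial.
		fmt.Fprintln(os.Stderr, "tls config error:", err)
		os.Exit(1)
	}
	fmt.Printf("gRPC client TLS: MinVersion=0x%04x MaxVersion=0x%04x\n", cfg.MinVersion, cfg.MaxVersion)
}
```

Run without the variable set and the program refuses the TLS 1.3 / TLS 1.2 combination; run with KEDA_GRPC_MIN_TLS_VERSION=TLS12 and the config is accepted. Keeping the fallback at TLS 1.3 preserves the current default for non-FIPS builds, so the change only lowers the floor where an operator explicitly asks for it.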

@or-shachar or-shachar added the bug Something isn't working label Oct 24, 2024
@JorTurFer (Member)

I think that it's a good feature supporting a configuration for the min TLS version for gRPC. Are you willing to open a PR?

@zroubalik (Member)

Yeah, a separate ENV variable would make sense here

@or-shachar (Contributor, Author)

I'll open a PR

@or-shachar (Contributor, Author)

@JorTurFer would appreciate your feedback on the PR. If that's good to go, I'll open chart and docs PRs as well.

stale bot commented Jan 9, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Jan 9, 2025
stale bot commented Jan 18, 2025

This issue has been automatically closed due to inactivity.

@stale stale bot closed this as completed Jan 18, 2025
@github-project-automation github-project-automation bot moved this from To Triage to Ready To Ship in Roadmap - KEDA Core Jan 18, 2025