
Cannot Provide Both TLS CA Cert and Client Cert for KEDA Deployment #503

Closed
wsugarman opened this issue Jul 30, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@wsugarman

wsugarman commented Jul 30, 2023

With the introduction of TLS support for external scalers in kedacore/keda#4407, ScaledObject resources may now include both a CA certificate to validate the certificate authority used by the external scaler server as well as its own certificate. However, there appears to only be one value for passing gRPC TLS secrets in the KEDA helm chart: grpcTLSCertsSecret. Specifying both the CA cert and the client cert would require two secrets, volumes, and volume mounts for the Deployment resource.

Am I missing something? I suppose you could use the hashiCorpVaultTLS value as a workaround.

Expected Behavior

The ability to pass multiple secrets, perhaps as an array like grpcTLSCertsSecrets? Or if that's confusing given the existing value and wanting to avoid removing it as a breaking change until v3, add a new value as the current one was historically used for the CA only, like grpcKedaTLSCertsSecret or something?

For example:

grpcTLSCertsSecrets:
- name: serverCert
  secretName: kedaTlsCert
  mountPath: server
- name: caCert
  secretName: scalerTlsCaCert
  mountPath: ca

Actual Behavior

Only 1 TLS secret may be specified today for the Helm chart that's designated for gRPC communication with external scalers.

Specifications

  • KEDA Version: >= 2.11.0
  • Scaler(s): External Scalers
@wsugarman wsugarman added the bug Something isn't working label Jul 30, 2023
@JorTurFer
Member

Hi
You can create all the extra secrets that you want using [extraObjects](https://github.com/kedacore/charts/blob/main/keda/values.yaml#L623) and mount them in KEDA with volumes.

Using this approach, you can mount all the secrets that you want in KEDA pods, then you just need to reference them.

I'm not totally sure if this is the best approach because maybe reading the base64 encoded value from secrets scales better, but currently it is a way to do it.

@wsugarman
Author

Thanks @JorTurFer! I will close this issue, as I somehow completely missed the volumes.keda.extraVolumes and volumes.keda.extraVolumeMounts! My mistake! These volumes can easily be used for both certificate secrets for mTLS. However, perhaps these different volume helm values can be reconciled in the future: does the chart need both grpcTLSCertsSecret and volumes.keda.extraVolumes?

@JorTurFer
Member

Honestly, I have noticed that key; I thought that you proposed that key as new 🤦
I have checked the history and that parameter has been there since the beginning 😄 I think that it's not used because I don't see that option in KEDA core; I guess it's because you could read from it as part of the external scaler directly. I'd use the volume parameters I told you before because it's more flexible.
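A values.yaml fragment for the workaround discussed above, added here as an example and not taken from the issue or from the chart's own files: it mounts a CA Secret and a separate client-certificate Secret into the KEDA operator pod through volumes.keda.extraVolumes and volumes.keda.extraVolumeMounts. The Secret names (scaler-ca, keda-client-tls) and the /certs mount path are assumptions; the directory and file names your KEDA version actually reads external-scaler certificates from must be confirmed against its documentation.

```yaml
# Added example values.yaml fragment (not from the chart or the issue).
# Assumes two Secrets already exist in the keda namespace, created out of band
# rather than embedded in values (constructed names, not from the page):
#   kubectl -n keda create secret generic scaler-ca --from-file=ca.crt=scaler-ca.pem
#   kubectl -n keda create secret tls keda-client-tls --cert=client.pem --key=client-key.pem
# The /certs mount path is an assumption; match it to what your KEDA version expects.
volumes:
  keda:
    extraVolumes:
      # One projected volume merges both Secrets into a single directory, so the
      # operator sees ca.crt, tls.crt and tls.key side by side under one mount
      # instead of needing two volumes with two mount paths.
      - name: external-scaler-tls
        projected:
          sources:
            - secret:
                name: scaler-ca        # CA that signed the external scaler's server cert
                items:
                  - key: ca.crt
                    path: ca.crt
            - secret:
                name: keda-client-tls  # client cert/key KEDA presents for mTLS
                items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
    extraVolumeMounts:
      - name: external-scaler-tls
        mountPath: /certs
        readOnly: true   # the operator should never be able to alter its own trust material
```

Listing the items explicitly means a key added to either Secret later is not silently projected into the operator's certificate directory, and readOnly keeps a compromised operator process from rewriting the CA bundle it validates scalers against.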
