Deploy with KEDA_HTTP_TLS_CIPHER_LIST, KEDA_GRPC_MIN_TLS_VERSION and KEDA_GRPC_TLS_CIPHER_LIST env vars

Signed-off-by: Joel Smith <joelsmith@redhat.com>

Author: joelsmith

keda/README.md

@@ -92,6 +92,7 @@ their default values.
 | `hostAliases` | list | `[]` | HostAliases for pod networking ([docs](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)) |
 | `http.keepAlive.enabled` | bool | `true` | Enable HTTP connection keep alive |
 | `http.minTlsVersion` | string | `"TLS12"` | The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) |
+| `http.tlsCipherList` | string | `""` | The list of ciphersuites to use when making HTTP over TLS connections. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure. |
 | `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) |
 | `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components |
 | `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images |
@@ -119,6 +120,8 @@ their default values.
 | `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created |
 | `rbac.scaledRefKinds` | list | `[{"apiGroup":"*","kind":"*"}]` | List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. The feature needs to be also enabled by `enabledCustomScaledRefKinds`. If left empty, RBAC for `apiGroups: *` and `resources: *, */scale` will be created note: Deployments and StatefulSets are supported out of the box |
 | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
+| `service.minTlsVersion` | string | `"TLS13"` | The minimum TLS version to use when KEDA components listen via TLS-enabled services (gRPC & Webhook). |
+| `service.tlsCipherList` | string | `""` | The list of ciphersuites to use when KEDA comonents listen via TLS-enabled services. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure. |
 | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) |
 | `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces |
 

keda/templates/manager/deployment.yaml

@@ -164,6 +164,12 @@ spec:
               value: {{ .Values.http.timeout | quote }}
             - name: KEDA_HTTP_MIN_TLS_VERSION
               value: {{ .Values.http.minTlsVersion }}
+            - name: KEDA_HTTP_TLS_CIPHER_LIST
+              value: {{ .Values.http.tlsCipherList }}
+            - name: KEDA_SERVICE_MIN_TLS_VERSION
+              value: {{ .Values.service.minTlsVersion }}
+            - name: KEDA_SERVICE_TLS_CIPHER_LIST
+              value: {{ .Values.service.tlsCipherList }}
             {{- if ( not .Values.http.keepAlive.enabled ) }}
             - name: KEDA_HTTP_DISABLE_KEEP_ALIVE
               value: "true"

keda/templates/metrics-server/deployment.yaml

@@ -107,6 +107,12 @@ spec:
               value: {{ .Values.http.timeout | quote }}
             - name: KEDA_HTTP_MIN_TLS_VERSION
               value: {{ .Values.http.minTlsVersion }}
+            - name: KEDA_HTTP_TLS_CIPHER_LIST
+              value: {{ .Values.http.tlsCipherList }}
+            - name: KEDA_SERVICE_MIN_TLS_VERSION
+              value: {{ .Values.service.minTlsVersion }}
+            - name: KEDA_SERVICE_TLS_CIPHER_LIST
+              value: {{ .Values.service.tlsCipherList }}
             {{- if ( not .Values.http.keepAlive.enabled ) }}
             - name: KEDA_HTTP_DISABLE_KEEP_ALIVE
               value: "true"

keda/values.yaml

@@ -596,6 +596,13 @@ affinity: {}
 # -- priorityClassName for all KEDA components
 priorityClassName: ""
 
+## Service settings for KEDA components which provide a network service or server
+service:
+  # -- The minimum TLS version to use when KEDA components provide a TLS-enabled service.
+  minTlsVersion: "TLS13"
+  # -- The list of ciphersuites to use when KEDA comonents provide a TLS-enabled service. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure.
+  tlsCipherList: ""
+
 ## The default HTTP timeout in milliseconds that KEDA should use
 ## when making requests to external services. Removing this defaults to a
 ## reasonable default
@@ -607,6 +614,8 @@ http:
     enabled: true
   # -- The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them)
   minTlsVersion: TLS12
+  # -- The list of ciphersuites to use when making HTTP over TLS connections. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure.
+  tlsCipherList: ""
 
 ## This setting lets you enable profiling for all of the components of KEDA and in the specific port you choose
 ## This can be useful when trying to investigate errors like memory leaks or CPU or even look at goroutines to understand better