diff --git a/content/docs/2.20/operate/cluster.md b/content/docs/2.20/operate/cluster.md index 548e25886..10ed0ad7b 100644 --- a/content/docs/2.20/operate/cluster.md +++ b/content/docs/2.20/operate/cluster.md 
@@ -116,6 +116,47 @@ For example: The following values are allowed: `TLS13`, `TLS12`, `TLS11` and `TLS10`. +## HTTP TLS Ciphersuite List + +Some organizations have very specific security requirements and only permit a subset of TLS cipher suites for secure communications. In such scenarios, KEDA can be configured with a list of allowed cipher suites. The TLS handshake will select only from the list of allowed cipher suites using the environment variable `KEDA_HTTP_TLS_CIPHER_LIST`. + +For example: + +```yaml +- env: + KEDA_HTTP_TLS_CIPHER_LIST: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +``` + +Allowed values are the names of the cipher suites returned by the Go `crypto/tls` module's `CipherSuites()` function. Invalid ciphersuite names will be ignored. If not specified or if only invalid names are specified, the default cipher suites list will be used. Note: the Go TLS library ignores cipher suites specified by this option if TLS13 is used for `KEDA_HTTP_MIN_TLS_VERSION`. + +## Service TLS min version + +By default, KEDA uses TLS1.3 as a minimum TLS version for TLS-enabled services (such as gRPC & the webhook). However, if you need to use another version you can configure it by using the environment variable `KEDA_SERVICE_MIN_TLS_VERSION`. + +For example: + +```yaml +- env: + KEDA_SERVICE_MIN_TLS_VERSION: TLS12 +``` + +The following values are allowed: `TLS13` and `TLS12`. + +If not specified, defaults to the value of `KEDA_HTTP_MIN_TLS_VERSION`. + +## Service TLS Ciphersuite List + +When making a TLS connection to a KEDA TLS-enabled service, the TLS handshake will select only from the list of allowed cipher suites using the environment variable `KEDA_SERVICE_TLS_CIPHER_LIST`. 
+ +For example: + +```yaml +- env: + KEDA_SERVICE_TLS_CIPHER_LIST: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +``` + +Allowed values are the names of the cipher suites returned by the Go `crypto/tls` module's `CipherSuites()` function. Invalid ciphersuite names will be ignored. If not specified, defaults to the value of `KEDA_HTTP_TLS_CIPHER_LIST`. Note: the Go TLS library ignores cipher suites specified by this option if TLS13 is used for `KEDA_SERVICE_MIN_TLS_VERSION` (which is the default). + ## Kubernetes Client Parameters The Kubernetes client config used within KEDA Operator and KEDA Metrics Adapter can be adjusted by passing the following command-line flags to the binary:
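Review bot: The fallback behaviour for invalid names is a security footgun and the two new ciphersuite sections document it inconsistently. "Invalid ciphersuite names will be ignored ... if only invalid names are specified, the default cipher suites list will be used" means a single typo in a deliberately restrictive allowlist silently widens the negotiable set back to Go's defaults; the docs should say whether KEDA logs a warning for each dropped name (and add one if it does not) and advise operators to verify the negotiated suite after deployment. The Service section only says "If not specified, defaults to the value of `KEDA_HTTP_TLS_CIPHER_LIST`" and leaves the all-invalid case undefined; align its wording with the HTTP section. Two smaller points in the same hunk: the "Service TLS min version" section states both "By default, KEDA uses TLS1.3" and "If not specified, defaults to the value of `KEDA_HTTP_MIN_TLS_VERSION`", yet the HTTP setting permits `TLS11` and `TLS10` while the service setting only allows `TLS13` and `TLS12`, so say what happens when the inherited value is outside the service's allowed set. And the YAML examples use a mapping under `- env:` (`KEDA_HTTP_TLS_CIPHER_LIST: ...`) rather than the Kubernetes container `env` list shape of `- name:` / `value:`; if this is the page's existing convention keep it, otherwise correct the three new snippets so they can be pasted into a Deployment as-is.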