41 changes: 41 additions & 0 deletions content/docs/2.20/operate/cluster.md
Expand Up @@ -116,6 +116,47 @@ For example:

The following values are allowed: `TLS13`, `TLS12`, `TLS11` and `TLS10`.

## HTTP TLS Ciphersuite List

Some organizations have very specific security requirements and only permit a subset of TLS cipher suites for secure communications. In such scenarios, KEDA can be configured with a list of allowed cipher suites. The TLS handshake will select only from the list of allowed cipher suites using the environment variable `KEDA_HTTP_TLS_CIPHER_LIST`.

For example:

```yaml
- env:
KEDA_HTTP_TLS_CIPHER_LIST: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

Allowed values are the names of the cipher suites returned by the Go `crypto/tls` module's `CipherSuites()` function. Invalid ciphersuite names will be ignored. If not specified or if only invalid names are specified, the default cipher suites list will be used. Note: the Go TLS library ignores cipher suites specified by this option if TLS13 is used for `KEDA_HTTP_MIN_TLS_VERSION`.

## Service TLS min version

By default, KEDA uses TLS1.3 as a minimum TLS version for TLS-enabled services (such as gRPC & the webhook). However, if you need to use another version you can configure it by using the environment variable `KEDA_SERVICE_MIN_TLS_VERSION`.

For example:

```yaml
- env:
KEDA_SERVICE_MIN_TLS_VERSION: TLS12
```

The following values are allowed: `TLS13` and `TLS12`.

If not specified, defaults to the value of `KEDA_HTTP_MIN_TLS_VERSION`.

## Service TLS Ciphersuite List

When making a TLS connection to a KEDA TLS-enabled service, the TLS handshake will select only from the list of allowed cipher suites using the environment variable `KEDA_SERVICE_TLS_CIPHER_LIST`.

For example:

```yaml
- env:
KEDA_SERVICE_TLS_CIPHER_LIST: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

Allowed values are the names of the cipher suites returned by the Go `crypto/tls` module's `CipherSuites()` function. Invalid ciphersuite names will be ignored. If not specified, defaults to the value of `KEDA_HTTP_TLS_CIPHER_LIST`. Note: the Go TLS library ignores cipher suites specified by this option if TLS13 is used for `KEDA_SERVICE_MIN_TLS_VERSION` (which is the default).

## Kubernetes Client Parameters

The Kubernetes client config used within KEDA Operator and KEDA Metrics Adapter can be adjusted by passing the following command-line flags to the binary:
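Review bot: The `env` examples in all three new sections (`- env:` followed by `KEDA_HTTP_TLS_CIPHER_LIST: ...` at the same indentation) are not valid Kubernetes container `env` syntax, which takes a list of `name`/`value` objects; unless the page intentionally uses this shorthand in the surrounding sections, consider `env:` / `- name: KEDA_HTTP_TLS_CIPHER_LIST` / `value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`. In the "Service TLS Ciphersuite List" section, the closing note should state the consequence outright: with `KEDA_SERVICE_MIN_TLS_VERSION` at its TLS13 default, `KEDA_SERVICE_TLS_CIPHER_LIST` has no effect at all, and it only starts restricting the handshake once `KEDA_SERVICE_MIN_TLS_VERSION` is set to TLS12; it is also worth saying that this is not a weakening, since the list only governs TLS 1.2 negotiation and TLS 1.3 sessions use Go's fixed suites regardless. The two ciphersuite sections disagree on the invalid-only case: the HTTP section says the default list is used "if only invalid names are specified", while the Service section only covers the unspecified case (falls back to `KEDA_HTTP_TLS_CIPHER_LIST`); please spell out what the service list does when every name is invalid. Finally, because invalid names are silently dropped, a typo leaves the endpoint on the broader default list rather than the intended restricted one; the docs should say whether KEDA logs the ignored names so operators can confirm the restriction actually applied.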