Allow more control of TLS versions & ciphers

[joelsmith]

Add 2 new env vars KEDA_HTTP_TLS_CIPHER_LIST and KEDA_SERVICE_TLS_CIPHER_LIST to
provide fine-grained control to restrict the cipher suites used by the webhook and gRPC
servers as well as TLS clients in the scalers. Also add KEDA_SERVICE_MIN_TLS_VERSION
to mirror the behovior of KEDA_HTTP_MIN_TLS_VERSION for the gRPC server and webhooks server.

Checklist

• Tests have been added (if applicable)
• Ensure make generate-scalers-schema has been run to update any outdated generated files
• Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
• A PR is opened to update our Helm chart (Deploy with KEDA_HTTP_TLS_CIPHER_LIST, KEDA_SERVICE_MIN_TLS_VERSION and KEDA_SERVICE_TLS_CIPHER_LIST env vars charts#842)
• A PR is opened to update the documentation on (Add docs about KEDA_HTTP_TLS_CIPHER_LIST, KEDA_SERVICE_MIN_TLS_VERSION and KEDA_SERVICE_TLS_CIPHER_LIST keda-docs#1729)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

[github-actions]

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[joelsmith]

@JorTurFer @zroubalik could one or both of you PTAL? I'm not sure what you'll think of the dichotomy in the PR of HTTP TLS settings and HTTP Service TLS settings. The docs have always said that KEDA_HTTP_MIN_TLS_VERSION is about the scalers making TLS connections, but we were using it for the webhook as well, so my thoughts here were to make one set of settings for the scalers to use as clients and one for the KEDA services (webhook, gRPC) which falls back to the other one if not specified.

Not sure if I have enough privs to kick off E2Es, but I'll try.
/run-e2e external

[rickbrouwer]

/run-e2e external
Update: You can check the progress here

[Copilot]

Pull request overview

This PR adds configurable TLS cipher suite lists and a configurable minimum TLS version for the gRPC server, extending existing TLS hardening controls used by the webhook/HTTP path and TLS clients.

Changes:

• Add parsing/support for KEDA_HTTP_TLS_CIPHER_LIST (and expose it via CreateTLSClientConfig + webhook TLS opts).
• Add gRPC server support for KEDA_GRPC_MIN_TLS_VERSION and KEDA_GRPC_TLS_CIPHER_LIST.
• Add unit tests for TLS version parsing and cipher list parsing; update changelog.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/util/tls_config.go	Adds cipher list parsing + exported getters; refactors TLS version parsing.
pkg/util/tls_config_test.go	Updates min TLS version tests and adds cipher list parsing tests.
pkg/metricsservice/utils/tls.go	Makes gRPC TLS config respect env-configured min TLS version + cipher list.
cmd/webhooks/main.go	Applies configured cipher list to webhook TLS server config.
CHANGELOG.md	Adds entry for new TLS controls (but includes a malformed/duplicate line).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rickbrouwer]

Typo: GetSerivceTLSCipherList --> GetServiceTLSCipherList

[joelsmith]

Typo: GetSerivceTLSCipherList --> GetServiceTLSCipherList

Good catch, thanks!

[wozniakjan]

/run-e2e internal
Update: You can check the progress here

[rickbrouwer]

/run-e2e internal
Update: You can check the progress here