Cannot configure GRPC TLS minimum version

or-shachar commented 1 week ago

Report

We uses always TLS 1.3 as minimum TLS version for grpc client.
When compiling in FIPS mode (Boringcrpyto with limited approved TLS versions) and Go 1.23, this causes runtime issue: no supported versions satisfy MinVersion and MaxVersion

For http client we allow setting the min TLS version with KEDA_HTTP_MIN_TLS_VERSION. Not sure why we don't allow configuring the value for grpc client as well.

Expected Behavior

It would be nice if we could control the min TLS version for grpc client.
Not sure if through the same env variable (KEDA_HTTP_MIN_TLS_VERSION) or introduce a different one.

Actual Behavior

For grpc client - the min tls version is hardcoded to 1.3.

Steps to Reproduce the Problem

If you want to see FIPS issue:

Compile with go 1.23.2 with GOEXPERIMENT=boringcrypto
Run the services in cluster

You'll see this in the metrics adapter:

W1024 18:24:27.886000       1 logging.go:55] [core] [Channel #1 SubChannel #53]grpc: addrConn.createTransport failed to connect to {Addr: "172.20.74.146:9666", ServerName: "keda-operator.keda.svc.cluster.local:9666", }. Err: connection error: desc = "transport: authentication handshake failed: tls: no supported versions satisfy MinVersion and MaxVersion"

KEDA Version

2.15.0

Kubernetes Version

1.30

Platform

Any

Scaler Details

No response

Anything else?

In Go main branch they approved TLS 1.3 for FIPS but in 1.23.2 it's still not there.

JorTurFer commented 6 days ago

I think that it's a good feature supporting a configuration for the min TLS version for GRPC. are you willing to open a PR?

zroubalik commented 4 hours ago

Yeah, a separate ENV variable would make sense here

kedacore / keda